
Guest Post – Minimizing Risk: Five Ways Payment Facilitators Can Stay Secure and Keep Merchant Risk At Bay

Derek Schultz

Attackers are developing new methods of stealing sensitive information every day, making retail breaches an all-too-common occurrence. But an important line of defense for merchants is their payment facilitator, which, when armed with the right knowledge, can act as a digital bodyguard for these brands.

Read on for some current threats that ISOs, acquirers and payment facilitators need to look out for in today’s security landscape to protect their merchants, customers and their bottom line:

1. Watch out for Transaction Laundering
Transaction laundering, the lesser-known but quickly growing counterpart to money laundering, is a major threat to payment facilitators, putting them at risk of fraud, brand damage or worse.

How does it work? Attackers leverage a legitimate business’s website and use it to mask a hidden website selling goods or services that are prohibited by the payment card brands. Payment facilitators are often victims of these schemes themselves, and the merchants in their portfolio may also be complicit in a transaction laundering scheme. Facilitators should be vigilant in scanning for this activity to protect themselves from their merchants — wittingly or unwittingly — being party to it.

Payment facilitators should educate themselves on how to spot the signs of these illegal and undisclosed e-commerce transactions, or partner with a third party who is trained to do so, to avoid accidentally facilitating damaging transactions.

2. Pay Close Attention to New and Evolving Malware Families
Malware at the point of sale continues to be a problem, and it’s important for facilitators to keep prioritizing protection against new and emerging malware families. In the investigations covered by Trustwave’s 2016 Global Security Report, 60 percent of all breaches targeted payment card data. Malware families like Carbanak, Cherry Picker and Punkey remain prominent as criminals continue to see the POS as an effective way of stealing data that can be quickly monetized.

Facilitators need to implement malware protections for their merchants, as the ISOs are ultimately responsible for the ramifications of a malware infiltration. Implementation can differ between ISOs and payment facilitators, but it should include a combination of computer security controls that address both card-present and card-not-present merchants. Having a security tool at these endpoints can help mitigate certain threats, as well as give the ISO or payment facilitator some assurance that a level of protection is in place. Mobile security can also be included, especially if there is a large mobile segment. This can take the form of a mobile security app that monitors the mobile system, checks for malware and reports status back to the merchant and to the ISO or payment facilitator, which likewise provides a level of assurance.

3. Don’t Forget About Card-Not-Present (CNP) Threats
Once EMV was deployed in the United States, card-present security and anti-fraud efforts received a boost, and criminals began to look elsewhere for victims. In the U.K., we saw this first hand as CNP fraud soared dramatically after EMV implementation, since no chip is required at a website’s “point of sale”. As EMV continues to be deployed, e-commerce transactions will be targeted for fraud even more. In 2015, facilitators must implement a layered approach and put a structure in place for monitoring risk on the web in addition to at the physical payment terminal. This monitoring can be something the ISO or payment facilitator takes on itself on behalf of its merchants, or it can be offered as an additional service.

4. Strike a Balance Between Human Touch and Automation
Automated security checks are one way facilitators can save a business money and reduce the resources they use. While automation is certainly beneficial, payment facilitators should pair it with a manual form of testing, such as penetration testing, to find the real-world vulnerabilities that a malicious actor might also find. In the case of transaction laundering, much of the work to identify these schemes comes from automation—from data gathering and intelligence to testing merchant websites for actual laundering activity.

Strong testing programs are essential for monitoring for illicit merchant activity, but such a program should not cost a great deal in terms of effort, scale and implementation. Automation and manual testing go hand in hand as equally important pieces of the security puzzle for ISOs.

5. Go Beyond PCI Compliance
Ensuring that your merchant portfolio stays up to date on the requirements of security standards such as PCI DSS helps cover your security basics, but facilitators should remember that compliance does not necessarily mean security. Often, merchants assume that because they are PCI compliant, security is automatic, which can be a very costly mistake. Instead of focusing simply on “checking the box” to meet the guidelines, businesses should focus on securing their environment first, so that they inherently become compliant. For ISOs and facilitators, this should include providing their merchants with easy-to-use, professional tools, so that security assessments are easy to conduct. In addition, ISOs and facilitators should make sure they are protecting themselves and their merchants by monitoring for card brand issues and illegal content.

Security is a journey, not a destination. As criminal tactics evolve and changes are made to a business’s environment, new vulnerabilities appear, and it’s critical that businesses identify and remediate them on a regular basis before it’s too late.

By taking these tips into consideration, merchant service providers can reduce their risk of becoming the next hot headline. Ensure your merchants are compliant, aware and proactive about their security, so that both provider and merchant will ultimately increase revenue and reduce risk.

Derek Schultz has been a payments industry professional for more than 10 years and is currently Director of Payment Partner Programs at Trustwave, a global leader in security and compliance management solutions. His various skills include relationship networking, product promotion, business development, and operations.


The views expressed in the posts and comments of this blog do not necessarily reflect those of ETA.