Previously featured on Forbes Business Council
Digital commerce has both given merchants more ways to accept payments and given criminals more ways to intercept and steal payment transactions. A 2023 LexisNexis study found that 60% of ecommerce merchants and 53% of retailers reported higher levels of fraud over the past twelve-month period. Researchers observed that most criminal activities occur during new customer sign-ups and when accepting payments.
These are prime areas of focus in my company’s merchant services. In fact, my partner, Dave, and I recently had to help one of our customers remediate a cybersecurity incident. The process, which involved forensic investigators, federal agencies and legal advisors, took over four months to complete and highlighted the importance of business owners taking a proactive approach when monitoring, detecting and stopping physical and virtual fraud.
sponsored by
As we reflected on this and similar experiences, it occurred to us that we are also seeing a steep rise in crime, both in-store and online, and our merchants are asking for advice about how to deal with these types of threats. Based on these discussions, here are six tips on how to keep your business secure, alert and compliant in the digital-first era.
1. On-Premise Inspections
In your store, someone could be walking up to a point-of-service (POS) device and embedding a skimming device on the front of an ATM card reader or inside a countertop POS terminal. Manufacturers are creating card readers with flush surfaces on ATMs and PIN pads to prevent this type of tampering. Nonetheless, I recommend inspecting the card readers on your machines and looking for skimming devices.
2. Velocity Settings
Your payment gateway should have velocity settings to prevent your ecommerce website from being attacked by fast-moving fraudsters, who can route thousands of transactions through a website. Velocity settings on gateways limit the number of transactions in a specific time period to help prevent a brute force attack on a website, which can involve hundreds or even thousands of transactions. These controls make transactions invisible so that scammers who try to upload a file will see that no transactions are being processed and move on.
You can also use filters to limit the number of transactions that can be made by a specific user, block specific IP addresses and countries that are known to engage in criminal behavior, block bot attacks with reCAPTCHA challenges, and validate shoppers with CVV and address verification filters. As we have seen with recent lawsuits, gateways that fail to implement these controls can be held responsible. Some have even paid back the merchants, but often only after merchants suffered catastrophic losses and legal actions that could have otherwise been avoided.
3. Control Of Access Points
Cybersecurity insurance typically covers losses due to unauthorized access to a business website, which may result in lockdowns, ransomware attacks and data mining. These attacks typically occur when employees click on links that redirect them to fraudulent websites where they mistakenly enter sensitive data or expose employer websites to backdoor attacks.
The average employee uses an average of 3.6 devices, but you can limit this type of exposure to threats by restricting the number of devices that can access your business network, limiting authorized devices to specific areas of a network, and restricting usage to business-related activities. You can also minimize exposure by using cloud applications that require strong authentication. When contracting with an insurer, most carriers will require companies to comply with payments industry guidelines stipulated by the PCI Security Standards Council (PCI SSC).
4. Blocking Phishing And Smishing Attacks
Block emails from unknown or suspicious sources at all times, and educate employees to “just don’t click” on any links within emails, text messages and instant messages. We routinely receive emails claiming to be from our banks or Amazon that look surprisingly legitimate. However, upon closer inspection, you may find that one or two of the letters in an email or URL are from a personal Gmail account or contain Cyrillic letters from a Russian keyboard. Rather than run the risk, just don’t click.
5. Controlling Permission Levels
Maintain an up-to-date list of each employee and provide access to the information each person needs to perform within the organization. Keep access and information on a need-to-know basis to prevent errors and protect sensitive data. In addition, IT managers should remove the access of former employees to the network immediately. These steps can help your company meet basic compliance requirements and protect inadvertent or intentional access to company data.
6. Multifactor Authentication
We sometimes get complaints from customers when mobile apps want them to change their passwords. While this is for their protection, I have found that companies need more than just password protection. Multifactor authentication combines something that you know, such as a password, with something you have, such as a device, and something that you are, such as a fingerprint, iris scan or other type of biometric. Even two of the three options can help protect your organization better than just a password, which is typically easier for hackers to obtain.
Physical, Virtual Safety
Another key finding in the Lexis Nexis Risk Solutions report was the cumulative impact of major data security breaches over the past two decades. Researchers noted that criminals are tapping into massive amounts of compromised consumer data to forge synthetic identities and transact with stolen credit and debit cards. They note that merchants should continuously monitor digital payments and buy-now-pay-later transactions, which account for 37% of fraud.
Most people don’t realize how many connected devices are in their homes and offices. And yet, smart televisions, Android and iOS wearables, WiFi-enabled printers and security cameras are staples of many modern homes and offices. These smart machines, with deeply embedded technologies, are part of the Internet of Things (IoT), an ever-expanding attack surface of always-on, always-listening digital assistants and devices that can be exploited by hackers.
Hackers have become more sophisticated than ever before and are mounting attacks at scale. That’s why I recommend taking a proactive approach to security rather than risking the fines, legal fees and expenses that can occur in the aftermath of a security incident, not to mention the tremendous hit that organizations can take in terms of revenue, customers and reputation.
Previously featured on Forbes Business Council
CLICK HERE TO FIND MORE ABOUT OUR PROGRAMS
FAQ: Frequently Asked Questions
What are common payment fraud tactics?
Fraudsters use methods like skimming devices, brute force attacks on payment gateways, bot attacks, and phishing scams to steal payment information.
How can businesses protect their payment systems?
Businesses should conduct regular on-premise inspections to check for skimming devices, implement velocity settings on payment gateways to limit transaction attempts, and use filters to block suspicious IP addresses and bot attacks.
What role does cybersecurity play in fraud prevention?
Cybersecurity measures like CVV and address verification, reCAPTCHA challenges, and blocking high-risk regions help prevent fraudulent transactions.
How can merchants detect fraud early?
4. How can merchants detect fraud early?
Monitoring transaction patterns, setting up alerts for unusual activity, and using fraud detection tools can help merchants identify fraud before it escalates.
Where can I read the full article?
You can find the full article on Forbes.
