The Payment Card Industry Data Security Standard (PCI DSS) makes it clear that you, as the merchant, are the gatekeeper for your company's and your customers' card data [1]. It is your responsibility to be the first line of defence against payment fraud. Adopting the latest technology can be part of that gatekeeping role, but you also have to make sure that your company's internal procedures around payment systems are as efficient and effective as possible.
Breaches cost businesses money

The BIS 2014 Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort. The cost to each organisation was, on average, between £600,000 and £1.5 million.
But small companies are equally at risk. According to government figures, a third of small businesses suffered a cyber attack from someone outside their business last year. The average cost of a major security breach is between £65,000 and £115,000, and a breach can put a business out of action for up to 10 days [3].
The threat is real and, as has been shown on many occasions, there is no single fail-safe way to keep fraudsters at bay and your business's and customers' card data safe.
In its Cyber Essentials document, the government says: "Responding to and managing the vast range of cyber threats that UK organisations continue to face is a significant undertaking, involving the investment of people, money and time. Regardless of their size, use of technology, the industry sector in which they operate and their global presence, every organisation needs to implement a robust and effective approach to cyber security [4]."
You have to implement as many measures as necessary, and make sure that each of these preventive, protective and detective measures is implemented fully and correctly. Just as importantly, each one has to be maintained: a control that was correct when it was installed but has not been reviewed since is not a control you can rely on.
Ensure you have adequate protection

Every company that operates online should have a correctly configured boundary firewall, internet gateway or equivalent network device. Without one, cyber attackers can gain access to your computer systems with ease and reach the information they contain.
The government's Cyber Essentials scheme, which sets out the basic technical controls that protect organisations from common cyber attacks, says that as a minimum you should have at least one firewall (or equivalent network device) installed on the boundary of your organisation's internal network(s) [5].
Any default administrative password on that device should be replaced with a strong one, and the administrative interface used to manage the boundary firewall configuration should not be reachable from the internet. Remember that every device your business uses needs to be correctly configured and maintained so that only the traffic your business actually needs is permitted to pass through: the rule set should deny everything by default and allow only the specific services you have deliberately chosen to expose.
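The following is an added illustration of the boundary rule set described above, written for the Linux nftables firewall; it is not part of the original article or the Cyber Essentials scheme. It assumes a single host on the boundary whose only public service is the HTTPS shop front on port 443, and it assumes a hypothetical internal management network of 10.0.10.0/24 from which SSH administration is permitted. The default policy is drop, so anything not listed (including SSH from the internet) is refused.

```nftables
#!/usr/sbin/nft -f
# Example boundary rule set: deny by default, allow only what the business needs.
# The 10.0.10.0/24 management network and the single public service on 443 are assumptions.
flush ruleset

table inet boundary {
    chain input {
        type filter hook input priority 0; policy drop;

        # Traffic on the loopback interface and replies to connections we started.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only service deliberately exposed to the internet: HTTPS to the shop.
        tcp dport 443 accept

        # Administrative interface (SSH) reachable only from the internal management
        # network. There is no rule allowing port 22 from any other source, so the
        # policy drop applies to SSH attempts from the internet.
        ip saddr 10.0.10.0/24 tcp dport 22 accept

        # Minimal ICMP so that path MTU discovery and basic diagnostics still work.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Record a rate-limited sample of everything else before the policy drops it.
        limit rate 5/second log prefix "boundary-drop: "
    }

    chain forward {
        # This host does not route traffic between networks.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the input and forward chains show `policy drop`. The useful check after any change is to attempt a connection to the administrative port from an address outside the management network and confirm that it is refused and appears in the log with the `boundary-drop:` prefix.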
Keep your security software up-to-date

Malware protection is another essential. Computers that are exposed to the internet should be protected against malware infection, and the software that protects your computers and networks should be kept up-to-date "at least daily", according to the government's cyber experts, either by configuring it to update automatically or through centrally managed deployment [4].
The same applies to patch management. Software vendors regularly release fixes for vulnerabilities as they are identified, sometimes as often as weekly, in the form of software updates known as patches. Applying operating system and application patches as soon as possible after they become available closes the holes that attackers are most likely to try first, so make sure your business tracks which patches are outstanding, applies them promptly and confirms that they were actually installed.
Once your software and security measures are in place, there are further steps you can take to ensure that payments are not compromised. Being compliant with the industry standard for card payments, the Payment Card Industry Data Security Standard (PCI DSS), is a good way to make sure that you have taken the necessary steps to protect payments online. For more information take a look at our article Introduction to online security.
Fight fraudsters – wherever they are

There are additional measures you can take to strengthen security around card payments. Chip and PIN helps fight fraud in face-to-face transactions, but in card-not-present (CNP) transactions you can't always be sure who is on the other end of the payment. Initiatives such as Verified by Visa and MasterCard SecureCode (both built on the 3-D Secure protocol) require your customers to identify themselves to their card issuer with a pre-registered password before each transaction. It adds very little time to the process and helps reduce online card fraud by declining transactions when the wrong password is entered. It also matters for chargebacks: when a transaction has been authenticated this way, liability for fraud-related chargebacks generally shifts from the merchant to the card issuer.
Barclaycard offers fraud screening solutions (fees may apply) that analyse the most frequently targeted areas and current fraud trends to spot potential risks and identify attacks, so that goods and services are stopped from being dispatched to fraudsters in as near to real time as possible. They also give you the ability to block suspicious accounts and provide advance notice of potential chargebacks, so you have more time to investigate and prepare a defence.
[3] The Telegraph - SMEs failing to guard against cyber attacks, Government warns
[4] The Telegraph - SMEs failing to guard against cyber attacks, Government warns
[5] The Telegraph - SMEs failing to guard against cyber attacks, Government warns