For the past 19 years, the National Cybersecurity Alliance and the U.S. Cybersecurity & Infrastructure Security Agency have recognized October as National Cybersecurity Awareness Month to promote data security best practices. Throughout the month, small business owners and corporate leaders should take time to learn the risks, identify gaps in security practices, and implement new strategies to fend off cyberattacks. Businesses that accept and process large volumes of payments – especially retailers, restaurants, and e-commerce marketplaces – need to be especially vigilant of fraud attempts and cybercrime. According to a recent study from Card Not Present, every dollar of fraud committed in e-commerce transactions represents $3.75 in losses to the merchant – representing a marked increase from 2019.
With that in mind, spend some time ensuring that your organization evolves its data security practices and reduces the risks of payments fraud – this month and throughout the year. Get started:
Stay up to date with emerging payments fraud risks and impacts.
Business leaders are generally aware of the reputational and operational risks of fraud – but may underestimate the magnitude of these potential losses. The annual IBM Cost of a Data Breach report shows the massive costs organizations incur after cybersecurity incidents. The report estimates that in 2022, companies lose $4.35 million per data breach event and 83% of surveyed companies had experienced more than one data breach event in the past year.
To avoid reputational, operational, and financial losses, keep yourself informed on the most pressing sources of cybersecurity risk:
- Digital skimming: Fraudsters infect a website with code that “skims” payment card information while it is being entered into a website during payment, while the merchant and cardholder remain unaware.
- Ransomware: Harmful code infiltrates and disables an organization’s computer system and holds the data hostage to collect a ransom payment from the organization.
- Card not present fraud: Attackers leverage online, over-the-phone, and mail-in purchases to conduct fraudulent transactions – relying on the fact that the merchant never sees a physical card as part of the verification process of a payment.
There are no easy answers for combating these threats, but constant vigilance can help. This includes regularly scanning and testing eCommerce sites for vulnerabilities or malware and monitoring the eCommerce environment. For a deeper dive into data security treats, Forbes online news magazine featured the top data security threats of 2022.
Audit your current practices and establish regular check-ins for ongoing security.
Original data security precautions can be thwarted by shifts in store setup, device additions, expansion and administration of eCommerce services, new payment access points and changes to operational procedures. Any one of these can leave a business more susceptible to security control failures, malicious attacks, or accidental information leakage. So, begin looking at what’s changed for your business this year that could have inadvertently created a weak point in your data security set up.
- Physical device security: Mount payment devices on locking stands and place in locations that you and your staff can see and control to minimize risk of tampering or theft. Also, maintain a list of all devices and develop a routine to inspect them for tampering or substitution. When not in use, store mobile payments devices in locked cabinets or tether to the counter securely. Record the identifying attributes of the device – serial number, model type, operating system, etc. – and regularly review who is authorized to use it.
- Ecommerce website security: Check your shopping cart software, update operating system versions in a timely fashion, remove inactive plugins as soon as possible, and make sure your SSL certificate is current and renewed on time each year. If you use an outside vendor to develop and maintain that site, be sure the coders don’t leave HTML source code wide open for fraudulent authorization testing. It is important to ensure your source code is well hidden.
- Employee access security: Validate your processes for strong passwords and user authentication, as well as employee access and logins, and consider implementing multi-factor authentication. Train employees to recognize risk, such as Phishing and social engineering, and how follow appropriate security protocols.
- PCI DSS compliance validation and patches: Review your organization’s adherence with the Payment Card Industry Data Security Standard (PCI DSS) compliance on a quarterly basis. Annual PCI validation only reflects a point in time and must be diligently upheld with consistent frequency to ensure payments data security. If you find gaps in your processes during these reviews, make a plan to address these quickly and effectively to maintain compliance and customer trust. Further, make sure you understand how your vendor or service provider notifies you of new security patches and be sure you receive and read these notices. For eCommerce businesses, ask your eCommerce hosting provider whether they patch your system and how often.
Cybersecurity Awareness Month will go by quickly – be sure to make these best practices part of your organization’s regular processes to ensure data security year-round. Educating your employees, discussing data security with your partners and vendors, and prioritizing fraud-preventing initiatives are vital steps to protect your organization in the evolving digital-first world.
* By selecting this link, you will leave Elavon content and enter a third-party website. Elavon is not responsible for the content of, or products and services provided by this third party, nor does it guarantee the system availability or accuracy of information contained in the site. This website is not controlled by Elavon. Please note that the third-party website may have privacy and information security policies that differ from those of Elavon.