Security Protection Tips to the 4 Most Common Breaches

Wednesday, June 10, 2020

Updated on June 10, 2020: As reports of fraud continue to increase during COVID-19, keeping your business and your customers safe is paramount. This article explores how to protect against four of the most common areas of exposure your business may encounter during this vulnerable time.

During times of instability like that of the COVID-19 global pandemic, cyber threats increase as cybercriminals look to exploit businesses when their attention is turned elsewhere. However, by keeping your eye on security, knowing what vulnerabilities to look for and taking precautionary steps, you can greatly reduce your risk of a breach.

These are the four most common vulnerabilities that cybercriminals are on the hunt for:

1. Unsecure third-party vendors

One of the most common vulnerabilities that directly impacts the security of your business' environment is the use of unsecure third-party vendors. These vendors often provide businesses with payment processing services, but not in a secure manner.

Data thieves have learned that a single unsafe vendor is a route into many of that vendor's customers, and through them into the card data of those businesses' clients. One common example involves vendors that use remote access into the customer's processing environment for routine maintenance. An attacker targeting the business obtains the vendor's credentials, either by trying default passwords or by phishing the vendor, then uses that remote access to get into the business' environment and deploy malware, which ultimately leads to card data being compromised.

“Ensure you know all of the third-party vendors that are involved with your credit card environment, and know their roles in that environment,” advises Stacy Hughes, Chief Information Security Officer at Global Payments. “You should know if those vendors are PCI DSS compliant and if they are implementing their processes securely.”

In addition, verify which security functions your payment provider offers, such as encryption, tokenization and 3D Secure, to reduce the exposure of your customers' data and your fraud risk. A well-secured vendor can offer payment security products that greatly strengthen your protection and reduce your chance of becoming the victim of a data breach.

2. Security patches

Another common vulnerability involves security patches. In many cases, businesses are not aware that the security patches for their firewalls, antivirus software or software platforms are out of date. Software and platform providers regularly release security updates, but those updates only protect against cyber attacks once the business actually installs them.

“You should complete every necessary security patch on all systems that are linked to your processing environment,” said Hughes. “You can schedule these routinely so you don't have to worry about missing any necessary changes.”


3. Weak or stolen passwords

According to Verizon's 2019 Data Breach Investigations Report, 80% of hacking-related breaches involve compromised or weak credentials. Typically, weak passwords are the result of keeping the default passwords supplied by third-party vendors, such as “password,” “welcome” or “12345.” In many cases, account holders forget or fail to change the password that the vendor assigned for first-time entry. The end result? Hackers exploiting this vulnerability.

“It's imperative that you create unique passwords associated with your computer systems, internet access and payment environment,” Hughes says. “Use strong passwords that include at least seven characters with numbers, symbols and letters – at least one capitalized. And change it frequently, preferably every three months.”

Stolen passwords are most often obtained by hackers through phishing attacks. Hackers pretend to be a legitimate contact (for example, a member of the IT team) and reach out to your employees to trick them into handing over their password.

“It's crucial to train your employees on how to protect themselves from phishing attacks, as well as on company security policies. For instance, employees should know to never give out their passwords or login credentials and to be suspicious of emails requesting them,” Hughes says.

4. Ecommerce vulnerabilities

Card data thieves scan websites for a number of weaknesses, such as weak or outdated SSL/TLS certificates and outdated software platforms. Platforms like Adobe's Magento regularly release security updates so that the software can withstand the latest cyber attacks. However, the individuals responsible for managing the ecommerce implementation often are not aware of these updates, or simply have not taken the necessary steps to apply them. This leaves the site open to attack. Cybercriminals can then deploy JavaScript skimmers: they inject malicious JavaScript code into the merchant's website, and that code steals the credit card data as customers enter it.

What's more, cybercriminals are now sophisticated enough to create copies of the merchant's shopping cart or payment iframe so they can steal card data. To the cardholder it appears they are still on the merchant's website when, in fact, they are not.
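As an added example, not code from the article or from Global Payments, here is the kind of baseline check a merchant can run against its own checkout page to catch the injected scripts and copied frames described above: it records the hashes of the page's inline scripts and the hosts that its scripts and iframes load from, then flags anything that later appears outside that baseline. The host names and sample HTML are constructed for this example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts or frames on the checkout page (assumed for this example).
ALLOWED_HOSTS = {"shop.example", "static.shop.example", "pay.shop.example"}
# Constructed known-good checkout page, recorded as the baseline.
GOOD_HTML = """<html><head><script src="https://static.shop.example/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script></head>
<body><iframe src="https://pay.shop.example/form"></iframe></body></html>"""
# Constructed copy of that page after two injections: a script from an unknown host and a new inline script.
TAMPERED_HTML = GOOD_HTML.replace("</head>", '<script src="https://cdn.unknown-host.invalid/a.js">'
                                  '</script><script>/* injected */ var x = 1;</script></head>')

class _Collector(HTMLParser):  # gathers script/iframe src URLs and inline script bodies
    def __init__(self, html):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        elif tag == "script":
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def _digest(body):
    return hashlib.sha256(body.encode()).hexdigest()

def inline_hashes(html):  # baseline: SHA-256 of every inline script on a known-good page
    return {_digest(b) for b in _Collector(html).inline}

def audit_page(html, allowed_hosts, baseline):
    """Return (finding, detail) pairs; an empty list means the page matches the baseline."""
    c = _Collector(html)
    findings = [("unexpected-script-host", s) for s in c.srcs
                if urlparse(s).hostname not in allowed_hosts | {None}]  # None: same-origin relative URL
    findings += [("unknown-inline-script", _digest(b)) for b in c.inline if _digest(b) not in baseline]
    return findings
```

Running `audit_page` on a fetched copy of the live checkout page on a schedule, with the baseline taken after each legitimate deployment, turns a silent skimmer injection into an alert; any finding should be treated as a possible compromise and handled with the steps at the end of this article.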

Any entity that handles credit cards and accepts them as payment is responsible for ensuring they handle all credit card data securely as guided by the Payment Card Industry Data Security Standard (PCI DSS).

To help you stay on top of security, the following due diligence checklist can help:

  • Have your software platforms been patched with any and all security updates? Are you using the latest version of the software?
  • Do you know whose responsibility it is to implement the updates and patches? Yours or the hosted service provider's? Visit the PCI Data Security Standards and reference the roles and responsibilities breakdown in the appendix. It's important to ensure your shopping cart has the most up-to-date security features when accepting payments via the internet. Having a third party such as your payment processor or acquirer maintain or “host” some of these features, including the JavaScript or iframes, can help better secure your customers' data.
  • Ensure you're utilizing the most secure SSL/TLS configuration, such as TLS 1.2.
  • Always remember the big three elements present in most breaches:
    • Software updates and patching are baseline controls critical to your security
    • Password management and strong passwords are essential
    • Tightly manage and limit administrative access, as well as any remote access to the administrative portal

If you discover or have been notified that a compromise may have occurred, take these steps:

  • Stop processing on the compromised ecommerce environment, at least temporarily. Seek alternative processing methods such as credit card terminals through dial-up.
  • Do not delete anything or attempt to “clean up” any data. This could impact the success of any needed investigation.
  • Customers of Global Payments should notify us immediately.
  • Notify your third-party hosting provider (if applicable).

As you navigate today's new commerce landscape, we're here to help keep your business and your customers safe. To do so, we created the Merchant Protection Program to assist you with securing your processing environment and achieving PCI DSS compliance. Another helpful resource is the PCI SSC Merchants Microsite, which has many useful guides including patching resources to help with outdated software.