
Best Practices for eCommerce Merchants Against Cyber Threats


Visa has put out a warning about a sophisticated group of cyber criminals who are carrying out large-scale, organized attacks on merchant accounts. The group, known as FIN6, uses phishing emails to get its malware into merchants' payment processing software. So how do they do it?

When customers place orders with an infected merchant, their credit card data is copied over to servers controlled by FIN6. The stolen credit card information can then be sold on the black market to other fraudsters.

Cyber security experts consider FIN6 to be one of the largest and most aggressive groups currently operating. Some analysts have estimated the value of their stolen card data to be upwards of $400 million.

Less quantifiable is the damage to consumers' trust in online shopping when thefts like this occur. Even when breaches involve technological exploits that merchants can't be expected to have anticipated, it's easier for customers to blame the merchant they know rather than shadowy, faceless cyber criminals. So it's up to merchants to employ the best practices possible to protect themselves from these kinds of attacks.

Recommended Defenses

FIN6's methods may be highly advanced, but there are still plenty of practical steps merchants can take to reduce their likelihood of becoming victims. These are the procedures Visa recommends for this type of cyber threat:

Assess Your Condition
The first thing to do—and the step you'll want to repeat regularly—is to find out if you're already infected. Visa has laid out a list of indicators of compromise (IOCs) that you (or your IT staff) can look for. These mostly consist of file names and network activity.
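
The kind of check this step describes, as an added example that is not code from Visa or from this article: it matches a file inventory and an outbound connection log against a list of file-name and network indicators. Every indicator value, sample path and log line below is a constructed placeholder, and the `dst=... port=... host=...` log format is an assumption; substitute the values from the actual advisory and your own log layout.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed placeholder indicators; replace with the values from the advisory.
IOC_FILE_NAMES = {"placeholder_scraper.exe", "placeholder_loader.dll"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_DOMAINS = {"exfil.example.net"}
# Constructed sample data standing in for a file inventory and an egress log.
SAMPLE_FILES = [
    r"C:\Program Files\POS\pos_client.exe",
    r"C:\Windows\Temp\PLACEHOLDER_SCRAPER.EXE",
    r"C:\Users\cashier\Documents\report.docx",
]
SAMPLE_CONNECTIONS = [
    "2024-01-01T02:14:07Z pos-01 dst=203.0.113.10 port=443 host=updates.example.com",
    "2024-01-01T02:14:09Z pos-01 dst=198.51.100.77 port=443 host=-",
    "2024-01-01T02:15:30Z pos-02 dst=192.0.2.5 port=53 host=cdn.exfil.example.net",
]
CONN_RE = re.compile(r"dst=(?P<dst>\S+) port=(?P<port>\d+) host=(?P<host>\S+)")

def match_files(paths, bad_names=IOC_FILE_NAMES):
    """Return paths whose base name matches an indicator, case-insensitively."""
    bad = {n.lower() for n in bad_names}
    return [p for p in paths if PureWindowsPath(p).name.lower() in bad]

def match_connections(lines, networks=IOC_NETWORKS, domains=IOC_DOMAINS):
    """Return (line, reason) for log lines touching an indicator address or domain."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m["dst"])
        except ValueError:
            ip = None
        host = m["host"].lower().rstrip(".")
        if ip and any(ip in net for net in networks):
            hits.append((line, f"ip:{ip}"))
        elif any(host == d or host.endswith("." + d) for d in domains):
            hits.append((line, f"domain:{host}"))  # exact or subdomain match
    return hits

if __name__ == "__main__":
    for path in match_files(SAMPLE_FILES):
        print("file indicator:", path)
    for line, reason in match_connections(SAMPLE_CONNECTIONS):
        print("network indicator:", reason, "|", line)
```

File-name matches are weak evidence on their own because names are trivially changed, so treat a hit as a reason to investigate the host rather than as a verdict, and treat a clean run as inconclusive.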

Install All Required Security Patches
Keeping your payment processing software up to date with all the latest patches is mandated by the Payment Card Industry Data Security Standard (PCI DSS), which means that, as a merchant, you should already have this covered. If you've let it slip for any reason, get your software patched and updated immediately.

Make a Habit of Scanning for Malware

FIN6's scheme requires malware programs to be installed on their victims' computers, transmitting stolen data back to them. Scanning for malware should be routine for every system in your network. Don't rely on free programs you can download off the internet; when the theft of cardholder data is at stake, you need professional-grade security services.


Use a Fully-Hosted Checkout Solution
This may not be feasible for every merchant, but for those for whom it's a viable option, outsourcing the checkout process ensures that your own computers won't be the originating source of any cyber attacks. The hosting company, which receives the payment data directly from the customer, would be responsible for protecting cardholder information. Even embedded forms like Visa Checkout can provide this added layer of separation between the merchant and the payment credentials.

Use a Payment Processor Validated by the PCI DSS
Going beyond just the checkout page, you can contract any and all of your payment processing operations to third-party providers. They can be responsible for storing, transmitting, and processing payment data, giving the merchant fewer points of contact with this data and leveraging their own security assets against any possible attacks.

When choosing a third-party provider, Visa recommends selecting one that has been registered and validated by the PCI DSS.

Shore Up Overall Security
Lastly, Visa recommends following a number of common-sense security protocols that will defend against FIN6 attacks as well as the more ordinary ones you're likely to see coming from garden-variety fraudsters:

  • Set up a firewall to protect your web applications from suspicious requests. There are low-cost and even free programs that can do this.
  • Limit access to administrative accounts only to individuals who absolutely need them.
  • Use strong passwords and two-factor authentication.
  • Regularly patch all software used in your ecommerce operations.
  • Regularly scan your network for suspicious activity.
  • Consult PCI DSS's website for industry best practices.
  • Train your staff to follow best practices and recognize suspicious activity.


From a chargeback management perspective, it's very important to know and follow best practices for ecommerce security and to be aware of the newest and most serious threats. The chargebacks that result from stolen card fraud are the legitimate kind that cannot ethically or effectively be fought; all you can do is accept them and blame the fraudster for creating a bad situation for merchant and customer alike.

The good news is that when you reduce your vulnerabilities to legitimate fraud chargebacks, the majority you're left with are the sort that you can fight against—and win—if you have the right documentation to back up your case. Along with good record-keeping, carefully formulated return policies, and other good operational practices, you must have thorough and up-to-date cyber security measures in place to protect yourself.

Fraudsters will always come up with new ways to take advantage of companies like yours. Chargeback Gurus can help you to fight and prevent these scams. For topic requests, questions or advice, please submit them to:
