The Green Sheet Online Edition

December 12, 2011  •  Issue 11:12:01


'Tis the season of happy (hacker) days

By Rich Running

Did you know the Information Systems Audit and Control Association predicts the average American will spend 32 hours shopping online this season? The outlook for cyber shopping is indeed optimistic, especially since the first-ever billion-dollar spending day occurred last December.

In total, 2010 holiday e-commerce spending reached a whopping $32.6 billion, according to comScore Inc. And eMarketer expects at least 12 percent in online sales growth during November and December 2011.

Hackers love the holidays

Unfortunately, when online shopping increases, so do opportunities for hackers. An influx of online customers ushers in a hacker invasion seeking to exploit unsuspecting, careless, rushed shoppers. Successful online holiday sales can put a merchant's e-commerce business in more jeopardy than ever.

Business networks are the most vulnerable during the three weeks following Thanksgiving, according to the ISACA. Website security should be top of mind for retailers. Your merchant customers may think, "I was fine last year, so I'll be fine this year." These are the famous last words of nearly every hacked business.

The truth is security problems are getting worse; hacking is becoming easier. In years past, hackers required exceptional computer skills to gain entry into someone's system. Those days are gone. Hacking templates are increasingly popular, with experienced hackers creating scripts that help amateur hackers easily gain access to websites. Hacking has become child's play.

Protecting your merchants

The Privacy Rights Clearinghouse found that 80 percent of small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years of the breach. Even if an online business avoids the forensic fines, auditing costs and card brand penalties, customers don't forget a lack of security. Hackers use customer information to apply for credit, take over existing accounts and order from online stores. Customers avoid websites that have been hacked.

While it may be difficult to put visions of revenue on the back burner and focus on security, it's well worth the time. It is crucial for your merchant customers to know the potential security risks of e-commerce and learn how to protect their brand and customer information. Fortunately, you can help merchants avoid security liability during the holidays in several ways.

Don't store it

An effective way to protect merchants is to prevent customer card information from being stored on their business networks. A card data discovery tool can help retailers find customer card data on their systems and greatly reduce any chance of card data theft. After all, merchants can't lose what they don't have.

Bob Russo, General Manager of the PCI Security Standards Council, spoke in 2010 regarding data discovery. "Before you bring in a QSA [Qualified Security Assessor], you really need to use some kind of methodology to find where cardholder data is on the network," he said.

A good card data discovery tool takes less than five minutes to download and begin using. It checks a network for anything that may resemble card information so merchants can securely delete the data and potentially identify its source.

Also, as human beings, we have a tendency to overlook flaws in our own creations. That is why authors have editors, builders have inspectors and merchants have Approved Scanning Vendors (ASVs). An ASV will regularly scan a merchant's site for exploitable vulnerabilities and alert the merchant so he or she can address issues before they become problems.

It is important for merchants to take care when selecting an ASV. They must ensure that the ASV is reasonably priced, PCI council-approved and provides a person who can field their questions.

Configure and update

It's not enough to install a firewall; it must also be configured correctly. If a firewall is not correctly configured, hackers may enter a network and install malware. This malware probes a merchant's network and can be programmed to aggregate sensitive payment information and send it to criminals.

Proper firewall configuration entails simply adding rules to block traffic into and out of a merchant's system by controlling access to certain vulnerable ports. By default, a firewall may be entirely open, closed or somewhere in between. Controlling outbound traffic is just as important as controlling inbound traffic, because if someone does happen to sneak in, he or she shouldn't be able to take any information out.

Applications regularly release updates to patch security holes. Security is the number one reason to continue updating to the latest version of the software you're using. Once hackers know they can get through a security hole, they pass that knowledge on to other hackers who can exploit that knowledge. You must install updates on Internet browsers, firewalls, application software, POS terminals and operating systems to fix holes that hackers could squeeze through.

Be vigilant

Remind merchants never to send sensitive account details, such as unencrypted passwords, user names or credit card details, to their customers by email, or to receive such details by email. You never know who is on the other end of the email you are sending or who may be watching it on its way there.

Customers are becoming more security-savvy and now check for certain security cues when browsing and shopping. According to research done by Synovate/GMI, 83 percent of online consumers want more assurance that their information is secure.

Tell merchants to check their websites from the outside in by examining their landing and transaction pages specifically for security. Make sure each page indicates a strong level of encryption with an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate in the URL.

Check for evidence of malware such as pop-up ads and suspicious activity.

An e-Christmas wish list

Following is a checklist of the important points in this article. It's not all-encompassing, but it is a tool you can give merchants to help ensure their businesses are naughty, not nice, to hackers this year.
