The Green Sheet Online Edition

June 27, 2016  •  Issue 16:06:02


Be vigilant about data vulnerability

When it comes to the inherent risks of protecting business data, the landscape is constantly shifting. While the entryways for fraudsters to steal information have not changed dramatically, the highly motivated fraudster community is relentlessly seeking and finding new modes of attack, making risk mitigation a tricky business.

Criminals are generally considered crafty people, but data thieves, in particular, are ranked in the upper echelon of offenders. This is primarily due to their stealth, which makes their strikes tough to anticipate. This factor gives them the offensive position and leaves business owners to continually live on the defensive.

When a business accepts any form of electronic transaction, it is more susceptible to fraud. Thus, data vulnerability takes on a new dimension. This is why payments industry leaders have taken steps to implement merchant accountability measures such as EMV (Europay, MasterCard and Visa) and the Payment Card Industry Data Security Standard.

Yet, as any risk and security professional would counsel, these steps tend to drive perpetrators into dark corners where they can contemplate the next phishing scheme or viral attack.

Risk models

Certain business types are at greater risk than others. High-volume retailers, for example, must have rock-solid security practices in place. Even the simplest steps, such as immediate firewall updates or routine scanning for possible points of failure, can make the difference in being able to prevent fraudsters from sneaking in through a back door.

"So far in 2016, the monthly percentage of scans that we've seen pass on the first attempt has remained steady, hovering between 66 and 71 percent," said Cory Miller, Director of Security Operations at ControlScan Inc. "Failures are most often a result of weak or deprecated encryption, outdated software, insecure remote access or SQL injection vulnerabilities."

The Internet is also a breeding ground for fraud due to the vast amount of data that passes between consumers and businesses each day. As small to midsize businesses increase usage of contemporary call-to-action buttons and request forms, vulnerability will also increase. With little to no resources for conducting ongoing security scans, these businesses fall prey to perpetrators simply because they wrongly assume their payment gateways are covering all their security bases.

"We have seen on many occasions businesses leaving themselves open to attack by lacking basic input validation in their web forms," Miller said. "What may seem like an innocuous form field can lead to leakage of sensitive data if businesses aren't demonstrating secure coding practices and regularly testing their applications."

Businesses that use call centers or take payments by phone are also at risk. While these companies must have smart social engineering plans, their data-entry environment is also an open door to fraud when security measures are overlooked.

"Take the data away from the equation and then there is no opportunity for fraud," Iain Regan, Global Sales Director at Semafone Inc., told The Green Sheet. "This is the key to supporting the multi-channel payments journey securely."

Semafone, a global voice security company, counsels clients to allow call center workers to telecommute, when possible. Regan noted this tactic makes it more difficult for hackers to find a system entry point, and it enhances workforce stability, which also promotes greater security. "It's an emerging business model because it helps a company retain quality people, and that's the biggest issue in this space," Regan said. "Companies are finally going away from the Draconian environment where they lose good people."

Latest vulnerability measures

In today's business climate, it appears the need for third-party vulnerability scanning remains high. ControlScan confirmed that its latest projects are to address legacy encryption and weak ciphers, SQL vulnerabilities on web apps, out-of-date software, and end-of-life operating systems.

"External vulnerability scans provide visibility into the weaknesses left exposed to the Internet every day," Miller said. "External testing is important because it provides a glimpse into what outside attackers are seeing."

Other security companies are exploring new techniques, such as passive vulnerability assessments, which are designed to sniff everyday data interactions instead of conducting broad scans to proactively hunt for inconsistencies and other red flags.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
