Black Friday and Cyber Monday have come and gone, but was your checkout security ready to stop cyber threats?
Q4 is set to break the spending records of previous years, particularly in online shopping. Projections show spending was set to hit $143.7 billion this year, a huge 14.1% increase over last year. Yet many online shops admitted they felt unprepared should a cyber attack target their online store. Order pages and checkout security top the list of fears, with news of fraud tactics (like e-skimming) dominating the headlines.
This period is always the busiest time of year for online retailers. High-risk merchants are so busy dealing with huge spikes in traffic and orders that suspicious behavior is hard to detect, and it can be weeks or months before you notice an issue. Many online merchants only become aware when a high volume of chargebacks is reported, sometimes resulting in irreparable damage to their merchant account.
Cyber criminals are aware of these vulnerable points. They see it as an opportunity. Big brands (e.g. Verizon, Home Depot, Equifax and Kmart) have already had payment data stolen. Thus, you need to be extra vigilant to survive this period unscathed.
So, how do internet merchants establish a secure checkout and avoid a breach?
Checkout security (or lack thereof) poses the biggest threat to online merchants
First on the list for shoring up cyber defenses is the order page. Order page security can be easily compromised. Whilst there are many types of attacks, the most common method used to steal customer payment data today is e-skimming. Many merchants have fallen victim to this type of attack in recent months.
This method sees attackers gain access to your site either via a successful phishing attempt, brute force attack, XSS (inserting malicious code), or third-party compromise. Once inside they then capture (in real time) the payment information your shoppers enter into each order page. This data is then used to facilitate shopping sprees for high-ticket items, adult entertainment, and expensive electronics.
As mentioned, third-party compromises are a common method for hackers to harvest valuable customer data. That’s why extra care must be taken when outsourcing web design and development work to cheaper and foreign teams. All it takes is one lax employee to completely debilitate a merchant’s website.
Even a small breach can result in the following consequences for a high-risk merchant:
- Lost confidence, so customers go to other merchants
- Online customer complaints and negative reviews
- Losses due to increased chargebacks and refunds
- Possible fines and penalties from card networks or your payments provider as well as legal costs required to handle the customer issues and complaints
- A terminated merchant account, be it MATCH or terminated merchant file (TMF)
- As a result of the above, going out of business can be a possibility
How can online merchants operating in high-risk verticals increase security?
Operating in consumer markets such as adult entertainment, health supplements and various subscriptions deems merchants high risk, which is why it’s so important to go above and beyond in protecting your customers’ personal data. Here are some tips to increase security within your organization.
Implement strong unique passwords
Weak passwords result in over 80% of company data breaches. Ensure portals (e.g. shopping cart, CRM, gateway) used to store customer data have two-factor authentication and a strong password. Strong passwords are at least eight characters. They also contain upper and lowercase letters, numbers and symbols. Passwords should never be shared with anyone. Each user logging in to these portals should have unique, private usernames and passwords.
Never use the same password for different software like your gateway, CRM or payment provider portal. Consider using a password manager. Never share sensitive information. Also, ensure security questions only contain answers you know so logins can’t be reset.
Often hackers look for weaknesses in devices such as laptops, desktops or cell phones. Protect them with the latest anti-virus software, rigorous firewalls and other tools. It’s also a great idea to have two-factor (or multi-factor) authentication. Make sure you have session timeouts set to a few minutes wherever customer data is accessed, making it more difficult for attackers to gain access.
Train employees on how to spot phishing attacks
Phishing attacks have moved on a long way from emails telling you you’ve won the lottery, or that a prince is looking to share his wealth and all you need to do is send your bank account information across to receive it! Phishing emails today can look identical to those sent by your acquiring bank or suppliers. Therefore, you need to train staff to be extra vigilant over this Christmas period.
Items to look out for include:
- Obvious spelling and grammatical mistakes in customer names, email addresses or any personal customer data.
- Having too many customers from the same IP or using the same email address
- Card numbers that have the same BIN number that appear too often in a short time frame. The BIN number (Bank Identification Number) is the first 6 digits of the card. Often times fraudsters get a list of credit card numbers from the same BIN or have acquired prepaid cards from the same BIN that they plan to use for fraudulent purposes.
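As an added example (not code from the original article), the velocity signals listed above, checked over a few constructed order records: repeated BINs, repeated source IPs and repeated e-mail addresses inside a sliding time window. The thresholds and the sample data are assumptions.

```python
# Added example: velocity checks for the fraud signals listed above,
# run over constructed order records (not real data).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (timestamp, source IP, e-mail, masked card number).
# The first 6 digits of the card are the BIN; the rest is illustrative only.
SAMPLE_ORDERS = [
    ("2023-11-24T10:00:00", "203.0.113.5", "a@example.com", "411111******1111"),
    ("2023-11-24T10:02:00", "203.0.113.5", "b@example.com", "411111******2222"),
    ("2023-11-24T10:03:00", "203.0.113.5", "c@example.com", "411111******3333"),
    ("2023-11-24T10:04:00", "203.0.113.5", "d@example.com", "411111******4444"),
    ("2023-11-24T12:30:00", "198.51.100.7", "e@example.com", "555555******5555"),
]


def bin_of(card: str) -> str:
    """Bank Identification Number: the first 6 digits of the card number."""
    return card[:6]


def flag_velocity(orders, window=timedelta(hours=1),
                  max_per_bin=3, max_per_ip=3, max_per_email=2):
    """Return (kind, value, count) alerts for any BIN, IP or e-mail that
    appears more than its limit inside a sliding window.  Limits are assumed."""
    orders = sorted(orders, key=lambda o: o[0])
    seen = defaultdict(list)  # (kind, value) -> timestamps inside the window
    alerts = []
    for ts, ip, email, card in orders:
        t = datetime.fromisoformat(ts)
        keys = ((("bin", bin_of(card)), max_per_bin),
                (("ip", ip), max_per_ip),
                (("email", email), max_per_email))
        for key, limit in keys:
            recent = [x for x in seen[key] if t - x <= window]  # drop stale
            recent.append(t)
            seen[key] = recent
            if len(recent) > limit:
                alerts.append((key[0], key[1], len(recent)))
    return alerts


if __name__ == "__main__":
    for kind, value, count in flag_velocity(SAMPLE_ORDERS):
        print(f"review: {count} orders from {kind} {value} within the window")
```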
How to reinforce order page data and checkout security
Poorly bolstered checkout security and order pages provide criminals with clear targets for stealing sensitive data. Thus, every step taken to improve security defenses is crucial. Here’s how to ensure your site is both protected and compliant with modern standards.
Only store data you need
First and foremost, you should only store customer data that is critical in the everyday running of your business. Holding on to unnecessary volumes of data could see you lose that information to hackers. Furthermore, you could be risking compliance issues with the Payment Card Industry Data Security Standard (PCI-DSS), General Data Protection Regulation (GDPR), and California Consumer Privacy Act (CCPA).
Secure your website with encryption
There is no excuse for your website not to use the SSL (Secure Sockets Layer) protocol to encrypt information in transit. Not only do SSL encryption certificates help to protect items such as credit card information, they help to build brand awareness and credibility with customers. Google has even come out and admitted that it penalizes websites that have yet to implement SSL protocols. Not encrypting your data is costing you sales!
Review third-party software and plugins regularly
Undertake regular reviews of all the third-party solutions you’re running within your store. Make sure that you know what they are, and if you’re no longer using them, remove them immediately. Never leave an old plugin active. Updates occur for a reason. Not updating plugins provides a back door for hackers to enter your website. The aim should be to reduce the number of third parties accessing your customers’ data while still operating your website.
Security for payment gateways and shopping carts
All online merchants need to make sure that their checkout pages are up to standard in order to work with popular payment gateways such as NMI. They, like many other providers, stipulate that carts have to be a minimum of Transport Layer Security (TLS) 1.2 standard in order to send transactions. However, merchants should aim for much higher. Merchants will likely need to invest in SSL certificates with the latest version of TLS installed. Free certificates provided with shared hosting no longer cut it for online businesses collecting customers’ private data.
Of course, there is a positive branding aspect to this upgrade as well. Customers will feel more comfortable when they see a big green padlock at the top of their page when checking out. So, they are less likely to abandon their cart as trust symbols help your conversions. This is particularly the case for consumers who are ordering on mobile versions of your website.
Merchants should be working with payment gateways that help with security and machine-learning anti-fraud measures such as 3DS2. Also look for providers who take advantage of tokenization technology.
Tokenization makes customer authentication during purchase possible without affecting the transaction’s security. A token is a random string of characters that replaces sensitive information, such as a 16-digit credit card number. So, a stolen token number is meaningless to cyber criminals.
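As an added example (not the article's or any gateway's code), a minimal in-memory token vault showing the point made above: the merchant's order record keeps only a random token and a masked display form, so a copy of that record contains nothing usable. The Luhn check, the token format and the sample card number (the widely used 4111 1111 1111 1111 test number) are assumptions for illustration.

```python
# Added example: a toy tokenization vault.  A real deployment uses the
# payment gateway's vault; this only illustrates what a token is and is not.
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> PAN mapping.  Only the vault sees card numbers;
    the merchant's own database stores tokens and masked values."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)                 # strip spaces/dashes
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_urlsafe(24)   # random, unrelated to PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def masked(pan: str) -> str:
    """Keep only the last 4 digits for receipts and order screens."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def order_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's database is allowed to keep for an order."""
    return {"token": vault.tokenize(pan), "display": masked(pan)}
```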
Follow PCI compliance protocols
Adhering to PCI security guidelines is a must. Non-compliance fees from card companies are an unnecessary hit to your bottom line over time. Holes in your security could leave your web presence open to an attack so severe that it cripples your business. Breaches as a result of non-compliance have negative consequences. This includes hefty fines, costs associated with forensic research, and huge legal/PR costs. Even worse is the loss of credit card processing if you get MATCH listed or TMF’d.
Despite those risks, recent surveys have found that only half of companies are compliant. Worse still, increasing numbers of merchants are failing their PCI compliance tests. Compliance is measured by a self-assessment questionnaire which differs for each industry. You can also complete a PCI scan. An approved vendor will inspect your site for vulnerabilities. Make sure to undertake annual audits and relay changes in compliance requirements to web development teams.
Poor checkout security results in negative consequences
Cyber attackers take advantage of the high volume of holiday season transactions. They do this to test a website’s defenses. Plus, they sneak into website infrastructure undetected. By taking the right action, merchants can mitigate most of the risks associated with holding sensitive consumer data. High-level encryption, strong passwords, regularly-updated software, and tokenization are a few helpful defences. They stop would-be hackers in their tracks.
Not investing in order page and checkout security at such a crucial time of year can ruin sales for Q4 and permanently thereafter. The effects of a data breach are difficult to overcome for high-risk merchants, especially those that get MATCH listed or TMF’d as a consequence. So, it’s not worth the risk.