We count down 20 information security tips for payment processors in Data Protection 101, our series on the fundamentals of information security.
There are two primary drivers behind the premium that payment processors place on information security:
- They want to avoid public embarrassment and lawsuits associated with the loss or unauthorized release of customer information. It is also a good way to ensure that their reputation is intact and that users can trust them with their money and their financial details.
- They want to make sure that payments are processed the right way. If something goes wrong at any step of the process, it could mean sales losses and errors in order fulfillment.
Information security covers a wide variety of concerns and threats. Some are technical and related to technology. Others involve humans, such as a disgruntled employee or a third party who has physical access to the information systems.
The potential for financial fraud is higher for online transactions than in-store dealings. However, with the right processes and tools, it is possible to mitigate the risk of an attack and keep customer data safe to protect the business. This also helps avoid chargebacks, penalties, and unnecessary fees and fines.
General Information Security Tips for Payment Processors
Information security as a whole is incredibly complex. At the end of the day, sound information security practices for payment processors can be summarized into three main overarching objectives:
- Do everything that a company would normally do when it comes to cyber and information security.
- Remain compliant with established regulations.
- Monitor all endpoints (continuously).
Adhere to all security best practices and keep everything up to date.
As a payment processor, you are required to do everything an ordinary company would do to keep its systems secure. For instance, you need to ensure that you have the right anti-virus and anti-malware software. You should also update your software and operating systems as soon as new updates are available.
This ensures that all security patches are applied and minimizes the chance of cyber criminals exploiting a known vulnerability. Meanwhile, anti-malware and antivirus software is a deterrent that can help you avoid attacks that leverage vulnerabilities in outdated software.
While implementing top-notch information security protocols can be complicated, there is a good shortcut: strive for compliance with the relevant payment regulations. The Payment Card Industry Security Standards Council (PCI SSC) publishes the PCI Data Security Standard (PCI DSS), a list of requirements for PCI certification that can serve as your checklist for keeping personal and sensitive information secure. You are not required by law to be PCI compliant, but being certified communicates that you take information security seriously and that your customers can trust you.
If you process credit card payments, then being PCI compliant can protect you from hefty fines in the event of a data breach.
Another set of rules that you need to know is Europe’s General Data Protection Regulation. The GDPR establishes a list of security measures that you should remember in order to keep your customers’ private and personal data secure. GDPR compliance is especially important if you have payers who live in or are citizens of the European Union.
Check all endpoints.
These tips involve common-sense steps that you should take to make sure that your customers' data are safe. You should always use private Internet connections instead of public Wi-Fi networks when dealing with payments. Also, limit the number of people who can access these details.
Moreover, you should make sure that every component of your system is secure. Do not limit yourself to installing antivirus and anti-malware software; you should also check every point-of-sale terminal, credit card reader, and every other endpoint connected to your system.
Keep reading for 20 essential information security tips you should know (and follow) as a payment processor.
1. You might want to consider moving credit card details to a third party.
If you are a merchant that handles your own payment processing and need to store credit card numbers, you might want to use a third-party company for this purpose.
For example, if you need to have credit card data stored for recurring or installment billing, you can use a credit card vault provider. The provider will give you a token that you can use for billing purposes. You do not store the details yourself.
Third-party companies can be better at keeping credit card details secure. You still have access to these details even without storing any of the data on your end. The provider is probably better equipped and has the expertise and security controls to handle sensitive financial information. Just be sure to properly vet your provider and make sure they follow the same or better security protocols.
2. SSL certificate is not enough.
Some people might think that they are secure online just by implementing SSL certificates, but this is not true. In fact, if you currently have software running SSL 3.0 or lower, you need to upgrade to something that uses Transport Layer Security (TLS).
SSL and TLS are used to secure websites, e-mails in transit, files, remote network logins, and remote databases.
Once you have switched over from using only SSL, you also need to make sure that the new setup is secure. You might need to conduct a new penetration test and vulnerability scans to guarantee that no new vulnerabilities are present.
You should also make sure that you have the latest TLS version. You can enable automatic updates to make this simple.
3. You need vulnerability scanning.
If you store cardholder data or other sensitive financial and personal information, you should have a third party conducting vulnerability scanning for you. This indicates that not only are you aware of your system's weak links but that you are able to plug them. You also need to undergo vulnerability scanning in order to stay compliant with PCI SSC rules.
4. Get to know what a vulnerability scan is and what it involves.
A vulnerability scan uses an automated tool that checks your systems for vulnerabilities and security holes. These tools use your IP address to remotely scan your networks and applications and create a list of vulnerabilities in the devices, systems, and services that hackers and cybercriminals could exploit.
The good news is that there are scanning vendors recommended by the PCI SSC and other agencies that you can work with. Plus, vulnerability scanning can be very simple. There are providers that can do vulnerability scanning without you having to install anything on your computer or network.
5. Perform vulnerability scans on a regular basis.
Because hackers and cybercriminals can be creative and flexible, and new vulnerabilities are discovered almost on a daily basis, you should complete a vulnerability scan every 90 days, or at least once every quarter. If you are aiming for compliance, you need to have a passing scan.
6. Monitor all transactions.
Transaction monitoring is when you supervise critical applications and services by looking at each transaction that comes into your infrastructure. There are several monitoring tools that can help ensure fast performance and troubleshoot bottlenecks in your system. Studying these transactions, along with other log files, can help you identify security threats both from within your organization and outside of it.
However, you need to make sure that all logs and transactions are secure. All firewalls, servers, devices, and other IT assets must be impenetrable. Good log management software will help you analyze transactions and secure your IT assets.
7. Use an address verification system.
An address verification system compares a person's billing address with the address on file. It helps fight fraud when dealing with credit card transactions and uses the numeric portions of a billing address. For example, if your billing address is “567 Market St. Beverly Hills, CA 90210,” the AVS will check “567 90210.”
Not only does this protect you from fraudulent activity, but it also helps ensure that the billing address is correct without your customers having to verify.
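The numeric-portion comparison described above, carried through to the partial-match outcomes a processor actually has to make a decision on. This is an added example, not code from the original article; the single-letter result codes follow the common AVS response convention (Y full match, A street only, Z postal code only, N no match), and the addresses are constructed.

```python
import re

def avs_numeric_parts(address):
    """Extract the numeric portions of a billing address, as AVS does.

    Returns (street_number, postal_code): the street number is the first run
    of digits, the postal code the last run of at least five digits (so a
    ZIP+4 suffix such as "-1234" is ignored). Missing parts come back as "".
    """
    numbers = re.findall(r"\d+", address)
    postal = ""
    for n in reversed(numbers):
        if len(n) >= 5:
            postal = n[:5]
            break
    # A lone five-digit number is the postal code, not a street number.
    street = numbers[0] if numbers and numbers[0] != postal else ""
    return street, postal

def avs_check(entered, on_file):
    """Compare the address the payer entered with the issuer's address on file.

    Partial matches (A or Z) are where the fraud decision really lives: a
    processor typically treats them as elevated risk rather than a hard pass.
    """
    e_street, e_zip = avs_numeric_parts(entered)
    f_street, f_zip = avs_numeric_parts(on_file)
    street_ok = bool(e_street) and e_street == f_street
    zip_ok = bool(e_zip) and e_zip == f_zip
    if street_ok and zip_ok:
        return "Y"
    if street_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"
```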
8. Require a CVV or card verification value.
Another way to fight fraud online is to require a CVV. CVV is a security feature that helps the system determine that the user has his or her credit card on hand. The CVV is a three- or four-digit number printed on the credit card itself.
Both the CVV and the address verification system will help thwart fraudsters who only have a credit card number.
9. Require stronger passwords for your users.
Sometimes, cybercriminals and hackers prey on users who are not concerned about how secure their accounts are or those who do not know the difference between weak passwords and strong ones. Some users disregard their online security and use very weak passwords.
Taking the time to choose a hard-to-guess password is very important. Even if hackers try to use brute force to guess users’ passwords, it will take them time to succeed at it. Most password-cracking software will first try combinations of a user’s name, address, birthday, city of residence, and other personal information, as well as words in the dictionary and popular number sequences.
If you think of it that way, then you can appreciate just how difficult it is to crack “65@L+V1N+dY0909,” as opposed to “1234567890.”
Here are the elements of a strong password:
- Is at least seven characters long.
- Does not contain the user's real name, user name, or company name.
- Is not a dictionary word.
- Has both upper case and lower case characters, numbers, and special characters.
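A checker that enforces exactly the four elements listed above, written as an added example rather than code from the original article. The dictionary word list is a constructed stand-in (a real deployment loads a much larger list), and the identity fields passed in are assumptions about what the registration form knows about the user.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption: a
# production check loads a much larger list, plus known-breached passwords).
DICTIONARY = {"password", "welcome", "market", "summer", "payment", "beverly"}

def password_issues(password, username="", real_name="", company=""):
    """Return the rules from the list above that `password` violates.

    An empty list means the password satisfies every listed element.
    """
    issues = []
    if len(password) < 7:
        issues.append("shorter than seven characters")
    lowered = password.lower()
    # Any word of the user's name, user name or company name, anywhere in the
    # password, fails the rule; words shorter than three letters are ignored.
    for label, value in (("user name", username), ("real name", real_name),
                         ("company name", company)):
        if any(len(w) >= 3 and w in lowered for w in value.lower().split()):
            issues.append(f"contains the {label}")
    # Strip digits and symbols so "Welcome1!" still counts as a dictionary word.
    core = re.sub(r"[^a-z]", "", lowered)
    if core and core in DICTIONARY:
        issues.append("is a dictionary word")
    classes = {
        "upper case": r"[A-Z]", "lower case": r"[a-z]",
        "number": r"[0-9]", "special character": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        issues.append("missing " + ", ".join(missing))
    return issues

def is_strong(password, **identity):
    """True when no rule is violated."""
    return not password_issues(password, **identity)
```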
10. Make it easier for your customers to recover their passwords.
Requiring your customers to use strong passwords will mean that some of them will inevitably forget what password they’ve used. That’s why it’s imperative to have a customer password management tool that can help them recover their passwords and log in. Without one, you will be handling far too many phone calls from frustrated users who can’t access their accounts.
Password recovery tools send users a temporary password to the e-mail address or mobile number connected with their account. This will allow the user to access their account and change the password. Alternatively, some services send a password reset link via email, which the user can click to set a new password.
11. Level up your access control.
Access control is no longer about just letting your users, partners, and vendors into their accounts; it is more about controlling what users can do with their accounts. This means that you need to manage your users’ credentials, giving more access to trusted users, partners, and vendors. This helps make your system more secure. Even if one user account is compromised, a hacker would not be able to do as much damage to your system if that user has minimal access to sensitive information.
Next-generation access control should work on a “need to know” basis, where users are only allowed access to the information they need to finish their tasks or purchases – nothing more.
Be sure to have all the necessary security checks when you accept mobile payments. Even if the buyer pays via mobile, the same level of security should be observed.
These mobile payment systems are not fail-proof. For instance, other than mobile payments made with near-field communication technology, there have been cases in which man-in-the-middle attacks intercepted the communication between a phone and the point-of-sale terminal to steal financial information.
Android Pay, Samsung Pay, and Apple Pay are deemed to be very secure. Apple even has several ways to authenticate transactions using fingerprint scanning when paying. Samsung Pay also has PIN and fingerprint authentication, as well as iris verification and face scanning.
12. Use a firewall to secure your web applications.
If you use a web application somewhere in your payment process, you should know that many web applications are vulnerable. Be sure to use a web application firewall to secure your web apps.
13. Use a four-pronged approach to stamp out human error.
Employees and other people can make mistakes that put your entire system at risk. As a payment processor, that could mean that financial data gets exposed or stolen. Here are four ways to help minimize the risks of human error:
- Malware prevention. Some employees unknowingly download malware onto their computer or mobile devices and then connect to your systems. You can avoid getting infected by these if you have anti-malware software installed on your systems.
- Access control. Limiting the credentials of your users is a good way to ensure that hackers and cyber criminals do only minimal damage even if they do obtain a legitimate user account.
- Access tracking. You should use logging mechanisms to monitor your users' activities and minimize the risk of compromising user data. In the event that there is hacking involved, knowing who used the system, what your users accessed, and where they went can help you figure out what kind of data the attackers have and how to minimize damage.
- Security awareness. More than anything else, your employees and other insiders should know and understand your company's information security policies. Training is imperative to educate people on what to do in order to keep the system safe and what to do if they suspect breaches or commit lapses.
14. Be on the lookout for DDoS attacks.
A Distributed Denial of Service, or DDoS, attack is when cybercriminals bombard you with traffic, thereby restricting or denying access for legitimate users to your payment processing system. For example, if your system can handle 100 users clicking on the login button at the same time, the attacker would send 100 or more fake login attempts, effectively shutting your system down.
Fortunately, there are several ways to fight DDoS attacks. For instance, you can write scripts or use firewalls to block malicious traffic. There is also special equipment that can detect and filter out malicious traffic. You can ask your ISP to either increase your bandwidth or offer some kind of mitigation against these attacks. However, the best way is to work with a cloud service provider that can help mitigate DDoS attacks and even add to your capacity in the event that you are experiencing these types of attacks.
15. Do more with penetration testing.
Passing a vulnerability scan is one of the requirements to be PCI compliant, but penetration tests do more than vulnerability scanning. A penetration tester is a trained engineer who acts like a hacker in order to help you discover vulnerabilities in your system. A penetration test also allows you to verify that your network is set up the way you intended.
16. Mask personal account numbers and other sensitive data.
As a payment processor, you are required to mask personal account numbers. As a rule, you are only allowed to display the first six digits or the last four digits of an account number. This is true whether the account number is shown on a screen or printed on paper.
You can display a maximum of four to six numbers, but the fewer, the better. In other words, if you do not need to display the account number, then you should not display it at all.
17. Evaluate your third-party service providers.
When it comes to security, you are only as secure as the weakest link. If your system has Internet of Things (IoT) components, then you should make sure that every IoT device or sensor is secure. For some companies, working with a poor third-party service provider can be their downfall.
If you have a real need to outsource any part of your payment systems, then you should conduct due diligence. Always check if the third-party vendor is secure; do not evaluate vendors on cost alone.
Be sure that all contracts and agreements are well crafted. Non-disclosure agreements should cover all security incidents. You might need to educate the third-party provider on your company's security policies and service level agreements.
There should also be well-defined service level agreements where you and the third-party provider are very clear on who is responsible for what in terms of performance, security, and other related components.
18. EMV is not enough.
Banks and other experts have reported that EMV chips are more secure than magnetic stripes. Although they help to prevent fraud, EMV chips are not failsafe. Unlike a magnetic stripe, an EMV chip cannot be copied to make a fake credit card, even by someone who has the correct credit card number. However, when EMV cards are used, credit card numbers are still transmitted, and that information can be stolen in transit. EMV technology is also limited to preventing fraud in situations where the card is present; stolen card numbers can still be used online.
To fully protect your payers, you must ensure that credit card details are protected in transit.
19. Use tokenization.
If you are dealing with credit card numbers and other personal financial information that is used repeatedly, you can use tokenization to help secure the data.
This is a process where sensitive data are converted into random data that can be stored and used later. For instance, instead of storing the credit card number 5678 9101 1121 1314, the card number is converted to a random code such as dbd-1115ajcd. Even if somebody were able to steal the token, it would be utterly useless to them.
Tokenization is able to secure details when data is at rest.
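The token-for-card-number exchange described above, together with the masking rule from tip 16 (never more than the first six and last four digits on a screen or receipt), as one added example that is not code from the original article or from any vault provider. The vault is an in-memory stand-in: a real vault encrypts the stored numbers, runs apart from the merchant systems and restricts detokenize() to the systems that submit payments; the card number is the one the article uses.

```python
import secrets

def luhn_valid(pan):
    """Luhn check so that obviously mistyped card numbers never enter the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return 12 <= len(digits) <= 19 and total % 10 == 0

def mask_pan(pan, first=6, last=4):
    """Display form of a PAN: never more than the first six and last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    first, last = min(first, 6), min(last, 4)   # ceiling holds whatever is asked for
    if first + last >= len(digits):
        raise ValueError("masking would reveal the full PAN")
    tail = digits[len(digits) - last:] if last else ""
    return digits[:first] + "*" * (len(digits) - first - last) + tail

class TokenVault:
    """Minimal in-memory token vault (added example, not a real product).

    Assumption: a production vault encrypts stored PANs and limits detokenize()
    to authorised payment systems; only the token/PAN relationship is shown.
    """
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("not a valid card number")
        # Same card, same token: recurring billing can keep reusing it.
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        token = "tok-" + secrets.token_hex(6)   # random, unrelated to the PAN
        while token in self._pan_by_token:       # vanishingly rare collision
            token = "tok-" + secrets.token_hex(6)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token):
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]

    def display(self, token, first=6, last=4):
        """What a merchant screen or receipt may show for this token."""
        return mask_pan(self._pan_by_token[token], first, last)
```

The merchant side keeps only the token and the masked form; the full number exists solely inside the vault.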
20. Use point-to-point encryption.
While tokenization is a good way to secure credit card details at rest, point-to-point encryption helps secure credit card data while it is in transit.
Point-to-point encryption turns credit card details into unreadable code while they are being transmitted. The code can only be deciphered by a person or system that has the correct key. Even if hackers are able to get the code while it is being transmitted, it will be useless to them unless they also have the right key.
Comprehensive information security practices are paramount for today’s payment processors, yet it is becoming increasingly challenging for companies to cover their bases when the threat landscape is continuously evolving. Coupled with tightening regulations, payment processors are under tremendous pressure to maintain robust security for clients and end users. Following these 20 essential tips will help you get on the path to sound information security.