The Top 5 Mistakes Merchants Make That Cause Security Vulnerabilities

From a lack of system maintenance to slow responses to breaches and incidents, merchants tend to make the same mistakes that lead to security vulnerabilities.

And as technology gets more sophisticated, unfortunately, so do the methods fraudsters use to exploit companies’ vulnerabilities. With point-of-sale (POS) breaches and card skimming (where fraudsters steal card information by compromising physical card readers like ATMs) in decline, fraudsters are shifting their attentions to ecommerce. Now with the pandemic having forced more businesses to adopt online sales channels than ever before, these bad actors have struck gold.

Fraudsters will often target businesses’ payment systems, and as we’ve seen with several high-profile breaches, no company is safe—even the largest players are subject to the impacts of fraud. For instance, in 2019, Macy’s experienced a data breach when hackers successfully compromised their online checkout and e-wallet systems.

The key to not falling victim to these security breaches is to be aware of the kinds of fraud being orchestrated against businesses and understand which vulnerabilities play right into fraudsters’ hands. In this blog, we’ll outline common ecommerce security threats, along with the top 5 security mistakes online merchants make that expose them to fraud.‏‏‎ ‎

The most common types of ecommerce security threats

It’s important to know what kinds of security threats you need to be looking out for in order to shore up your defenses and prevent them. Here are three of the most common types of ecommerce security threats:

• Chargeback Fraud: A chargeback is when a card issuer returns funds back to a customer. Chargebacks are designed to protect customers, but they can also be exploited by dishonest buyers to obtain free merchandise. Chargeback fraud occurs when a customer disputes a purchase with their card issuer or bank over claims that are untrue. In these instances, merchants not only have to deal with merchandise and inventory losses, but may need to pay some hefty fees too.

• Credit Card Testing: Credit card testing, also referred to as authorization testing, is when a bot or automated script is used to test lists of illegally obtained credit card information via a merchant’s website. These kinds of attacks can devastate merchants—potentially bankrupting smaller businesses—because they are obligated to pay the authorization fees issued by the card associations whether the purchases go through or not.

• E-Skimming: E-skimming is a type of cyberattack in which hackers hijack an ecommerce store’s checkout page to steal customers’ personal and payment information as they enter it. This can be done by inserting a piece of malicious code into a webpage or by gaining access through a compromised third-party. In this blog, we’ll be especially focusing on how you can prevent this and similar kinds of fraud.

The top 5 mistakes compromising merchant security

The simplest thing you can do to protect your business from payment fraud is avoid the following merchant security mistakes most often exploited by fraudsters. Think about it like you would your own home security—the least you can do to protect yourself and your home is lock your doors. No one can promise that your system will never be breached, but it’s common sense to block and prevent access through known openings so you can instead focus your energy on preventing or mitigating the unexpected.

1. Lack of system maintenance

Out-of-date software opens your B2B ecommerce website up to potential vulnerabilities that hackers can exploit. You’ll want to ensure your website and any SaaS solutions you use to manage ecommerce are being continuously updated. This should inform which ecommerce platform you choose from the outset. Some questions worth asking are: “Is this platform making frequent automatic updates?” and, “What security features does this platform provide?”. We often think of design and ease of customer use when considering ecommerce solutions, but it’s equally important that security play a deciding role.

The best practice: In addition to the built-in monitoring capabilities your ecommerce platform may already have, it’s a good idea to augment your security measures with a dedicated solution that has more robust capabilities for continuously monitoring your site for potential issues. Enabling notifications when specific thresholds are surpassed is critical to stopping fraudsters before it’s too late. In setting this up, you’ll need to make sure the right person on your team is receiving those notifications—if any issues do arise, you’ll want to make sure they’re available and able to address them right away.

2. Lack of password and customer data management

The 2020 Verizon Data Breach Investigations Report found that 37% of instances of credential theft used stolen or weak credentials. Not surprisingly, enforcing the use of strong passwords across your organization is one of the first steps towards protecting your and your customers’ data. Protect your customers’ data even further by only storing the information you need in your system. Opting for a secure payment processor that tokenizes customers’ payment information ensures your team never sees that data, helping you remain compliant with PCI standards (the requirements businesses must follow in managing credit card transactions) and prevent sensitive data from being accessed by fraudsters.

The best practice: Have a policy in place ensuring the use of strong passwords across your business, establishing rules for changing hardware and software default passwords, and restricting access of those credentials to only those who need it. When creating passwords, aim for longer character length, include special characters and numbers, and vary your use of capitalization. The more unique your password, the more secure it is.

According to the PCI Security Standards Council, a password with 12 characters, varied capitalization, one number, and one special character would take as many as 344,000 years to crack, whereas a password with only six characters, no capitalization, no numbers, and no special characters would take just 0.077 seconds to crack.

3. Lack of employee education

Having security software in place is vital but can be rendered useless if your employees aren’t trained on how to follow necessary security protocols. Companies have gotten better at training their team members to recognize potential phishing—the practice of sending emails that appear to be from a reputable sender to obtain personal information—attempts, yet these still account for 22% of security breaches according to Verizon.

The best practice: Phishing attempts have gotten more advanced, often using social engineering to deceive unwitting targets. Make cybersecurity training a standard part of your onboarding process and have employees vigilantly screen emails for the telltale signs of a phishing attack such as spelling and grammatical mistakes, incorrect URLs or email domains, and suspicious requests for money transfers. Have clear processes in place for your customer service team to vet the validity of customer requests asking to make any changes to their account.

4. Third-party vulnerability

Any third-party that has access to your environment can expose you to vulnerabilities. In February of 2021, supermarket giant Kroger experienced a data breach through a security vulnerability in a third-party cloud service the company used, allowing hackers to access sensitive records.

The best practice: For any third-parties you give access to your system, ensure you are setting the appropriate access credentials for them. You’ll also want to regularly monitor these third-party credentials and any plugins or third-party integrations you have. If a service you no longer use still has access to your system, you’ll want to remove them right away. The fewer doors you open into your system, the safer your data will be.

5. Slow response to vulnerabilities and incidents

Often with data breaches, a vulnerability will have existed for some time before it’s exploited. IBM estimates the average time to identify a breach in 2020 was 228 days. Every second counts when it comes to detecting potential vulnerabilities. Once you are aware of a potential vulnerability, it’s important that you address it immediately. A business’ slow response to a breach can not only net them a negative reputation, but also significant fines if not communicated to customers soon enough.

The best practice: The appropriate mentality to have when it comes to security incidents is not if they’ll happen, but when they’ll happen. Your best shot in mitigating the effects of a potential fraud attack is prevention. Have tools in place to continuously monitor your systems and have a dedicated plan of action in case of an incident, including which team members will need to be involved.

Partnering with the right payment processor

Security breaches are difficult to resolve, so it’s critical merchants take preventative measures to minimize risk. By understanding what common ecommerce security threats look like, and which steps to take to avoid vulnerabilities, merchants can better protect their businesses and stop fraudsters in their tracks.

When choosing a payment processor, look for a provider that will act as a true partner to your organization—they should be working with you to put in place controls that will help minimize chances of fraudulent activity.

Partnering with a payment processor that integrates directly with your ERP can also support security priorities by limiting contact of that sensitive data.

To learn more, chat with one of our experts about how you can start securely accepting payments across a variety of channels, with direct integration with your ERP and lower processing costs.‏‏‎ ‎‏‏‎ ‎