Right controls crucial to prevent incidents on Cyber Monday and beyond
This year has seen many more businesses moving online, adopting ecommerce models in an effort to continue to reach their customers as Covid-19 wreaked havoc. While this has opened up markets to hundreds of thousands of new customers, it also has the potential to create vulnerabilities that cybercriminals can exploit.
As November is traditionally the month of sales, including Black Friday and Cyber Monday, we see increased online activity and a corresponding increase in cybercrime activity. In 2020, the model seems to have shifted to a full month of specials and deals online, which makes having the right controls in place to protect customer data, including their payment information, absolutely essential.
Make sure the payment systems are compliant
Customers want the ‘experience’ and have nothing to do with backend systems. It is therefore on businesses to make sure those systems are secure – they carry both the responsibility and the liability to customers.
Aside from the e-commerce platform, which needs to be secure, the payment gateway is crucial. This is especially important at this time of year with increased transactions around Black Friday (or Black November as it has become) and Cyber Monday sales. Payment Card Industry Data Security Standard (PCI DSS) compliance is the minimum standard required, and all payment gateways need to be compliant.
Know the risks
The biggest threat with online transactions is that cybercriminals compromise individual merchant websites, injecting malicious code that intercepts the card data as it is sent to the payment provider. The payment is still forwarded on to the payment provider, so the transaction completes normally and the user is unaware that their details have been intercepted and compromised. This exploit is particularly successful because nobody is aware of the theft of card details until it is too late.
One notable example of this exploit is Claire’s, the accessories company, which confirmed in June 2020 that criminals had intercepted payment card details used on its online store for a number of weeks. The compromised information is generally gathered into a database and then sold on the dark web.
This form of exploitation is also used in targeted, organised attacks by syndicates, who cash out the stolen details either by shopping online or by cloning cards to draw cash or shop in physical stores. These kinds of attacks are performed on a global scale, with simultaneous attacks running in several countries at a time, making them difficult to trace.
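The injection described above is only invisible if nobody checks what scripts the checkout page is actually serving. The following is an added example (not from the article or from any vendor named in it) of the kind of baseline check a merchant can run against its own checkout page: it parses the HTML, collects every external script source and a SHA-256 hash of every inline script, and reports anything that is not in a known-good baseline. The hosts, the baseline and the sample page are all constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sha256_hex(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.external.append(src)
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append(sha256_hex("".join(self._buf)))
            self._buf = None


def find_unexpected_scripts(html, own_host, allowed_hosts, allowed_inline):
    """Return (external script URLs, inline script hashes) absent from the baseline."""
    p = ScriptCollector()
    p.feed(html)
    bad_ext = [s for s in p.external  # a relative src loads from the merchant's own host
               if (urlparse(s).hostname or own_host) not in allowed_hosts]
    bad_inline = [h for h in p.inline if h not in allowed_inline]
    return bad_ext, bad_inline


# Constructed sample: hypothetical hosts, a baseline from a known-good deploy, and one injected pair.
OWN_HOST, ALLOWED_HOSTS = "shop.example", {"shop.example", "gateway.example"}
KNOWN_INLINE = "window.shopConfig = {currency: 'ZAR'};"
ALLOWED_INLINE = {sha256_hex(KNOWN_INLINE)}
INJECTED_SRC = "https://cdn-stat.example/lib.js"
INJECTED_INLINE = "/* not in baseline */ window.__unexpected = 1;"
SAMPLE_HTML = f"""<html><head><script src="/static/checkout.js"></script>
<script src="https://gateway.example/pay.js"></script><script>{KNOWN_INLINE}</script>
<script src="{INJECTED_SRC}"></script><script>{INJECTED_INLINE}</script>
</head><body><form id="card"></form></body></html>"""
```

Run against the real checkout page on a schedule, the two lists are the alert: an empty result means the page still matches the deploy that was last reviewed.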
Make sure you have controls in place
Having PCI DSS compliance is the minimum level of security control that anyone who accepts credit card payments should have in place. It is not a guarantee that there will not be a problem, but it is the first step and provides a certain level of assurance.
All parties involved need to take every necessary step to secure payment data and other sensitive customer data. Compliance with PCI DSS requires that processes are in place to reduce risk, and a compliance audit shows that the parties involved have been checked and validated.
Visa, one of the largest payment brands in South Africa, is putting pressure on retailers and e-commerce businesses to become compliant, as they (and other payment brands like MasterCard) are the ones that ultimately suffer as a result of fraudulent attacks. It is also in the best interest of merchants to be compliant.
In the case of fraud, a forensic investigation is performed, and if the merchant is found liable it will be penalised. However, if the merchant can prove compliance with PCI DSS and show that controls are in place, the likelihood of this happening is reduced.
Be prepared for the abnormal
Being PCI DSS compliant is necessary from a credibility point of view and also for making sure that you have met the minimum control requirements. Online businesses also need to be prepared for abnormal activities, especially as transaction volumes increase at certain times of the year.
Having the right processes in place to identify and deal with potential incidents is key. This ensures you can detect and stop an incident and be back up and running as quickly as possible, so you do not lose business and can keep trading.