Strategy to address risks of cyber fraud to merchants
Cyber crime has been on the increase in recent years. Incidents range from deliberate, targeted attacks to automated, opportunistic harvesting of sensitive information.
Any site with a computer network is exposed to some degree of cyber attack risk. In most cases the object of such attacks is to obtain confidential information for the dishonest gain of the attacker, usually to the disadvantage of the attacked party. Attacks can be carried out by a variety of instigators, such as disgruntled employees or ex-employees, professional hackers, or malicious software.
The article deals with this very topical issue and in the words of Erik van As, Product Development and Strategy Officer at Spinnaker Software, "it is critical for merchants to take note of this real threat to retail business today. We as a company invested time and resources to design solutions to proactively mitigate these threats, to protect our clients."
Card fraud and EFT
Merchants who facilitate card payments by means of integrated EFT solutions are especially at risk, because card information might be processed or stored on devices on their network. If fraudsters obtain this information in a data breach, the merchant faces potentially high financial penalties as well as reputational damage.
Possibly the most costly criminal cyber activity is card (payment) fraud, specifically card-not-present (CNP) transactions. A CNP transaction is one where a consumer enters card information online to facilitate payment (for airline tickets, for example). Fraudsters use card information such as the card number and CVV printed on the card itself (and also encoded on the card's magnetic stripe) to make online payments of this kind. The South African Banking Risk Information Centre (SABRIC) reports a 12.6% increase in CNP fraud, from R168.1 million in 2014 to R189.2 million in 2015.
Says Van As: "To help our clients mitigate this risk, Spinnaker has worked closely with our card payment service providers to design solutions which isolate the card payment environment (CPE) from the rest of the network. This segmented solution, which has been implemented as standard practice since 2014, places the entire CPE on a separate network from your existing store environment, thus reducing the risk of cyber attacks."
It is strongly advised that all clients with integrated EFT ensure that they make use of such a segmented solution.
There are various connection options, with differing degrees of security risk, when choosing remote access to a store, and it is important that the client takes these risks into account when opting for one connection over another.
Because of the growing threat of cyber attacks, Spinnaker has made available a secure connection option. With this secure connection in place at a client site, Spinnaker adds an extra level of authentication: the store will only allow a remote connection if it is authenticated by, and originates from, a known source, further protecting the client from cyber attacks. At the moment, this option is only available if the client makes use of a compatible router.
In light of the above considerations, Spinnaker's recommendations are, in summary, as follows:
* Card fraud - if your site makes use of integrated EFT, ensure that the segmented card payment solution is implemented.
* Remote access - if at all possible, make use of an ADSL Internet connection with a recommended router so that remote support can be carried out via a secure channel.
* Site configuration - limit the number of people who can make changes to your site configuration to those who are genuinely competent and trusted.