Given this continued climb in the number of digital shoppers, the need for Irish businesses to remain vigilant online with their security software and systems is as important as ever against the threat of cybercrime. While the 3DS2 protocol has increased online payment security, there are other threats you must be aware of.
3DS2 & Strong Customer Authentication
The 3DS2 protocol reduces the risk of online fraud and makes payments more secure as businesses and their payment provider are submitting additional data in each transaction to the cardholder’s bank (the issuer).
When the bank determines that the cardholder is the genuine transactor because the submitted data matches what the bank requires, the transaction can continue on a “frictionless” flow and will not need user input.
While some transactions will require an extra authentication step from the cardholder to ensure the purchase is genuine, the protocol also allows frictionless processing through the use of exemptions, where the Strong Customer Authentication (SCA) challenge is bypassed.
If a transaction is enabled with 3DS2, liability for fraudulent transactions lies with the issuer, as they deemed the transaction to be legitimate. If a transaction is “not enabled” and is successful, the liability remains with the merchant. However, merchants can also avail of exemptions to increase the number of transactions not requiring additional input from the cardholder, but this can shift some liability back to them depending on the circumstances.
Check out our FAQ guide on 3DS2 and SCA for an informed overview of how they work to protect your business and customers, while keeping online payments as frictionless as possible.
Protecting your online systems and data
Unauthorised access to your online shopping systems can lead to major business disruption, financial losses and reputational damage, including the withdrawal of your payment facility by the card scheme(s) and card scheme fines of up to €20 for each individual compromised cardholder account.
Given the very tangible impact an online breach can have on a business’ finances and reputation, online fraud prevention is better and far less costly than seeking cybercrime cures. Below we have highlighted some of the potential threats and preventative measures you can take to keep your online business safe from hackers.
Threat: Weak and infrequently updated passwords pose a cybercrime risk
Weak passwords still remain an easy target for hackers looking to breach online platforms and software. Data and systems should never be protected with passwords that can be guessed easily like family names, favourite sporting teams or musicians.
Obvious number sequences, like 123456, and words made up of letters immediately adjacent to one another on a keyboard still remain popular password options that can leave businesses exposed. Reusing the same password for a multitude of uses and not updating your passwords only heightens vulnerabilities.
Prevention: Make sure staff, devices and operational software use strong and regularly updated passwords.
Ideally passwords should be 12-15 characters long, consisting of a seemingly random collection of uppercase and lowercase letters, numbers and special characters, like punctuation.
These passwords should be changed a minimum of every 30 days, with regular reviews of staff access and permission levels, as well as deletion of accounts that are no longer required.
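The password rules above can be enforced at account creation rather than left to staff discretion. The following is an added example (not code from the original article or its publisher) of a policy checker that applies the article's rules: a minimum length of 12 characters (no upper cap is imposed here, which is a choice made for this example), all four character classes, rejection of obvious sequences such as 123456 and of runs of keys that sit next to each other on a keyboard, a denylist standing in for family names, teams and musicians, and a reuse check against previous password hashes. The denylist, the keyboard rows and the sample passwords are constructed for the example.

```python
import hashlib
import string

# Keyboard rows used to detect "adjacent key" passwords such as qwerty or asdfgh.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed denylist standing in for family names, sporting teams and musicians;
# a real deployment would load a far larger list.
DENYLIST = {"smith", "murphy", "liverpool", "beyonce", "password", "dublin"}

MIN_LENGTH = 12      # the article's lower bound of 12 characters
SEQUENCE_RUN = 4     # runs this long of adjacent or consecutive characters are rejected


def hash_password(pw: str) -> str:
    """Hash used only for the reuse check in this example; a real system would
    store slow, salted hashes (e.g. bcrypt/argon2) rather than plain SHA-256."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _has_keyboard_run(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if pw contains `run` characters that sit side by side on a keyboard row,
    in either direction (qwer, rewq, 7890, 0987)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in low:
                    return True
    return False


def _has_consecutive_run(pw: str, run: int = SEQUENCE_RUN) -> bool:
    """True if pw contains `run` characters whose code points step by +1 or -1 (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, previous_hashes=()) -> list:
    """Return the list of policy failures for pw; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    has_all_classes = all([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if not has_all_classes:
        failures.append("must mix upper case, lower case, digits and punctuation")
    if _has_consecutive_run(pw):
        failures.append("contains an obvious sequence such as 1234 or abcd")
    if _has_keyboard_run(pw):
        failures.append("contains adjacent keyboard keys such as qwer")
    low = pw.lower()
    for word in sorted(DENYLIST):
        if word in low:
            failures.append(f"contains denylisted word '{word}'")
    if hash_password(pw) in previous_hashes:
        failures.append("reuses a previous password")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: a weak password and a policy-compliant one.
    for candidate in ("Murphy2024!x", "Vx7!mR2#qL9&pT4"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker returns every failure rather than stopping at the first, so the feedback shown to staff explains exactly why a password was refused; the reuse check expects the hashes of the account's previous passwords, which your user store would supply.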
Threat: Ransomware and Malware attacks can cause serious damage
Malware and ransomware (where hackers demand a fee) are on the rise and can bring your business to a halt by preventing access to computer files, systems and networks, or through the loss, theft or compromise of customer, payment and business data, leading to major business disruption and losses.
Prevention: Run the latest anti-virus / anti-malware software on your eCommerce platform
Along with making sure your anti-virus / anti-malware software is running properly, you should also ensure that you or your web-hosting provider have implemented a web application firewall (WAF) or additional intrusion-detection technologies.
The data transferred between your customer's browser and your website's server should always be encrypted using TLS, with a valid certificate from a trusted certificate authority.
Threat: Delaying the installation of security and software patches
Delaying patches may be exposing your business to an increased risk of intrusion, fraud, financial losses and reputational damage. Criminals rely on complacency and delays, so make it a priority to stay up to date.
Prevention: Make sure the latest software and security patches are installed as soon as they are available
Software and security patches, including ones for your shopping cart, will protect you from online attackers who would otherwise take advantage of system vulnerabilities. If you, rather than a third-party vendor, are responsible for applying security patches, it's recommended to apply updates from trusted network locations (e.g. home, work) and to download installers only from trusted vendor sites.
Do not trust a link in an email message—attackers have used email messages to direct users to websites hosting malicious files disguised as legitimate updates. Be vigilant with email messages claiming to have a software update file attached—these attachments may contain malware.
Threat: False links divert online shoppers to fake payment pages
Fraudsters can steal your revenue by creating fake payment pages and diverting your customers using false links.
Prevention: Review all website links to prevent online fraud
Regularly review all links (such as URLs, iFrames, APIs etc.) from your website to the payment gateway to confirm they have not been altered to redirect customers to unauthorised locations.
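A link review of this kind can be scripted so it runs after every deployment instead of relying on someone eyeballing the checkout page. The following is an added example (not code from the original article or its publisher) that parses a checkout page with Python's standard-library HTML parser, collects every anchor, iframe, script, stylesheet and form-action reference, resolves it against the site's own base URL and reports anything that is not HTTPS or that points at a host outside an allowlist of your own domain and your payment gateway's. The site base, the allowlisted hosts and the sample checkout HTML (which includes a lookalike gateway host and a plain-HTTP script) are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed for this example: your own storefront and your payment gateway's host.
SITE_BASE = "https://shop.example.ie/"
ALLOWED_HOSTS = {"shop.example.ie", "pay.gateway-example.com"}

# Which attribute carries the outbound reference for each element type that can
# send a customer, or the customer's browser, somewhere else.
REF_ATTRS = {"a": "href", "iframe": "src", "script": "src", "form": "action", "link": "href"}

# Constructed sample checkout page: one legitimate gateway form, one iframe that has
# been altered to a lookalike host, one internal link and one non-HTTPS script.
SAMPLE_CHECKOUT = """
<html><body>
<form action="https://pay.gateway-example.com/checkout"><button>Pay</button></form>
<iframe src="https://pay.gateway-examp1e.com/frame"></iframe>
<a href="/basket">Back to basket</a>
<script src="http://cdn.shop.example.ie/checkout.js"></script>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (tag, raw_url) pairs for every element listed in REF_ATTRS."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = REF_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def review_links(html: str, base: str = SITE_BASE, allowed=ALLOWED_HOSTS) -> list:
    """Return (tag, resolved_url, reason) for every reference that is not HTTPS
    or that resolves to a host outside the allowlist."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.refs:
        url = urljoin(base, raw.strip())      # relative links resolve to our own host
        parts = urlsplit(url)
        if parts.scheme in ("mailto", "tel"):
            continue                           # not navigation targets
        if parts.scheme != "https":
            findings.append((tag, url, "not https"))
        elif parts.hostname not in allowed:
            findings.append((tag, url, f"host {parts.hostname} not in allowlist"))
    return findings


if __name__ == "__main__":
    for tag, url, reason in review_links(SAMPLE_CHECKOUT):
        print(f"{tag:7} {url}  <- {reason}")
```

Run it against the HTML your server actually serves (fetched with the same headers a customer's browser sends), not against the template in source control, since a compromise of the hosting environment shows up only in the served page. Because an altered link is an unauthorised change rather than a bug, any finding should be treated as a potential incident and raised with your web host and payment provider.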
Threat: Having your business information available to too many employees and third parties
The risk of fraud from an individual with too much or unnecessary access to your business' confidential information and/or systems weakens your defences against online fraud. By accident or design, confidential information or access to your systems could be shared with malicious parties.
Prevention: Divide out duties, regulate access and implement training
For people managing your IT environment, especially business-critical systems / infrastructure, regulating their access according to the role or task they're responsible for can minimise the risk of fraud by any individual and lessen the potential for that person to become a target for fraudsters.
Give each person the minimum level of system access needed for their job or duties (the ‘least privilege principle’) to limit access to confidential information. Should an employee, contractor or third-party vendor become compromised, the impact will be more limited, as you don't have all your eggs in one basket.
Monitor, track and restrict access to sensitive payment data and critical IT systems / infrastructure, and make sure processes, logs and audit trails are in place to enhance traceability.
Cybersecurity training will help all staff become aware of the purpose and benefits of this approach, as well as supporting them in using systems securely and following defined procedures. Training should also include temporary staff and should make everyone aware of potential security threats and of the appropriate action to take in the event of a suspected breach.
Trusted Third Parties
Online businesses must ensure all of the components and features on their eCommerce website are identified and properly secured or managed by relevant third party providers.
Selecting reputable, trusted third parties to support your eCommerce solution with valid TLS certificates, as well as the most current software upgrades and security patches, is important in enhancing the security of your eCommerce website and associated software. Making sure the following points are included in your contract with them helps galvanise your business' online security:
- use the latest version of all software and security patches that meet the latest IT security standards
- ensure your web host provider monitors for any attempted or unauthorised changes to your home page content and will react immediately if something is detected
- use 2-step verification for remote access by any connected third party