NCSAM: 10 tips for fighting credit card theft and fraud
by Steve Ragan - Oct 5 2011, 11:00
3Delta Systems, a Level-3 B2B (business-to-business) credit card processing vendor known for tokenization, has offered up 10 tips on preventing credit card fraud and theft in honor of National Cyber Security Awareness Month.
When payment or credit fraud hits a small business, the damage can be devastating. Criminals have a built-in advantage when it comes to compromising data. They think day and night about how to invent and execute a clever attack, and they gravitate to pathways that offer the least resistance for the greatest payoff.
Payment fraud can also strike close to home. A disgruntled employee with high-level access to internal financial systems and passwords could compromise the security of an entire organization.
“Given the ingenuity of cyber criminals and the sheer volume of electronic business-to-business (B2B) payment transactions, someone - somewhere - will inevitably break through your company's front-end access control and authentication safeguards,” said Aaron Bills, founder and chief operating officer of 3Delta Systems.
“A sound business payment security system shouldn't merely detect intrusions. It should also plan for 'graceful failure' - a strategy that assumes, if one safeguard fails and a perpetrator gains access to one part of your computer network, other countermeasures will be in place to contain the attack, render it less harmful or lock down confidential data so it's worthless to hackers.”
With that said, here are the ten things organizations should get into the habit of doing.
The Best Defense is a Multilayered Offense.
Assume your company’s computer systems will be compromised at some point and plan for it.
Form an Internal SWAT Team.
To prevent a toxic data spill, assemble an internal “hazmat” team that thinks and works strategically to prevent and deter attacks rather than just detect them. Establish policies that address your company’s information security requirements and processes, then share those policies with employees, suppliers and vendors so that everyone understands one another’s goals, requirements and capabilities.
Use Your Head.
An alert mind is often the best defense against fraud.
Train administrators and other users of your payment system to keep an eye out for "things that don't belong" – unexpected account usage, for example – and to sound an alert in case of anomalies. Limit employee access to confidential cardholder data, since there's usually very little need for most company personnel to see or handle that data.
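The two controls in this tip, limiting who may touch cardholder data and alerting on account usage that "doesn't belong", can be checked mechanically against an access audit trail. The following is an added example, not code from the article or from 3Delta Systems; the roles, the log format and the log lines are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed role policy: only billing administrators may read full card data.
ROLE_CAN_VIEW_PAN = {"billing_admin": True, "support": False, "sales": False}

# Constructed audit lines for one business day: "timestamp user role action record_id".
SAMPLE_LOG = """\
2011-10-05T09:12:00 alice billing_admin view_pan 1001
2011-10-05T09:15:00 bob support view_pan 1002
2011-10-05T02:40:00 alice billing_admin view_pan 1003
2011-10-05T10:00:00 carol sales export_pan 1004
2011-10-05T10:01:00 alice billing_admin view_pan 1005
2011-10-05T10:02:00 alice billing_admin view_pan 1006"""

CARDHOLDER_ACTIONS = {"view_pan", "export_pan"}


def parse(line):
    ts, user, role, action, record = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "action": action, "record": record}


def review(log_text, business_hours=(8, 18), daily_limit=3):
    """Return (user, reason) alerts for access that a reviewer should look at.

    Three rules: a role that is not permitted to see card data, access outside
    business hours, and a user exceeding the expected daily volume (limit is a
    constructed threshold; tune it to the real baseline of the account).
    """
    alerts = []
    per_user = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e["action"] not in CARDHOLDER_ACTIONS:
            continue
        if not ROLE_CAN_VIEW_PAN.get(e["role"], False):
            alerts.append((e["user"], "role not permitted to access cardholder data"))
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            alerts.append((e["user"], "cardholder data access outside business hours"))
        per_user[e["user"]] += 1
        if per_user[e["user"]] == daily_limit + 1:
            alerts.append((e["user"], "daily cardholder data access volume exceeded"))
    return alerts
```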
Lock Down System Gateways and Endpoints.
Protecting against malicious viruses, malware and spyware infections is often the first line of defense against a security breach. Your network architecture and PCs should be scanned frequently for vulnerabilities, every transaction point where payment information is exchanged should be scrutinized, and all payment data flows and touch points should be documented and secured.
Install antivirus and antispyware software from trusted sources and keep them updated with the latest patches. Automatically scan any flash drives or external hardware that connect to your network for viruses or malware. Never turn off your firewall, and have business policies in place for regular firewall maintenance. Use strong passwords and change them routinely.
When deciding on technologies for payment processing, be fluent in privacy protection as well as the 12 credit card protection and compliance requirements under the Payment Card Industry Data Security Standards (PCI DSS).
Stopping cyber crime begins and ends with individual computers and their users. Ensure all employees, contract personnel and business partners know your company’s fraud policies, practices and fraud-response processes.
Adopt Industry Safeguards.
The major U.S. credit card companies developed the PCI standards as guidelines to help merchants, vendors, service providers and banks that collect, process and store credit card data protect it from being stolen or compromised. Becoming PCI-certified doesn't magically shield a business from losing data or provide impenetrable security against hackers or malware. But the standards have proven to be an excellent roadmap for data security best practices.
Don’t Collect What You Can’t Protect.
One of the safest practices for businesses that process credit card data is so obvious it is often overlooked: eliminating the storage of that data altogether. No data stored = less risk. Unless it’s absolutely necessary to retain payment or cardholder data, don’t. Because every point at which credit card data is handled must be secured, conforming with PCI rules as well as building and defending one’s own data fortress can be extraordinarily difficult and prohibitively expensive.
Change the Target.
Tokenization is one of the best strategic weapons for protecting financial data. This process safely replaces a customer’s real 16-digit credit card number or bank account data with a randomly generated string of characters called a token, which is useless to would-be hackers.
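The previous two tips go together: the merchant keeps only a token and the last four digits, and the mapping back to the real card number lives in a separate vault. The following is an added example of that pattern, not code from the article or from 3Delta Systems; the in-memory vault, the token format and the test card number are constructed for illustration (a production vault sits with the tokenization provider, outside the merchant's systems).

```python
import re
import secrets

# Constructed vault: token -> card number. Only this store can reverse a token.
_VAULT = {}
_TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9_-]{22}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed numbers are rejected before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Replace a card number with a random token that carries no card data.

    The token is drawn from the OS CSPRNG and is not derived from the PAN, so
    it cannot be reversed without the vault. Tokenizing the same PAN twice
    yields two unrelated tokens.
    """
    pan = pan.replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("not a valid card number")
    token = "tok_" + secrets.token_urlsafe(16)   # 16 random bytes -> 22 chars
    _VAULT[token] = pan
    return token


def detokenize(token: str) -> str:
    """Only the vault side ever calls this, e.g. when submitting the charge."""
    if not _TOKEN_RE.match(token):
        raise ValueError("malformed token")
    return _VAULT[token]


def charge_record(customer: str, pan: str, amount_cents: int) -> dict:
    """What the merchant's own database stores: token and last four, never the PAN."""
    token = tokenize(pan)
    return {"customer": customer, "token": token,
            "last4": pan.replace(" ", "")[-4:], "amount_cents": amount_cents}
```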
Do Your Outsourcing Homework.
When choosing an outside payment system or data security vendor, make sure they have deep security capabilities and a like-minded business focus. If card-based, check that they’re PCI-compliant, are audited every year by an independent third party and are Tier-1 certified.