Payment Security Threats Are A Real Issue For Modern Business
Security threats when taking payments remotely is a real issue for today’s retail and service providers, these threats are a major factor in costly data breaches. According to Carbon Black, up to 88% of UK based companies have experienced data breaches in the last 12 months, which has led to an average of £2.92 million per breach in costs for UK firms.
Understanding threats and how to minimise them is the best way to avoid becoming a victim of fraudulent breaches.
Below we have highlighted the top 5 security threats when taking payments remotely.
1. CNP Fraud – Card Not Present Transactions
In the UK, Card Not Present fraud accounted for £470.2 million in 2019 and it equates to around 76% of the total value of card fraud. Therefore, based on these statistics, it is clearly the biggest threat when taking payments remotely. But what exactly causes it to happen?
Card not present fraud (CNP) is a type of fraud that is made via online transactions, telephone, or mail. It is a mode of payment in situations where the physical card is not presented to the point-of-sale individual for a visual check. Typically, this type of fraud happens after a payment card, or the information contained on the card has been stolen or purchased on the dark web.
2. Fraudulent Agents
This type of fraud is often driven by agents who are incentivised or intimidated into passing on sensitive information to organised crime groups. Monetised theft of data is a growing problem, where criminals sell the data on places like the dark web rather than use it directly themselves. The transfer of card data is becoming easier and easier and with it comes the continued growth of stolen payment card information.
The risk from fraudulent or rogue agents is apparent from both current and ex-employees, who have been fired or left a company. Using an example from the US, the FBI attributes 90% of all fraud crimes to be committed by internal employees. This is because the employees have access to an incredible amount of data. If an employee becomes disgruntled, they may choose to exploit their access for malicious reasons, or alternatively, if an employee is about to be let go, they may become complacent and reduce the level of security in their final days at the company.
3. IT Security Updates
Weaknesses in payment systems can occur when the latest security patches and updates are not applied. In addition to simply updating, it is important that IT teams are testing the card payment environment to make sure that there are no new failings caused by conflicts between different applications.
Attackers of data are likely to take advantage of software and applied technology within a company. This is why it is imperative that businesses stay up to date with software patches to close potential security flaws and backdoors.
Implementing a security program should address the need for staying up to date, and this should include a regular scan of internal applications in order to keep the security level high. Unfortunately, many people view the process of updating applications as a tedious and hindering task or simply do not have the time or budget available. This can often lead to essential maintenance being delayed, by which time it is possible fraudsters have taken advantage of a weakness in the system.
4. Audible Phone Security
This applies to when a customer reads out their card details, something we have all done when making a payment by phone. But have we considered our surroundings when doing this, is it secure? It’s important to be aware that someone could be around who would readily copy this sensitive information to use themselves or sell online. There is also a problem with how the payment is being taken on the agent’s side, is this secure as well? For example, if paying over the phone, if the person reads back the number to you to make sure it is correct, someone else could overhear your card details. While this can be limited in a secured environment of a call centre, would it be the same on a shop floor of a furniture retailer or even when calling for a favourite local takeaway?
Some businesses will use a method called ‘Pause and Resume’ where the phone line will be paused while you enter your card details. This means that nobody can hear or access a recording of your payment details and therefore this reduces the risk of fraud. However, while Pause & Resume is reasonably easy to implement, when used alone it will not make you PCI DSS compliant. The Pause & Resume method does stop the sensitive data from being heard or recorded, it does not secure the data and can be unreliable. For example, if the agent is required to manually pause the recording this is not PCI DSS compliant, and if the automated system mistimes the pause or resume it will immediately breach PCI DSS compliance.
5. Compliance Complexity
Compliance requirements are constantly changing, and therefore it is becoming more difficult for businesses to make sure that they are being fully compliant over time. This can lead to businesses constantly needing to make changes, and constant changes can easily lead to loopholes and cracks being formed in the processes currently being run.
Compliance has become even more difficult now that many businesses are moving towards a hybrid working environment, which opens potential weaknesses in fraud compliance frameworks when agents can be off-site such as homeworking.
The management of PCI DSS compliance for a business and its payment processing systems can potentially seem more complex and daunting than it needs to be. Fortunately, PayGuard®’s technology can resolve the headaches of implementing and keeping on top of regulations. Even helping your business to take payments all the way to Level 1 in PCI Compliance. By implementing PayGuard®’s technology, it significantly reduces the scope for fraud and data breaches, as well as helps protect your staff.
You can find out more on how PayGuard® works here, or contact us for a no obligation chat below…
Want To Know More
We are friendly people and experts in payments, so feel free to get in touch and have a no obligation chat about your situation.