Protect against payment processing cyberthreats

Mike Corbera
President, RevoPay

The statistics do not lie. A quarter of Americans believe that they were victims of cybertheft. This has led many to fear being further exposed to cybertheft, identity theft and personal privacy breaches more than their own personal safety. Because of this, many people are skeptical of payment processing systems. There is no way to be perfectly risk-free, but payment processing, in particular, comes with a few inherent security risks. Many retailers overlook these risks when offering such services. If you want to offer online payment processing, you must take steps to alleviate these risks and to ensure the safety of your customers or tenants.

Your company should take cybersecurity seriously. Identity theft happens to over 15 million people every year with no signs of stopping. Not dealing with the problem can cost you more than just money. Security breaches can ruin your reputation and push away your customers. A recent study noted that over 20 percent – one fifth – of customers would cease doing business with a business targeted by a cyberattack. Talking about security is never enough; you must understand your risks before you can secure your payment processing solution.

New attacks happen daily. On top of that, the cybersecurity landscape grows more complex with each attack. Cybercriminals constantly invent new attack vectors, forcing cybersecurity professionals to create new protections. Both parties go back and forth, ensuring that you always carry some cybersecurity risk. Thus, you need an extensive and robust cybersecurity program in place to cover all your bases.

Be diligent in checking third-party vendor security risks. When your company’s reputation is on the line, you want to ensure your entire network is secure. However, most companies still overlook a few key components. One of these is the risk that comes through your payment processing vendor.

As you process payments, your firm handles lots of sensitive information about your customers/tenants, including documents that can personally identify them as well as the payment transaction. On a good day, you could be handling millions of credit card numbers, social security numbers and other account credentials.

Security breaches can come from even the smallest vulnerability. Recently, an insurance company found itself paying a $5 million settlement because its payment vendor failed to apply a security patch that would have prevented hackers from accessing the customer data.

Thus, you want a processing provider that is as serious about cybersecurity as you are. Comprehensive cyber risk mitigation requires evaluating the security programs of every vendor that might handle your sensitive information, in particular your point-of-sale and processing providers. You also should never trust your primary contact to do it for you.

The first thing you should do is ask to see your vendors’ security certifications. For instance, the Payment Card Industry Security Standards certification ensures that there is adequate protection for sensitive payment card information. Service Organization Control 1 and 2 compliance ensures adequate financial, operational and compliance controls, while NACHA certification secures automated clearinghouse payments.

Other best practices include:

  • Demand proof that your vendors have completed several penetration tests and vulnerability scans, and ask to see the results.
  • Provide annual security questionnaires to ensure their systems remain as secure as possible.
  • Have an outside specialist perform an on-site security assessment as a condition for doing business, and then ask for a copy of the results.
  • Evaluate the vendor’s business continuity and disaster recovery strategy.

You also should ask your vendors what cybersecurity investments they have made to ensure your data will always be protected and available, even during a disaster.

Keep mobile apps secure. More and more people access and pay for their products and services through online portals and mobile apps.

While companies have made sure their apps are user-friendly enough to let their customers use their services on the go, these efforts may inadvertently introduce security vulnerabilities that can lead to security breaches. According to a recent study, the problem is so bad that every mobile app that allows the user to make a payment has security holes.

It does not need to be this way. You can make sure that your app is up to date with best practices concerning encryption, certificates, access management and other cybersecurity features.

Adequate DDoS protection. Everyone knows about distributed denial-of-service attacks. Hackers DDoS a network to bring it offline. Such attacks may be acts of aggression or sabotage, a distraction from another attack vector, or leverage for blackmail against the network owner.

While this cybersecurity risk factor looms for any company with an online presence, many risk professionals have come to accept it as inevitable. Still, there are ways to minimize the effect on your payment system.

For instance, you can use a vendor that hosts its processing network in the cloud. Cloud hosting reduces the impact of DDoS attacks by scaling resources to absorb the attack traffic.

Making the right investment. With today’s increased cybersecurity risks, a lot is riding on the security measures you have in place while processing your customers’ payments. It might feel impossible to deal with every threat, but with the right precautions you can ensure your customers can rest easy knowing that their information remains safe in every transaction.

Featured in CREJ’s January 2019 Property Management Quarterly

Edited by the Colorado Real Estate Journal staff.