Safeguard Your Gold Mine From Cyber Theft
Identity theft is one of the fastest-growing crimes in America, affecting hundreds of thousands of consumers every year. As an online merchant, you’re more susceptible than ever to becoming an unwitting accomplice to this crime by being the target of spoofing: a practice in which fraudsters imitate your Web site or e-mail, or otherwise pass themselves off as your company.
Moreover, by inadequately protecting your customers’ personally identifiable information (PII) and credit card numbers from cyber-thieves, you may be unknowingly contributing to the alarming rise in consumer identity theft in this country.
In the following article, I’ll focus on ways you can reduce your chances of being spoofed and improve your data-protection practices.
Your Database is a Treasured Commodity
As noted above, copycat Web sites and bogus e-mail links are among the latest methods criminals use to gain access to your customers’ credit card numbers and other PII.
Even mega-merchants aren’t immune to such scams. Last summer, Best Buy customers received e-mails about a supposed security breach asking them to supply vital PII, including credit card information and Social Security numbers. The e-mail’s link sent them to a phony, look-alike Web site, where the fraudsters captured whatever was entered.
As an online merchant, your customer database is a virtual gold mine to online criminals, supplying them with passwords, credit card numbers and other consumer PII. Credit card numbers and related data are, in fact, openly bought and sold by cyber-thieves on the Internet.
As a merchant, you have the means to protect yourself against compromises to your corporate identity, as well as the ability to safeguard your customers against online fraudulent transactions. The necessary steps involve implementing tools to combat fraud and utilizing some best business practices.
Follow These Guidelines
1. Visa’s Cardholder Information Security Program (CISP) is a good place to begin. CISP’s goal is to help regulate the security of Web sites and to protect cardholder information from being compromised.
In addition to best practices, Visa eventually will audit Internet merchants, gateways and acquirers to ensure compliance. It’s important to note here that non-compliant merchants most likely will face fines.
CISP’s security recommendations are as follows:
> To protect your catalog’s data that’s accessible via the Internet, install and maintain a working network firewall.
> Keep your company’s security patches up to date.
> Encrypt both your stored data that’s accessible from the Internet and data sent across public networks.
> Utilize and regularly update your anti-virus software.
> Restrict access to company data only to those who absolutely must have it.
> Assign a unique user ID to each person who has computer access to your data, and have your IT department keep careful logs of who accesses those data stores and when, so that every action can be traced to one individual.
> Avoid using vendor-supplied defaults for system passwords and other security parameters.
> Regularly test your IT department’s security systems and processes.
Visa offers two additional guidelines that address administrative and physical security issues:
> Develop and maintain a strict policy that addresses information security for employees and contractors.
> Restrict the physical access to your customers’ credit card information.
2. Look for a credit card processor that conforms to standards set by the Office of the Comptroller of the Currency (OCC). The OCC regulates the banking industry by conducting frequent audits and enforcing standards that keep banks on the cutting-edge of fraud-avoidance technology and best practices. This means a credit card processor that’s part of a bank must conform to the most recent fraud-prevention practices.
3. Employ verification methods when taking payment information from customers, and store only what you must, in a form that isn’t useful to fraudsters if the database is compromised.
> The card verification code, which the card brands call CVV2, CVC2 or CID and which is referred to here as the Card Verification Method (CVM), is the three- or four-digit number printed (not embossed) on the card by the issuer. Collecting it helps ensure that the buyer has the physical card in hand when making a purchase.
Merchants are not supposed to store CVM codes in their databases, yet some do: this year, in fact, a compromised merchant’s database containing CVM codes was posted on the Internet. Use the code in the authorization request, then discard it.
> The Address Verification System (AVS) checks the billing street address and ZIP code you submit with the authorization against those on file at the cardholder’s issuing bank and returns a match code. Used consistently, it can reduce fraud rates by as much as 4 percent.
4. Instruct your contact center reps who take billing information from consumers to do the following:
> Don’t use the phrase “billing address.” Rather, use the phrase “credit card billing address.” Why? When using AVS, the credit card billing address is the address that’s verified. Therefore, you want to be sure this is the address being captured in the database.
> Verify in your integration that the customer’s street address and ZIP code fields are mapped correctly to your payment software. Again, this relates to AVS: the address you submit with the payment data is the address that gets verified, so the fields in your payment database must map correctly to the acquirer’s, and in turn the processor’s, specifications for AVS.
5. And in your contact center software:
> Use separate fields for city, state and ZIP. If this information is captured in one field, most likely it must be parsed for the acquirer and processor.
> Ensure when the country is the United States that the ZIP code field accepts only a five-digit numeric value. For ZIP +4, have a second field for the +4.
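The following script, added here as an illustration and not taken from First National Merchant Solutions or any processor, pulls items 3 through 5 together: it splits a legacy combined “City, ST ZIP” field into the separate values an acquirer expects, enforces a five-digit ZIP with the +4 in its own field, maps the billing address onto the AVS fields of an authorization request, and refuses to write a verification code into the order record. The field names, the combined-field format and the sample order are constructed assumptions.

```python
"""Capture credit-card billing data for AVS and build the order record that
goes to the database without the card verification code.  Added illustration,
not any processor's API: the field names, the combined "City, ST ZIP" input
format and the sample order below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed shape of a legacy single field: "Omaha, NE 68102" or "Omaha, NE 68102-1234"
COMBINED_RE = re.compile(
    r"^\s*(?P<city>[^,]+?)\s*,\s*(?P<state>[A-Za-z]{2})\s+"
    r"(?P<zip5>\d{5})(?:-(?P<zip4>\d{4}))?\s*$"
)
# Keys under which a verification code might arrive; none of them may be persisted.
FORBIDDEN_AT_REST = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_verification"}


class PaymentDataError(ValueError):
    """Raised when billing data is malformed or must not be stored."""


@dataclass(frozen=True)
class BillingAddress:
    """Credit card billing address, already split into separate fields."""
    street: str
    city: str
    state: str
    zip5: str
    zip4: Optional[str] = None


def validate_us_zip(zip5: str, zip4: Optional[str] = None) -> None:
    """Five numeric digits for the ZIP; the +4 suffix, if given, is its own four-digit field."""
    if not re.fullmatch(r"\d{5}", zip5):
        raise PaymentDataError(f"ZIP must be exactly five digits: {zip5!r}")
    if zip4 is not None and not re.fullmatch(r"\d{4}", zip4):
        raise PaymentDataError(f"ZIP+4 suffix must be four digits: {zip4!r}")


def split_city_state_zip(combined: str) -> Tuple[str, str, str, Optional[str]]:
    """Parse a combined city/state/ZIP field into the separate values the acquirer needs."""
    m = COMBINED_RE.match(combined)
    if not m:
        raise PaymentDataError(f"cannot parse city/state/ZIP: {combined!r}")
    validate_us_zip(m["zip5"], m["zip4"])
    return m["city"], m["state"].upper(), m["zip5"], m["zip4"]


def avs_request_fields(addr: BillingAddress) -> dict:
    """Map the billing address onto the (assumed) AVS fields of the authorization request.
    AVS compares the street address and the five-digit ZIP; city, state and the +4 are
    not part of the match, so only street and zip5 are sent."""
    validate_us_zip(addr.zip5, addr.zip4)
    return {"avs_street": addr.street, "avs_zip": addr.zip5}


def order_record(order_id: str, card: dict, addr: BillingAddress) -> dict:
    """Build the record that is written to the database after authorization.
    The verification code is used once in the authorization request and is refused
    here; the card number is kept only as its last four digits in this example."""
    present = FORBIDDEN_AT_REST & {k.lower() for k in card}
    if present:
        raise PaymentDataError(f"refusing to store verification code field(s): {sorted(present)}")
    pan = card["pan"].replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise PaymentDataError("malformed card number")
    validate_us_zip(addr.zip5, addr.zip4)
    return {
        "order_id": order_id,
        "pan_last4": pan[-4:],
        "card_billing_street": addr.street,
        "card_billing_city": addr.city,
        "card_billing_state": addr.state,
        "card_billing_zip5": addr.zip5,
        "card_billing_zip4": addr.zip4,
    }


if __name__ == "__main__":
    # Constructed sample: a rep typed city/state/ZIP into one field, and the form
    # captured the verification code alongside the card number.
    city, state, zip5, zip4 = split_city_state_zip("Omaha, ne 68102-1234")
    addr = BillingAddress("1620 Dodge St", city, state, zip5, zip4)
    print(avs_request_fields(addr))
    card = {"pan": "4111 1111 1111 1111", "cvv2": "123"}
    try:
        order_record("A1001", card, addr)
    except PaymentDataError as e:
        print("rejected:", e)
    card.pop("cvv2")  # verification code dropped once the authorization has been sent
    print(order_record("A1001", card, addr))
```

The check in `order_record` is deliberately a hard failure rather than a silent strip: a form that hands the verification code to the persistence layer is the integration bug the article warns about, and it should surface in testing rather than be quietly tolerated in production. If the full card number has to be retained for recurring billing, it belongs in an encrypted field per the CISP guidance above, not in the truncated form shown here.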
6. Maintain an up-to-date firewall. A firewall, whether a dedicated appliance or software on the host, inspects network traffic and admits only the connections your rules explicitly allow, such as Web traffic to your storefront. Better firewalls also filter outgoing traffic, which matters because worms and other malicious code spread by reaching out to the Internet and pushing copies of themselves to other computers, and because a compromised server must connect outward to hand your data to the attacker.
Without a firewall, your catalog’s computer systems are operating with the door open: bank-account information, passwords and credit card numbers are there for any fraudster who gets in. Intruders may also leave a “back door” behind, turning your computer into a “zombie” used to attack other computers.
In short, keep your firewall rules and software continually updated to stay ahead.
Conclusion
With the growing sophistication and ever-changing tactics of online criminals, there’s no magic bullet to protect your company against all cyber-crimes. Today’s best-practice approach to fraud prevention is based on a combination of good authentication principles and consumer education, combined with an arsenal of automated fraud-screening techniques that maximize the efficiency of the order-verification process.
Paul Garcia is vice president of risk management for First National Merchant Solutions, a payment processing company with 50 years of experience specializing in proprietary products and services for merchants. Garcia wrote this article at the request of the Catalog Success editors. He can be reached at (402) 633-1851, or by e-mail at: pgarcia@fnni.com.