For most merchants, “busy” seems to be a colloquial term for “business owner.” It’s no wonder, then, that merchants aren’t keeping up with the latest happenings in merchant account security. Cyberattacks are a big risk for merchants of all sizes, and it’s estimated that cybercrime is up 600% as a result of COVID-19. This has led to the widespread adoption of new tools and solutions by merchant providers and suppliers to keep up with evolving security threats.
The good news is that merchants have access to a wide array of security options that will provide peace of mind. The bad news is that not all merchants are aware of the advances in cybersecurity, and they might unknowingly be left behind by their providers. This is especially the case with gateways. Your gateway account is constantly updated with new security features that will protect your business and customers. Sounds great, doesn’t it? Unfortunately, if you set up your account before these features were released, there’s a strong chance you aren’t automatically enrolled. Merchant gateway accounts aren’t usually grandfathered into security enhancements, so it’s crucial to check your administrative areas and manually enable every helpful security feature your supplier provides you.
Only due diligence will guarantee you’re up to date and utilizing every security feature your suppliers have to offer. We recommend that our merchants incorporate an “end of the year cleaning” mentality for their merchant accounts, where they perform an annual check-in for their admin areas to see if there are any new features available that were missed. Not all enhancements are free, but if it’s been more than a couple of months since you last checked your available merchant account features, you might be missing out on valuable improvements to your company’s online security.
Many suppliers offer software with enhanced fraud prevention at an additional cost. Software offerings include tools that can filter through the noise and pinpoint fraudulent activity, as well as automate many industry-standard tasks that merchants should perform to maintain a high level of security. If you can afford to pay for additional security offerings, proprietary software from your gateway or payment processor can be a good alternative to manual management and upkeep.
However, not all merchants have the luxury of paying for security services. This poses the question: “Do merchants need to spend money to protect themselves?” The short answer is “no”, but the long answer is “it depends on how much time you’re willing to invest to compensate for not spending money.” Many paywalled tools and security features are valuable because they’re convenient. They automate tedious tasks that require monitoring to maintain high security standards. Paid fraud prevention software often has an intuitive interface that offers one-click filters and reporting that can be customized to your business needs. Even so, paying for your security isn’t a necessity. If you take the necessary precautions and actively work to protect your account and customers, you can secure your account without spending money.
Merchants have access to a range of industry-standard fraud prevention tools that are built into their software and are available for free. Some of the features below are automatically baked into your packages, while others aren’t tools or features, but actions you can take in place of paid features. By adhering to the following account protection techniques, you’ll set yourself up nicely for a safe and secure 2022 without breaking the bank.
The Address Verification Service (AVS) fights fraud by verifying that the billing address provided by the customer matches the billing address stored by the customer’s credit card issuer. If the billing addresses don’t match, the transaction is flagged and canceled. This service is built into most software offerings and is industry standard.
Card code verification (CCV) checks the three- or four-digit code that’s printed on credit cards and not digitally cached. When a customer enters their credit card information with the card code, CCV will compare the code with what the customer’s bank has on file. CCV adds an extra layer of security because the only individual who can access the card code is the one that has the physical card in their possession. Similar to AVS, this service is industry standard and comes with most software.
Adhering to the Payment Card Industry (PCI) Data Security Standard is one of the most efficient and effective ways to prevent credit card fraud. If your business processes credit cards and isn’t PCI compliant, achieving compliance should be a top priority and the first action you take as you bolster your security. Compliance will give your customers peace of mind, but staying compliant is an ongoing process. Failure to adhere to PCI guidelines will leave your business vulnerable, even if you achieved compliance previously.
Although PCI compliance isn’t baked into your payment software, you can still become compliant for little to no cost. If you’re confident in the compliance process, you can complete it independently. Otherwise, merchant service providers like Evolve Payment can expedite PCI compliance and make it a seamless process for you.
If a customer has an abnormally high number of transactions in a short period of time, or the transaction amount is unusually high, then red flags should be raised. Fraudsters typically flood accounts with transactions in an attempt to find the right name and number combination for cards. The rate at which transactions occur is referred to as Velocity, and many suppliers have automated Amount Filters and Velocity Filters for convenience and consistency. However, these filters are rarely free.
Merchants can monitor transactions themselves and make judgment calls as an alternative to paying for a service. If you see a customer’s name show up in your payment history repeatedly and with different credit card numbers, it’s worth looking into the legitimacy of these transactions. Similarly, if you notice transactions that are unusually large for the goods or services you’re selling, you might want to ask some questions about the payment.
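The manual review described above can be scripted against a transaction export. The following is an added example, not code from Evolve Payment or any gateway; the record layout, the thresholds and the function name `review_flags` are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (timestamp, customer name, card token, amount).
# Work from a token or the last four digits, never the full card number.
TRANSACTIONS = [
    ("2022-01-10 09:00:00", "Alice Moreno", "tok_1111", 42.00),
    ("2022-01-10 09:01:10", "J. Smith", "tok_2001", 1.00),
    ("2022-01-10 09:01:40", "J. Smith", "tok_2002", 1.00),
    ("2022-01-10 09:02:05", "J. Smith", "tok_2003", 1.00),
    ("2022-01-10 09:02:30", "J. Smith", "tok_2004", 1.00),
    ("2022-01-10 11:30:00", "Bao Tran", "tok_3333", 2500.00),
    ("2022-01-11 15:00:00", "Alice Moreno", "tok_1111", 38.50),
]

def review_flags(transactions, window=timedelta(minutes=10),
                 max_in_window=3, max_cards=2, max_amount=500.0):
    """Return {customer: sorted reasons} for payments worth a manual look.

    All thresholds are illustrative assumptions; tune them to what is
    normal for the goods or services you sell.
    """
    by_name = defaultdict(list)
    for ts, name, card, amount in transactions:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_name[name].append((when, card, amount))

    flags = defaultdict(set)
    for name, rows in by_name.items():
        rows.sort()
        # Velocity: too many transactions inside any sliding time window.
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 > max_in_window:
                flags[name].add("velocity")
        # Same name appearing with several different cards.
        if len({card for _, card, _ in rows}) > max_cards:
            flags[name].add("multiple_cards")
        # Amount unusually large for this business.
        if any(amount > max_amount for _, _, amount in rows):
            flags[name].add("large_amount")
    return {name: sorted(reasons) for name, reasons in flags.items()}

if __name__ == "__main__":
    for customer, reasons in review_flags(TRANSACTIONS).items():
        print(f"{customer}: {', '.join(reasons)}")
```

A flag here is a prompt to ask questions about the payment, not proof of fraud; a repeat customer with one card and ordinary amounts is left alone.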
Cybersecurity is constantly evolving. Upkeep and due diligence will significantly reduce the odds of an attack or breach, but nothing is foolproof. Every merchant should have a contingency plan in case they’re compromised, regardless of how protected they think they are. By planning ahead, you’ll have added peace of mind knowing that any major damage from future cyberattacks will be mitigated.
If your beloved pet accidentally eats poison, the last thing you’ll want to do is spend precious minutes looking for the number to Poison Control. The same concept applies to cybersecurity. Every second counts after a breach and every merchant should have an accessible list of emergency contacts in case one occurs. Important numbers to have accessible include the number to your processor, gateway, bank, merchant services provider, and cybersecurity insurer, if applicable.
Having a good relationship with your merchant services provider will ensure a quick response because your provider understands your business and how to best help. If you become a victim of a cyberattack, not all hope is lost. Oftentimes, a poor response to a breach is the coup de grâce for merchants, not the breach itself. Because of this, reacting to a cyberattack by getting proper advice from educated professionals in the industry is just as important as proactively protecting yourself from one in the future.
Cybersecurity insurance, also known as cyber liability insurance or cyber insurance by some, works in similar ways to traditional insurance offerings. Merchants can pay a monthly or quarterly fee to offset some of the potential financial damages from a cyberattack. Cyber insurance will provide financial support for remediation and investigators after an attack so the financial damages to a company are limited, but most insurance policies won’t cover breaches caused by “negligence” on the part of the merchant. This includes failure by the merchant to address a known vulnerability and attacks that were caused by employees. Cyber insurance also often doesn’t cover costs associated with improving your security systems.
Because of this, cyber insurance isn’t a catch-all solution, and should only be used as a supplement to a well-thought-out security program. CyberFin, a cybersecurity technology firm, expands upon this by stressing the importance of hands-on prevention by the merchant: “The more you understand about cyber threats and how they work the better you will be able to protect you and your business. Remember the best defense will always begin with you.”
If you’re interested in learning more about how you can protect your business and customers or would like help with managing your account security online, the Evolve Payment team has the knowledge and resources to connect you with the right tools and set you up for a safe 2022. We are experts in PCI compliance and can act as your advisors as you manage your merchant tools to ensure you’re getting the most out of your merchant partnerships. Reach out to us today and get a head start on cyber security.