opinion

Stay Cozy Under Your Network Security Blanket

Stay Cozy Under Your Network Security Blanket

Everyone can’t be an expert in IT infrastructure and security. I’m thankful to have a team that focuses on security best practices and takes care of those issues for me. While I don’t know every ingredient in their “secret sauce,” I do know that they work quietly in the background, protecting our network from intrusions and data breaches. They’re like a warm, fuzzy blanket keeping us and our merchants safe.

This month, as the cooler weather ushers in what is typically a busier time of year, I want to share some of their knowledge to highlight the measures needed to keep merchants safe and secure all year long.

Keeping data safe is one of the big reasons why locking down your company’s computers is important.

FIGHT BACK ATTACKS

Attacks can happen at any time, so you must always be ready. Remember several years ago, when a group called “Fancy Bear” was bringing down financial institutions with distributed denial of service (DDoS) attacks or bot-like malicious traffic? They were sending out ransom letters requesting Bitcoin payments.

They came after us and several other gateway players in our space. This forced us to investigate solutions to fight back and protect our endpoints, which are ways into a company’s system. There are multiple and highly effective solutions out there to combat this kind of threat. For instance, we have taken advantage of Cloudflare to help hide our IPs, act as a firewall for our web applications and provide other DDoS protection.

We’ve recently added ThreatX to our arsenal as well, which adds redundancy to our security posture while also allowing us to custom-craft traffic rules to ward off the card runners and card cleaners that plague our industry. This same solution can be implemented at the merchant level to alert merchants to a potential DDoS. Having these kinds of tools in place can make a big difference and provide you with an extra layer of security.

LOCK IT DOWN

Keeping data safe is one of the big reasons why locking down your company’s computers is important. Processors like us are registered financial institutions in Europe, so we are regulated much like a large acquirer. This makes it even more important that our data is kept safe. It is important for merchants to protect their data too.

One way to do so is encrypting the hard drives of your company’s computers. With encryption, if someone steals a computer, all the data on it is protected. Another option is using a USB lockdown to help eliminate the possibility of a disgruntled employee downloading sensitive company data and using it somewhere else.

Here’s a tip a lot of people don’t like, but that could be very beneficial: remove admin rights on all company laptops. This prevents employees from downloading apps and software, or clicking through links that could be infected with malware, which could then infect your entire network. Our IT team also suggests implementing and randomizing the local administrator account password on all company machines. That way, even if one machine is compromised, the perpetrator cannot access all the machines. This also mitigates how much harm malware can cause if it discovers the admin password.

Lastly, adding two-factor or multi-factor authentication neutralizes the risks associated with compromised passwords and can help eliminate related security issues.

NO-PHISHING ZONE

Phishing scams can be very creative and convincing. From time to time, I’ve had employees receive spoofed emails purporting to be from me, requesting that they go out and purchase gift cards immediately. For those unfamiliar, spoofing is a type of attack in which the “from” address of an email message is forged. As a preventative measure, our experts suggest implementing an email protection solution such as Proofpoint, which protects against email attacks and provides continuity for businesses in the event of an email outage.

Implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocols will also help prevent email spoofing and phishing. DMARC helps mail administrators prevent hackers and other attackers from spoofing their organization and domain. We’ve seen DMARC minimize these types of attacks.

Another helpful idea is implementing Outlook user submissions. This allows employees to report spam or phishing emails to Microsoft for analysis. If you’re not an Outlook user, there are similar services associated with Gmail and other email providers.

COMPANYWIDE COMPLIANCE

It’s good to get your whole company involved in compliance. Host an event where the heavy lifting of the annual PCI audits and monthly compliance falls on the entire staff, not just the IT team. At Segpay, we all go through annual PCI training. Here are some suggestions to share with your new hires so they get a good start while also keeping company information safe:

  • Lock your computer while you are away from your desk.
  • Use a secure, encrypted solution to store your credentials, such as KeePass or Roboform.
  • Do not store passwords in a spreadsheet, OneNote, Notepad or any other unencrypted format.
  • Do not write passwords down on paper.
  • When sending credentials, separate the username and password and send them on two different mediums. For example, you can send the username via email and the password via Microsoft Teams.
  • Delete the credentials after sending. For example, in Teams and Skype, you can click the three dots to the right of your message and select “delete/remove.”
  • Never provide your password to anyone asking for it.
  • Beware of phishing emails trying to steal your personal information or credentials. If you are not expecting an email from someone and are not sure about it, ask your IT department for assistance.

ONGOING SUPPORT

In addition to these tips, it’s important for your programming team to complete secure coding training each year to keep their certification up to date. It is also a requirement for passing the annual PCI audit. Many banks have joined in and are now requiring that all merchants fill out a PCI self-assessment questionnaire (SAQ). Taking the time to complete an SAQ is helpful because it is a useful tool in making your organization and your program more secure. It doesn’t take long to complete, and it’s a nice tool to have in place, especially since it’s now a requirement for many banks.

Keeping all these security tools up to date can seem like a lot of work, but this work is well worth it. It provides you with confidence, allowing you to relax — under your network security blanket.

Cathy Beardsley is president and CEO of Segpay, a merchant services provider offering a wide range of custom financial solutions including payment facilitator, direct merchant accounts and secure gateway services. Under her direction, Segpay has become one of four companies approved by Visa to operate as a high-risk internet payment services provider. Segpay offers secure turnkey solutions to accept online payments, with a guarantee that funds are kept safe and protected with its proprietary Fraud Mitigation System and customer service and support. For any questions or help, contact sales@segpay.com or compliance@segpay.com.

Related:  

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

Best Practices for Payment Gateway Security

Securing digital payment transactions is critical for all businesses, but especially those in high-risk industries. Payment gateways are a core component of the digital payment ecosystem, and therefore must follow best practices to keep customer data safe.

Jonathan Corona ·
opinion

Ready for New Visa Acquirer Changes?

Next spring, Visa will roll out the U.S. version of its new Visa Acquirer Monitoring Program (VAMP), which goes into effect April 1, 2025. This follows Visa Europe, which rolled out VAMP back in June. VAMP charts a new path for acquirers to manage fraud and chargeback ratios.

Cathy Beardsley ·
opinion

How to Halt Hackers as Fraud Attacks Rise

For hackers, it’s often a game of trial and error. Bad actors will perform enumeration and account testing, repeating the same test on a system to look for vulnerabilities — and if you are not equipped with the proper tools, your merchant account could be the next target.

Cathy Beardsley ·
profile

VerifyMy Seeks to Provide Frictionless Online Safety, Compliance Solutions

Before founding VerifyMy, Ryan Shaw was simply looking for an age verification solution for his previous business. The ones he found, however, were too expensive, too difficult to integrate with, or failed to take into account the needs of either the businesses implementing them or the end users who would be required to interact with them.

Alejandro Freixes ·
opinion

How Adult Website Operators Can Cash in on the 'Interchange' Class Action

The Payment Card Interchange Fee Settlement resulted from a landmark antitrust lawsuit involving Visa, Mastercard and several major banks. The case centered around the interchange fees charged to merchants for processing credit and debit card transactions. These fees are set by card networks and are paid by merchants to the banks that issue the cards.

Jonathan Corona ·
opinion

It's Time to Rock the Vote and Make Your Voice Heard

When I worked to defeat California’s Proposition 60 in 2016, our opposition campaign was outspent nearly 10 to 1. Nevertheless, our community came together and garnered enough support and awareness to defeat that harmful, misguided piece of proposed legislation — by more than a million votes.

Siouxsie Q ·
opinion

Staying Compliant to Avoid the Takedown Shakedown

Dealing with complaints is an everyday part of doing business — and a crucial one, since not dealing with them properly can haunt your business in multiple ways. Card brand regulations require every merchant doing business online to have in place a complaint process for reporting content that may be illegal or that violates the card brand rules.

Cathy Beardsley ·
profile

WIA Profile: Patricia Ucros

Born in Bogota, Colombia, Ucros graduated from college with a degree in education. She spent three years teaching third grade, which she enjoyed a lot, before heeding her father’s advice and moving to South Florida.

Women In Adult ·
opinion

Creating Payment Redundancies to Maximize Payout Uptime

During the global CrowdStrike outage that took place toward the end of July, a flawed software update brought air travel and electronic commerce to a grinding halt worldwide. This dramatically underscores the importance of having a backup plan in place for critical infrastructure.

Jonathan Corona ·
opinion

The Need for Minimal Friction in Age Verification Technology

In the adult sector, robust age assurance, comprised of age verification and age estimation methods, is critical to ensuring legal compliance with ever-evolving regulations, safeguarding minors from inappropriate content and protecting the privacy of adults wishing to view adult content.

Gavin Worrall ·
Show More