How to Protect E-Commerce Merchant Accounts from Intrusion

There are several weak links in an e-commerce merchant account that are typically targeted by criminals looking to steal card account information. Recognizing where these weak spots are and understanding how to beef up your fraud prevention and data security mechanisms will help keep the bad guys at bay.

Among the favorite targets for cyber criminals looking for credit card data are an e-commerce website’s shopping cart and the payment gateway that connects it to the merchant’s processing bank’s system. Criminals usually attack web-based merchants that use weak or generic passwords. Once they gain access to the merchant account, they start processing fraudulent debit and credit transactions. The fraudulent sales are usually equal or similar in total amount to the deposited credits, so that they offset each other. This is done in an effort to avoid detection by deposit-volume monitoring.

To keep your e-commerce merchant account safe, merchants should apply the following best practices:

• Conduct daily monitoring of authorizations and transactions. In particular, you should check daily for the following:
  • Authorization-only transactions. An unusually high number of authorization-only transactions could indicate that your website is being tested for vulnerability.
  • An unusually high number, average size, or volume of credit transactions. This could be an indication of a fraud.
  • Identical or similar transaction amounts.
  • Transactions that do not include customer identification information.
  • Multiple transactions from the same Internet Protocol (IP) address.
  • Transactions with similar account numbers. Such credit card accounts may have been generated by software for generating fraudulent account numbers (e.g. CreditMaster).
  • Multiple transactions made using a single account within a short period of time. This is a typical sign of fraud where a criminal is attempting to run up as much charges as possible within the limited time he or she has before the stolen account is blocked.
• Monitor your daily batches. In particular:
  • Know what time your transactions settle. Make sure to review your transactions before settlement occurs.
  • If you use the Address Verification Service (AVS) or Card Security Codes (CVV2, CVC 2 and CID), look for transactions submitted without an AVS or a Card Security Code response in the authorization record. You should always use AVS and security code validation, before processing an e-commerce transaction. These tools were created specifically to fight e-commerce fraud and have been proved quite successful.
• Create a strong password for your payment gateway and change it regularly. For best results you should:
  • Use a combination of letters and numbers with a minimum of six characters.
  • Make sure that the log-in ID and password are different.
• Maintain compliance with the requirements of the Payment Card Industry (PCI) Data Security Standards (DSS). PCI DSS are specifically designed to help merchants with their data security management, policies, procedures, network architecture, software design and other protective measures. There are 12 mandatory standards built around several core principles: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks and maintaining an information security policy.

What else has worked for you in protecting your merchant account from intrusion? Share your experience in the comments below!

Image credit: Bounceenergy.com.