An estimated $2.8B USD was lost to online fraud in the U.S. and Canada in 2005
The rate of credit card fraud for online sales is three to four times higher than the overall fraud rate
Authentication is a challenge
Hackers can break into a merchant’s network
Hackers can also steal customer identities
Recorded session attack
Vulnerabilities … … leading to losses
Common Fraud-Related Risks
Identity theft – Using stolen information to open new credit cards
Cash theft – Issuing unauthorized credits or payments
Accessing payment networks – Accessing a payment network to complete fraud
Product theft – Using a stolen credit card to purchase goods and services
Chargebacks – A cardholder disputes a credit card purchase
How to Protect Your Business Against Fraud
1. Transaction Level – Ensure each transaction you accept and process is valid, and be careful in reviewing suspicious transactions because some may be valid.
2. Account Level – Make sure only authorized users have access to your payment gateway account, and be alert for suspicious account access patterns.
3. Network Level – Ensure your perimeter is defended against unauthorized access.
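As an added illustration of the transaction-level review described above (example code, not from the original slides), a small rule set that flags gateway transactions for manual review rather than rejecting them outright; the sample transactions, field names and thresholds are assumptions:

```python
# Added example (not from the original slides): rule-based review flags for
# payment gateway transactions. Flagged orders go to manual review, not
# automatic rejection, because some suspicious-looking transactions are valid.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (hypothetical card tokens and IPs).
SAMPLE_TXNS = [
    {"id": 1, "ts": "2024-01-10T10:00:00", "card": "tok_A", "ip": "198.51.100.7", "bill": "US", "ship": "US", "amount": 40.00},
    {"id": 2, "ts": "2024-01-10T10:00:20", "card": "tok_B", "ip": "198.51.100.7", "bill": "US", "ship": "US", "amount": 1.00},
    {"id": 3, "ts": "2024-01-10T10:00:40", "card": "tok_C", "ip": "198.51.100.7", "bill": "US", "ship": "US", "amount": 1.00},
    {"id": 4, "ts": "2024-01-10T10:01:00", "card": "tok_D", "ip": "198.51.100.7", "bill": "US", "ship": "US", "amount": 1.00},
    {"id": 5, "ts": "2024-01-10T11:00:00", "card": "tok_E", "ip": "203.0.113.9", "bill": "CA", "ship": "RU", "amount": 950.00},
    {"id": 6, "ts": "2024-01-10T12:00:00", "card": "tok_F", "ip": "192.0.2.55", "bill": "US", "ship": "US", "amount": 25.00},
]

WINDOW = timedelta(minutes=10)   # assumed look-back window per source IP
MAX_CARDS_PER_IP = 3             # assumed: more distinct cards than this is unusual
HIGH_VALUE = 500.00              # assumed: amount above which a country mismatch is reviewed


def review_flags(txns):
    """Return {txn_id: [reasons]} for transactions that need manual review."""
    txns = sorted(txns, key=lambda t: t["ts"])     # ISO timestamps sort lexically
    flags = defaultdict(list)
    seen = defaultdict(list)                       # ip -> [(timestamp, card)] in WINDOW
    for t in txns:
        ts = datetime.fromisoformat(t["ts"])
        # Keep only this IP's recent activity, then add the current attempt.
        recent = [(s, c) for s, c in seen[t["ip"]] if ts - s <= WINDOW]
        recent.append((ts, t["card"]))
        seen[t["ip"]] = recent
        # Many different cards from one source in a short window: review.
        if len({c for _, c in recent}) > MAX_CARDS_PER_IP:
            flags[t["id"]].append("many cards from one IP")
        # A high-value order shipped to a country other than the billing one: review.
        if t["bill"] != t["ship"] and t["amount"] >= HIGH_VALUE:
            flags[t["id"]].append("high value with billing/shipping mismatch")
    return dict(flags)


if __name__ == "__main__":
    for txn_id, reasons in review_flags(SAMPLE_TXNS).items():
        print(txn_id, reasons)
```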
Your Disclosure Policy Tells Customers that You Are Honest and Dependable
Business Description – Explains what the company does
Return Policy – Provides clear guidelines on how a return is handled
Contact Information – Makes it easy for customers to get in touch with the merchant via different communication channels
Security basics “must do” list
Control Objective: Build and Maintain a Secure Network
    Install and maintain a firewall configuration to protect cardholder data
    Do not use vendor-supplied defaults for system passwords and other security parameters
Control Objective: Protect Cardholder Data
    Protect stored cardholder data
    Encrypt transmission of cardholder data across open, public networks
Control Objective: Maintain a Vulnerability Management Program
    Use and regularly update anti-virus software
    Develop and maintain secure systems and applications
Control Objective: Implement Strong Access Control Measures
    Restrict access to cardholder data by business need-to-know
    Assign a unique ID to each person with computer access
    Restrict physical access to cardholder data
Control Objective: Regularly Monitor and Test Networks
    Track and monitor all access to network resources and cardholder data
    Regularly test security systems and processes
Control Objective: Maintain an Information Security Policy
    Maintain a policy that addresses information security
Payment Gateway Implementation over SSL
Refer to the attached PDF “Payment Gateway Implementation.pdf”
What to ask third-party payment gateway providers?
How long has this company been in service?
What is the company history?
How long has their particular software package been in use?
Can you test a demo of the software?
How much will the setup and service bundle cost?
How much are the processing costs and fees?
Does the system need special installation equipment?
Does the system provide extra services?
What level of support does this third party provide?
Which existing customers already use this system?
What authentication and authorization does the system provide?
An example of applying to a payment gateway (WorldPay)
Refer to the attached PPS “worldpay application.pps”