Many businesses rely on payment service providers (PSPs) such as PayPal, Google Wallet and Money Bookers. But how safe are they? Hiscox spoke to payment security expert, Shaab Al-Baghdadi to get his top tips for keeping online payment systems secure as part of their complete guide to cyber security.
Tech novices can access sophisticated hacking software now; they can even access helplines on the dark web on how to use 'crimeware.' So business owners must be aware of potential hacking threats when using PSPs, and make sure they follow the correct protocol in protecting themselves.
Beware the 'middleman'
In general, hackers won't try to force entry into sophisticated and complex systems. Instead they'll go for the area of least resistance. This has led to many attacks loosely labelled 'man in the middle', where a hacker tricks the user into thinking they're using a company's website when they're actually using a fake, identical-looking, webpage that captures whatever they type. Strictly speaking this is a phishing or spoofed-site attack; a true man-in-the-middle sits between the user and the genuine site and relays traffic in both directions, but the effect on the card holder is the same.
This is one relatively simple method used by hackers to harvest card details. While it technically doesn't constitute a breach of security of the PSP's system, it's important to be aware of this kind of activity.
Know who is responsible for breaches
When it comes to a breach of security, it's usually the PSP that would take the responsibility.
But if they can demonstrate that their platform has not been compromised, this usually shifts responsibility either to the card holder for not protecting their details, or the merchant for not following the PSP's terms and conditions.
It's important that businesses using a PSP understand the procedures and policies they must follow and demonstrate they have done this.
Do due diligence
As a best practice, Al-Baghdadi advises that small businesses undertake due diligence when appointing a PSP. This can be done through a third-party review, using a questionnaire.
SMEs should be asking their PSP what information they collect, how long they keep it for, and what they do with it. This is especially important if they're collecting personally identifiable information (PII), which falls under the General Data Protection Regulation (GDPR), due to come into force in May 2018.
Failure to comply with this regulation – including failing to carry out due diligence – carries severe penalties of up to 4% of a company's global annual turnover or €20 million, whichever is higher, which is why it's so important to understand where the liability sits both contractually and in regard to the regulation.
Acting on PSP fraud
If a business owner notices someone has spent money from their PayPal account or other online payment system, they should follow the same process they'd use if an unauthorised transaction happened in their personal bank account. The best thing to do is contact the PSP and see if they can reverse the payment.
SMEs should check their PSP account regularly to see if there are any small payments going out, either on a one-off or regular basis. Criminals will often use this technique to test that the payment account is live, then come back for a larger amount. Small payments to charities should be monitored carefully, as these often go unnoticed. In this sort of scam, when larger payments leave the account they tend to sit marginally under £10,000, as amounts below a round figure like that can be missed by the PSP's internal fraud engines.
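The two patterns just described, a tiny 'is the account live?' payment followed by a large one to the same payee, and amounts parked just under a round threshold, can be screened for mechanically in a statement export. The following is an added example, not code from the Hiscox guide or from Al-Baghdadi; the record layout, the thresholds (£5 probe, £10,000 threshold, £500 margin, 30-day window) and the sample statement are constructed for illustration and should be tuned to the account's real payment profile.

```python
"""Screen an exported PSP statement for probe payments and under-threshold transfers.

Added example, not code from the Hiscox article or the expert it quotes.
The record layout, thresholds and sample statement are assumptions chosen
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# Assumed tuning values (not from the article).
PROBE_MAX = Decimal("5.00")            # a "test the account is live" payment
THRESHOLD = Decimal("10000.00")        # round figure a fraud engine is assumed to watch
UNDER_MARGIN = Decimal("500.00")       # "marginally under": 9,500.00 to 9,999.99
PROBE_WINDOW = timedelta(days=30)      # how long after a probe a large payment is linked to it

# Constructed sample export: date,payee,amount,reference (outgoing amounts, positive).
SAMPLE_STATEMENT = """
# constructed sample, not real account data
2024-03-01,Office Supplies Ltd,145.20,INV-1001
2024-03-02,Helping Hands Charity,1.00,DON-0001
2024-03-04,Office Supplies Ltd,98.50,INV-1002
2024-03-09,Helping Hands Charity,9850.00,TRF-7781
2024-03-10,Cloud Hosting Co,450.00,INV-1003
2024-03-15,Unknown Payee,0.50,TST-0009
""".splitlines()


@dataclass(frozen=True)
class Txn:
    when: datetime
    payee: str
    amount: Decimal
    ref: str


def parse_statement(lines):
    """Parse the constructed 'YYYY-MM-DD,payee,amount,reference' lines, oldest first."""
    txns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date_s, payee, amount_s, ref = (f.strip() for f in line.split(",", 3))
        txns.append(Txn(datetime.strptime(date_s, "%Y-%m-%d"), payee, Decimal(amount_s), ref))
    return sorted(txns, key=lambda t: t.when)


def flag_transactions(txns):
    """Map each suspicious transaction reference to the list of reasons it was flagged."""
    flags = defaultdict(list)
    seen_payees = set()
    probes = defaultdict(list)  # payee -> timestamps of small payments to that payee

    for t in txns:
        # Rule 1: a large payment parked just under the round threshold.
        if THRESHOLD - UNDER_MARGIN <= t.amount < THRESHOLD:
            flags[t.ref].append("amount marginally under threshold")

        # Rule 2: a tiny first payment to a payee never paid before (account probe).
        if t.amount <= PROBE_MAX and t.payee not in seen_payees:
            flags[t.ref].append("small first payment to new payee")

        # Rule 3: anything bigger than a probe, sent to a payee probed within the window.
        if t.amount > PROBE_MAX and any(
            t.when - probe_time <= PROBE_WINDOW for probe_time in probes[t.payee]
        ):
            flags[t.ref].append(f"large payment follows probe to {t.payee}")

        if t.amount <= PROBE_MAX:
            probes[t.payee].append(t.when)
        seen_payees.add(t.payee)

    return dict(flags)


if __name__ == "__main__":
    for ref, reasons in flag_transactions(parse_statement(SAMPLE_STATEMENT)).items():
        print(ref, "->", "; ".join(reasons))
```

Run against the sample, the £1 donation and the 50p payment to an unknown payee are flagged as probes, and the £9,850 transfer is flagged twice: once for sitting just under the threshold and once because it follows a probe to the same charity a week earlier. Ordinary supplier invoices pass untouched, which is the point: the review should surface a handful of lines a person can check, not the whole statement.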
Review how the account is accessed from internal systems and consider the following questions: which members of staff have access to those systems? How often are the passwords changed? Where are they kept? From where, and how, can the account be accessed? Those access points should be secured and kept free of malware.
Understand consumers' rights
Consumers are protected under the Consumer Rights Act 2015, and additionally by the rights their credit card issuer or PSP affords them when they purchase through those services.
In general, PSPs will side with the consumer in a dispute and it is the merchant's responsibility to prove they've complied with the contract of sale. 'Soft Fraud' – where a consumer claims they never received their goods, for example – is an ever-growing issue. Small businesses must consider the cost of this and take added measures to prove the delivery of goods and services with robust audit trails.
Get the right payment system
This is both a commercial and a security decision. Knowing the customer and how they transact should be one of the main factors behind the online payment system an SME chooses.
Do customers require anonymity or the ability to register their card details once for multi-merchant purchases? It helps to ask the PSP directly about their user demographics.
It's also important to research the fees a particular PSP charges, the bandings used to assess these charges and what percentage of each transaction the PSP will take. Identify what the abandonment rate (when consumers decide not to proceed with the transaction) is too, as this will result in lost revenue.