We talk a lot here about the small business owner and the importance of the Payment Card Industry Data Security Standard (PCI DSS), even though small merchants often don't have large and complex database networks. Any merchant can be targeted at any time by a criminal bent on stealing, using or selling the cardholder data and sensitive authentication data in their possession. But becoming PCI compliant doesn't mean you can rest on your laurels. Maintaining your PCI compliance is an inexact science that has to be adapted to the needs of your particular business. Doing the bare PCI compliance minimum to meet industry requirements, while certainly better than nothing, doesn't relieve you of the need to remain vigilant.
Merchants that process a high volume of credit card transactions typically have no choice but to run the business on networked computer systems. A rule of thumb for system integrity is that the more complex a system is, the harder it is to keep every component patched, configured and monitored, and the more ways there are for it to be misused. Products and services sold online with the convenience of paying by credit card are commonplace these days, and they provide a vast hunting ground for computer criminals. Lately industry partners have noted the resurgence of a classic fraud method in which the attacker takes advantage of weak online sign-in credentials to access merchant accounts and submit fraudulent card transactions.
A few recently reported cases indicate that cyber thieves use phishing and other fraud techniques to find merchants with weak authentication requirements and gain access to the merchants' online accounts with their processing service. Once a merchant's login credentials are compromised, the thieves submit fraudulent credit (refund) transactions to debit cards (also called check cards, since they draw directly on the cardholder's checking account balance) that were set up by criminal accomplices. The amounts were commonly in the thousands of dollars per transaction.
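The fraud described above leaves a recognizable trace in the merchant's own transaction history: credits issued to cards that were never charged, credits larger than any sale on the card, and bursts of high-value credits from a single login. The following script is an added example of a detection pass over such a history; it is not code from this post or from any processor. The transaction records, field names and thresholds are all constructed for illustration, and a real export would need to be mapped onto the `Txn` fields first.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    """One processor transaction. Amounts are in cents to avoid float rounding."""
    txn_id: str
    ts: datetime
    kind: str          # "sale" or "credit" (refund)
    card_token: str    # processor-issued token standing in for the PAN
    amount: int
    operator: str      # the login that submitted the transaction


# Constructed sample history (not real data). t2 is a normal refund of t1;
# t3/t4 are large credits to cards the merchant never charged, sent minutes
# apart from one login after hours; t6 refunds far more than was ever sold.
TRANSACTIONS = [
    Txn("t1", datetime(2012, 5, 1, 10, 0), "sale", "tok_a", 4599, "clerk1"),
    Txn("t2", datetime(2012, 5, 1, 10, 30), "credit", "tok_a", 4599, "clerk1"),
    Txn("t3", datetime(2012, 5, 1, 23, 15), "credit", "tok_z", 250000, "owner"),
    Txn("t4", datetime(2012, 5, 1, 23, 17), "credit", "tok_y", 310000, "owner"),
    Txn("t5", datetime(2012, 5, 2, 9, 0), "sale", "tok_b", 2000, "clerk2"),
    Txn("t6", datetime(2012, 5, 2, 9, 5), "credit", "tok_b", 9000, "clerk2"),
]


def find_suspicious_credits(
    txns,
    refund_window=timedelta(days=90),   # how far back a matching sale may be
    high_value_cents=100000,            # $1,000: flag any single credit at or above this
    burst_count=2,                      # credits from one login within burst_window
    burst_window=timedelta(hours=1),
):
    """Return {txn_id: [reasons]} for every credit that fails a sanity check.

    Checks, in order: the card must have been charged within refund_window;
    the credit must not exceed the sales on that card in the window; large
    credits and rapid runs of credits from one login are always flagged.
    """
    sales_by_card = defaultdict(list)
    credits_by_operator = defaultdict(list)
    flagged = {}

    for t in sorted(txns, key=lambda x: x.ts):
        if t.kind == "sale":
            sales_by_card[t.card_token].append(t)
            continue
        if t.kind != "credit":
            continue

        reasons = []
        prior = [
            s for s in sales_by_card[t.card_token]
            if t.ts - refund_window <= s.ts <= t.ts
        ]
        if not prior:
            reasons.append("no matching sale on this card")
        elif t.amount > sum(s.amount for s in prior):
            reasons.append("credit exceeds prior sales on this card")

        if t.amount >= high_value_cents:
            reasons.append("high-value credit")

        recent = credits_by_operator[t.operator]
        recent.append(t.ts)
        recent[:] = [ts for ts in recent if t.ts - ts <= burst_window]
        if len(recent) >= burst_count:
            reasons.append("credit burst by one login")

        if reasons:
            flagged[t.txn_id] = reasons
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in find_suspicious_credits(TRANSACTIONS).items():
        print(txn_id, "->", "; ".join(reasons))
```

The thresholds are deliberately loose; a merchant would tune them to its own refund rate and ticket size. The useful property of the first two checks is that they do not depend on thresholds at all: a refund to a card that was never charged is the signature of this scheme regardless of amount, so it is worth running the check daily over the processor's settlement report even when the dollar figures look unremarkable.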
To the merchant, these credit transactions look like refunds to customers' cards, which makes them harder to detect or delays their detection. Next week, more on this and some tips to reduce your exposure. See our homepage for information about how your business can be PCI compliant. Best of all, it's free!