
    The Importance of a Risk Assessment for Merchants

    A risk assessment is a dedicated process evaluating the likelihood of a damaging event happening. In the medical environment, it is a statistical calculation of the impact of negative side effects vis-a-vis positive outcomes with medicines or procedures; in the cloud services environment, it is a series of penetration and hacking efforts staged by a white hat service to evaluate the level of vulnerability; and so forth. For merchants processing credit card payments, it is a careful evaluation of the strength of the protections covering key attack vectors, including account creation, credit card data input and transmission, and personally identifiable information (PII) storage and retrieval.

    What Risk Merchants Should Assess

    Merchants come under the most direct attack from three directions:

    1. Customers seeking to use underhanded tactics to get something for free;
    2. Identity thieves and hackers using unauthorized or manufactured credit card data to complete deals; and
    3. Hackers breaking into systems to steal credit card data.

    Customers can use the chargeback mechanism (where they demand refunds from the card issuing bank) to gain products and/or services without paying. Identity thieves can use either stolen credit card details, or data that has been generated algorithmically, to close deals for which the merchant cannot later collect payment. And hackers are especially adept at extracting PII for use in later scams and criminal schemes.

    How Merchants Can Limit These Risks

    There is a broad range of choices merchants can use to protect themselves against fraudulent transactions. Looking at the three primary attack vectors, some of the top options for protection include:

    Customers

    • Transaction limits, which prevent customers from spending uncharacteristically large sums. Merchants can decide an upper bound of what they trust, especially from customers who have not established a purchase track record.
    • Volume limits, which limit the number of transactions an individual can close in a given time period. Merchants can decide what is a reasonable volume of transactions before becoming suspicious.
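    The two controls above, transaction limits and volume limits, as one rules check over a constructed stream of purchases (added example; the thresholds, the `LimitPolicy` names and the sample customer `c1` are hypothetical, not taken from any real merchant system):

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

Transaction = namedtuple("Transaction", "customer_id amount ts")  # one card transaction

@dataclass
class LimitPolicy:
    # Threshold values are hypothetical; a merchant sets them from its own data.
    new_customer_cap: float = 200.0     # per-transaction cap before a track record exists
    established_cap: float = 2000.0     # per-transaction cap once a track record exists
    established_after: int = 5          # approved transactions needed to count as established
    max_per_window: int = 3             # volume limit: approved transactions per window
    window: timedelta = timedelta(hours=1)

class LimitChecker:
    def __init__(self, policy: LimitPolicy):
        self.policy = policy
        self.approved = defaultdict(list)  # customer_id -> timestamps of approved transactions

    def check(self, txn: Transaction) -> str:
        history = self.approved[txn.customer_id]
        established = len(history) >= self.policy.established_after
        cap = self.policy.established_cap if established else self.policy.new_customer_cap
        # Transaction limit: an uncharacteristically large single purchase is declined outright.
        if txn.amount > cap:
            return "decline_amount"
        # Volume limit: count approved transactions still inside the sliding window.
        recent = [t for t in history if txn.ts - t < self.policy.window]
        if len(recent) >= self.policy.max_per_window:
            return "review_velocity"
        history.append(txn.ts)
        return "approve"

def run(transactions, policy=LimitPolicy()):
    checker = LimitChecker(policy)
    return [checker.check(t) for t in transactions]

# Constructed sample stream for one customer with no purchase history.
BASE = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Transaction("c1", 50.0, BASE),
    Transaction("c1", 500.0, BASE + timedelta(minutes=5)),   # over the new-customer cap
    Transaction("c1", 60.0, BASE + timedelta(minutes=10)),
    Transaction("c1", 70.0, BASE + timedelta(minutes=20)),
    Transaction("c1", 80.0, BASE + timedelta(minutes=30)),   # would be the 4th approval inside 1h
    Transaction("c1", 90.0, BASE + timedelta(hours=2)),      # earlier approvals have left the window
]
```

    Only approved purchases feed the velocity count here; whether declined attempts should also count is a policy decision each merchant makes for itself.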

    Identity thieves

    • Address Verification Service (AVS) reduces the risk of thieves using invented credit card numbers by ensuring the submitted card details match an address stored with the card network.
    • Card Verification Value (CVV) reduces the risk of thieves who have stolen the credit card number but not the card itself, by requiring that the CVV code printed on the card is correctly entered.
    • In extreme cases 3-D Secure (3DS) can be used to absolutely eliminate the use of stolen cards, as it demands not only all the normal credit card checks but also a separate authentication step with the cardholder’s issuing bank.

    Hackers

    • Firewalls are an absolute must, as are multi-factor logins for all registered and approved users of the servers behind them. They must have their firmware regularly updated, and be replaced at the slightest hint of vulnerability.
    • All sensitive data should at least be encrypted, ensuring that stolen information will be found in an unusable format. Note that all encryption/decryption keys should be stored as far removed from the encrypted information as possible - because a hacker with encrypted data and a decryption key now has everything they need.
    • For additional security, data should be stored in a third-party vault, with only tokens stored in the merchant’s system - this means that even if a hacker can penetrate the system defenses, they can only acquire meaningless strings, which cannot be reversed into the underlying cardholder data.
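    The vault-and-token arrangement just described, as an added example (not the page’s or any vendor’s code): `CardVault` stands in for the third-party vault, `MerchantDB` for the merchant’s own records, and the test card number and API key are constructed values.

```python
import re
import secrets

class CardVault:
    """Stand-in for a third-party vault (constructed for illustration, not a real product)."""

    def __init__(self):
        self._pan_by_token = {}                 # mapping lives only inside the vault
        self.api_key = secrets.token_hex(16)    # credential the merchant must present to detokenize

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        # The token is random, not computed from the PAN, so nothing in it can be
        # reversed or brute-forced back to the card number. Only the last four digits
        # are carried along, for receipts and customer display.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, api_key: str) -> str:
        # Real card data leaves the vault only for an authorised caller, e.g. at charge time.
        if not secrets.compare_digest(api_key, self.api_key):
            raise PermissionError("caller not authorised to detokenize")
        return self._pan_by_token[token]

class MerchantDB:
    """What the merchant actually persists: tokens, never PANs."""

    def __init__(self):
        self.cards_on_file = {}  # customer_id -> token

    def store_card(self, vault: CardVault, customer_id: str, pan: str) -> str:
        token = vault.tokenize(pan)
        self.cards_on_file[customer_id] = token
        return token

def pan_recoverable_from_merchant_data(db: MerchantDB, pan: str) -> bool:
    """Simulates an attacker reading the merchant's records: is the full PAN anywhere?"""
    dump = "\n".join(f"{cid},{tok}" for cid, tok in db.cards_on_file.items())
    return pan in dump

# Constructed input: a widely used test card number, not a real account.
TEST_PAN = "4242424242424242"
```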

    Using Risk Assessments to Validate System Security

    A risk assessment should be used to test for vulnerabilities against both known and unknown attack vectors. Risk assessments are not - or at least are not only - event-based activities: assessing and mitigating risks is an ongoing task. Although annual assessments and audits are a standard part of annual compliance procedures, risks should be assessed, if not at all times, then at high frequency.

    Payment systems administrators should stay up to speed with the forums and online communities of their peers - zero-day vulnerabilities are often revealed there long before vendors own up to them. Admins also need to keep an eye on the basics: strong passwords, immediate revocation of permissions for personnel leaving the company, and so forth. Regular scans should be run across the payment systems (and the other systems that connect with them), and their results carefully monitored: what seems a small issue today can become a full-scale crisis tomorrow. Run penetration and attack tests yourself frequently - and pay an outside white hat firm to regularly probe your perimeter for weaknesses that may only recently have been discovered by the security community at large.

    And don’t forget about the final line of defense: the humans. The MGM hotel and entertainment group lost control of its multi-billion-dollar empire in September 2023, reportedly through phishing attacks that may have tricked employees into sharing their passwords or even plugging infected media into the systems. Logs must be stored, studied and analyzed to identify unusual activity, and all personnel must receive regular training on how not to become the vector that lets criminals through the doors.

    Risk Assessments Are the Key to Your Security

    However many barriers you put between your business and those who would abuse it, there will never be a day when you are safe from exposure. Regular risk assessments ensure that your defenses are constantly updated to meet emerging threats, and that your business never becomes a lurid news story.
