The Top Ways Your Gateway Could Become Compromised (And How You Can Protect Yourself)

The ugly truth is every business that accepts payments via credit, debit card, or ACH is the potential target for a data breach. It is one of the most stressful situations to find yourself in and can lead to a damaged reputation on top of financial repercussions. The key to security is multiple layers of defenses; this layered approach is critical today and incorporates your employees, bank, etc.

Cybercriminals are lurking and watching for weaknesses in your defenses. Below we will discuss these malicious actors, their motivations, your risks as a business, conventional strategies of attack, and the tools, policies, and features at your disposal. With this additional knowledge, we hope you may build or enhance your multi-layer defensive strategies.

Motivation: Why are they targeting businesses like yours?

The primary motivation for these malicious entities to target your business is simple, Money. They are looking for a means to make the most illicit gains, as easily and quickly as possible.

Fraudulent strategies take several forms. The most common focus is scrubbing lists of compromised card numbers to identify ones that remain active/viable, utilizing stolen cards to purchase tangible goods that are then resold on secondary markets. Businesses are targeted to compromise their points of purchase to steal card numbers and build new lists of card numbers.

Your risks: How do these strategies work? How might they harm your business?

Fraudulent Purchases:

Traditionally, this strategy follows a pattern. A fraudulent entity makes contact with your business wishing to purchase some tangible products or materials. Once they have succeeded in having their order created, they utilize a previously compromised payment card to "pay" for these items and arrange shipping or pickup.

Typically, these entities will opt for the fastest delivery method, regardless of potential costs, as they intend to gain possession of the goods before their stolen card information is discovered.

Once they have received the products, they will immediately transfer them to unknown locations and resell them into secondary markets.

If your business falls victim to this form of attack, you won't know until days or weeks after the materials have left your door. You'll often receive a notice that the card used has been charged back and the funds debited back out of your company bank account. In these cases, you have lost the funds and the hard costs associated with purchasing those products from your suppliers.

Fraudulent orders are usually either for large quantities of products or for high dollar items, often resulting in businesses that fall victim to losing $10,000 or more.

Scrubbing Lists Of Compromised Cards: It seems a data breach makes the news cycle every month or so, and for every massive breach we hear about, hundreds of other smaller-scale compromises occur.

This myriad of ongoing breaches leads to tens of thousands of card numbers being stolen, bought, and sold on the dark web every day. But a list of compromised cards on its own has only limited value. This is because those entities buying and selling this list know that often a vast majority of cards on an unverified list have already been invalidated and will not work for new transactions.

If a malicious actor can winnow that list down to only those cards that remain active, this new list grows in value many times. It can be immediately resold at a profit or used in a second phase to complete fraudulent purchases/charges.

The best way to determine if a stolen card number is still active is to submit a transaction using that card and look at the result. If successful, then the fraudulent entity knows that card is still valid and valuable.

But, submitting these transactions must be done via a valid credit card processing account, and doing so incurs a communication fee. When attempting transactions to determine the validity of thousands of cards, these fees add up quickly. Furthermore, running thousands of transactions in a short time, the bulk of which are declined, will often lead to the processing banks flagging the credit card processing account and suspending it's access to the processing networks.

These two factors explain why the malicious actors are looking to break through your walls and access your processing accounts. They don't want to pay the fees or risk having the accounts they use in their scam shut down.

Suppose they do manage to compromise your processing systems. In that case, they may then execute their scheme, and your business is stuck staring down the resulting fees and operational interruptions as a consequence.

So what might this look like in dollars and cents? For the sake of example, let's run a realistic, round number scenario below and find out.

Say one of these fraudulent actors finds a hole in your defenses and sets up a means by which they run a list of 10,000 cards through your processing account in hours/days. Depending on the specifics of the cards used, each attempt will likely result in your account being charged total transaction/communication fees of somewhere between $0.15 & $0.35. For the sake of this example, we will use $0.25 as the average fee your business incurs. As a result of this one failure in your defenses, your business is now looking at a bill of $2500. Additional expenses are likely as a result of an interruption to your ability to process legitimate transactions and the work involved with correcting and dealing with the fallout of the attack.

Compromising Point Of Payment Systems: This type of attack is used by those committing cybercrime to compromise valid cards in circulation and create new lists of card numbers for sale and use in schemes like those described above.

A successful attack often relies upon weakness and lack of vigilance on the part of businesses keeping their electronic payments systems up to date. There are many ways weakness can occur.

The Purchase Card Industry Data Security Standards (PCI-DSS) was created so businesses can measure themselves and their systems to ensure they are implementing the necessary security protocols to protect themselves from being a victim of this type of attack.

You can learn much more about the PCI standards, how they affect your business, and find valuable resources directly from the organization in charge of maintaining these standards, here.

Suppose you do fall victim to a breach of your payment systems. In that case, it represents a risk to your business's reputation and a potential loss of clients/sales. Still, it may also result in significant financial loss due to fines, penalties, legal fees, and other costs.

The Enemy Is On The March and Looking For Weakness

Social Engineering:

The term "Social Engineering" refers to a strategy by which cybercriminals don't directly attack your software or hardware systems, but instead target your workforce. They may have access to the capabilities they wish to take advantage of.

This type of attack often relies on using your team's emotions and habits against them and is one of the most effective weapons in a cybercriminals arsenal. This is because, somewhere in your organization, at least one person has access to your ordering, payment, or security systems.

payment security is important for your gateway, learn more about how to protect your business

One example might be a malicious entity contacting a member of your sales team so the criminal may place an order for a dozen laptop computers, which need to be overnight shipped to a remote office. Everyone has been instructed they will be working from home effective in two days.

These techniques are powerful and too easy to fall for if inexperienced. Teaching your team how to avoid this well-laid trap will help you prevent a data breach.

Unprotected Online Payment Tools: If your business employs an online product marketplace that allows customers to select, pay, and have items shipped to them or offer simple electronic payment of outstanding bills, these features may put you at risk if not implemented with proper security in mind.

An online marketplace that fulfills and ships client orders without oversight controls the amount of each order or number of items that can be purchased, elevates your risk of being the victim of fraudulent purchases.

A bill pay form which allows individuals to enter their card details and run a transaction, without first verifying their identity or knowledge of the specifics of their account with your business, is an unprotected target for a card scrubbing attack.

Compromise Of Payment System Login Credentials: If criminals gain access to your payment systems' account credentials, they could hijack your processing account and increase their list of stolen credit cards.

As mentioned in the example above, even a relatively small list of 10,000 cards can easily result in $2500 or more fraudulent transaction fees for your business.

Outdated Hardware And Software: When the systems used to accept payment from customers are not maintained and updated regularly, they may open you to an attack designed to compromise the cards used by your customers and allow cybercriminals to generate new lists for sale and use across their criminal enterprises.

These updates and maintenance cycles are critical considerations for your payment software, the computers and networks through which the software communicates, and even the point of purchase devices designed to interact with the customer's payment card.

What Defense Options Do I Have?

Your team is both your greatest security asset and liability.

Your team is the first line of defense that must remain vigilant to external and internal threats to the business. A touch of paranoia or suspicion is necessary for this day and age for every member of your team to maintain a state of constant vigilance.

Thus, it is important to give guidance and training to every team member on the threats they face, like suspicious urgency or out-of-character email requests. Not only these, and others mentioned above, but many more. Further, this training must not be a one-time occurrence, but something reinforced regularly.

In addition to regular training, supporting your team members to follow strict operational security policies is another vital component to assuring their success and the strength of your defenses. A couple of examples include:



Physical Acceptance Devices

Need help with gateway security?

This guide is meant to help you address any potential weak points within your business, but it's only the beginning. If you want to implement any of these additional security features in your business and develop a dedicated multi-layer security approach, reach out to our support team with any questions @ [email protected].

Should I Be Using a Payment Gateway or a Virtual Terminal?

Selecting the right payment processing solution can be confusing. One of the most common misconceptions is understanding what the difference is between a payment gateway and a virtual terminal.

Aren’t they the same thing? Well no, but for your business to accept online payments with ease, you’re going to want a payment gateway.

So let’s talk about payment gateways, virtual terminals, and what they do for your business.

What they do

The best way to explain what they do for your business is to define what each of them does.

Virtual terminal

A virtual terminal is an internet-based facilitator of electronic payments. It allows you to key in and process transactions using any computer (or smart device) with an internet connection.

In practice, this involves logging into a secured page on a standard browser and using a built-in menu to process payments. It’s similar to a physical card reader, except all the data is typed into the page instead of swiping the card or reading the card’s chip.

Payment gateway

A payment gateway works to route transactions from your virtual terminal to the processor and verifies the transactions for authenticity.

The payment gateway is integrated into your website, typically used with a shopping cart and checkout solution. A payment gateway without a virtual terminal can also capture and process transactions, but it only will work from the customer’s end through your website. The virtual terminal is what enables you to go in and process a transaction as a merchant.

Now that you understand what each solution does respectively, you can see why you would need them both. You need a payment gateway to process the payments you take on your website. You also need the virtual terminal to take payments on your website, especially if you are running an E-Commerce site.

You may find that payments aren’t always obtained via an online shopping cart and checkout solution, so a virtual terminal would be preferred for other methods (like mobile, over the phone, and even in-person).

Struggling to accept online payments or your E-Commerce site?

Contact us, and we’ll be happy to determine the best solution for your online business.

What to Look for in a Payment Gateway Provider

The future is bright for online stores! Technology keeps evolving rapidly, making it easier than ever to open your own business and sell products online as an E-Commerce store. Using a payment gateway to service your online store is essential, but choosing a provider is sometimes tricky.

A payment gateway is a system that transmits secure credit, debit and ACH information across the Internet from the merchant to their credit card processing company. Online payment gateways can be used in many different ways.

Often times payment gateways seem like they are only designed to offer you the bare minimum service of running transactions online for you. However, there are more advanced features you should look for when shopping for a payment gateway provider.

Good service.

When your E-Commerce site is struggling to take payments, your business is helpless. Unlike a brick-and-mortar store, you can’t accept cash or a paper check. You want a service provider who will call you back and get your gateway up and running.

Accounting software integration.

Do you use QuickBooks accounting software for your business? Some payment gateway providers don’t integrate with QuickBooks, or other accounting softwares, meaning you’ll have to do manual data entry. Look for a payment gateway that will integrate with your accounting software, saving you the extra time spent on manual data entry.

Electronic invoicing.

Electronic invoicing enables merchants to invoice customers via email, and allows customers to make a payment by following an embedded link to their payment gateway provider.

Not all providers do this. So be sure to ask about electronic invoicing when selecting a payment gateway provider.

Looking for a solution?

Are you looking for a payment gateway provider that does all the points listed above? We were too when we first started, so we developed our own.

The BNG Payment Gateway is an online payments processing gateway custom built for BNG Holdings, Inc. It has features and functionality that are years ahead of competing gateways.

The BNG Payment Gateway can be used in almost any type of business. It integrates into third party software applications and E-Commerce shopping carts. By utilizing BNG Swipe Software, merchants can accept credit cards in person as well as online.

One key advantage of the BNG Payment Gateway, is that it allows merchants to use one tool(need better word?) to process multiple payment methods.

All of the transaction information for these different payment methods are all searchable and reportable in one place, in real time, which makes reconciling transactions easy and convenient.

Want to take payments smarter?

Read about the success these merchants had with their credit card processing.