Common Cyber Crimes Facing the Payments Industry

There is little doubt that an Account Data Compromise (ADC) would be detrimental to the operational effectiveness of any business. However, to organised criminal groups it can be an easy way in which to generate funds for criminal gain. In the 21st century, it can be easier for a criminal gang to commit cyber crimes, such as raiding the credit card details of a poorly maintained website, than to raid a high street bank.

The favoured methodology of website hackers is to exploit poorly written and unsecured websites and then seek to locate the credit card information held within. By focusing on weaker websites in this way, and ensuring that the total level of card fraud is not too high, many of the hackers simply take the 'low hanging fruit' and go unnoticed until it is too late.

Often exploiting the same common vulnerability across multiple different hosts, for example an authentication weakness in a popular shopping cart, allows the hacker to simply trawl the Internet for those websites that use that shopping cart to exploit and collect the reward. No organisation wants to fall foul to cyber crimes and therefore in order for them to protect themselves against a potential information security breach, certain steps should be taken to reduce susceptibility to the most common types of breaches.


The unlawful access to a system that is used by a merchant is on the whole in breach of section 1 of the Computer Misuse act and in the real world, stealing of cardholder data is more than likely to be associated with the stealing of PII (Personally Identifiable Information). Therefore, once a data breach has occurred, it can easily escalate from an exercise where the card brands are requesting their card numbers to be returned, to the local law enforcement agency mounting a personal data loss investigation.

Cardholder data breaches, that are the result of cyber crimes, are increasing raising interest within the various law enforcement and data protection agencies around the EU. Although currently each member state takes a different view on how to deal with the consequences of cyber crimes, growing public awareness on the issue could see law enforcement take a heavier, more legal based role in the near future.

Protecting Your Organisation

There are no hard and fast rules to ensure that your website is safe and secure from the persistent threat of cyber crimes. However, there are some actions that organisations can take to help avoid large fines for the misuse and loss of cardholder data. Below are 10 helpful tips for organisations seeking to become more proactive;

1. Get PCI DSS compliant. Look at your merchant agreement with your acquirer, it will state that you need to be PCI DSS compliant;

2. Plan, Plan, Plan - you don't know when the event might happen but an incident response plan and regular testing of this plan will pay dividends in the event of a breach;

3. Suppliers - know who your suppliers are and also what cardholder data they may or may not be processing on your behalf. They will need to be PCI DSS compliant and could easily be your weak point in the protection of cardholder data;

4. PFI Company - if there is a breach, one may be turning up at your door and asking questions that you might not immediately know the answer to. Pre-appointing a PFI and talking to them about what happens in a breach will iron out any potential problems;

5. PR Response - should the worst happen and your businesses' reputation is on the line, have a pre-planned public response; a response prepared beforehand is far better than a response drafted in the heat of the moment;

6. Policy - one of the easiest ways to mitigate the risk that a breach represents is to ensure that policies and procedures are robust enough to reduce the chance of a cardholder breach and also have the flexibility to respond if a breach occurs;

7. Data Protection - the legal and compliance authorities are becoming more interested in ensuring that the cardholder data that merchants process and the personal information they obtain is kept within the realms of the merchant, and does not get into the hands of the hackers. Whilst the card brands could fine an organisation for the miss-use and/or loss of cardholder data, the data protection authorities can also stop a merchant processing cardholder data;

8. Acquisition of evidence - should an external party be required to investigate a breach, a lot of time, energy and effort can be saved by allowing the external investigative party to investigate and acquire the data. The more that the data is tampered with before a forensic investigation is carried out, the less information can be found out about what actually happened;

9. Check your liabilities - ensure that you have the correct contracts; it may be that your 3rd party has provided you with a 'managed' firewall but what does that mean? You may only find out when a hacker has already taken your customer's cardholder information away;

10. Don't Panic -If the worst should happen, act with a clear head and don't make rushed decisions that could affect the outcome at a later stage.

Signing a Yearly Contract With a Host

A web hosting provider has different payment plans and you can make the payment on weekly, monthly, biannually, or on yearly basis. As with most of the other services, the total cost of yearly payment in advance is less than monthly or weekly payment, and so you are tempted to sign up for yearly contract. With increased competition, a yearly agreement secures at least one year's earning for the host. But you should be careful and should do your homework well before signing up such a contract to save a few bucks. A few points that may help you decide to sign for a yearly contract are listed here.

  • A yearly contract is beneficial if your site requires frequent updates in content or in graphics. You feel secure that your site is safely hosted at a server. It helps you focus on updating the sites and on your business without thinking about new hosts and their plans.
  • Read the contract carefully and see if there is a clause of canceling the contract. If your host fails to provide you any promised service, such as - the connection speed is slow, or frequent downtime, you can terminate the contract only if such a clause is there in the contract. However, you will be bound by the contract if you can not cancel it, and that would affect your business.
  • The canceling clause can also involve making some payment for discontinuing with the services. The host may agree to accept some payment and you can settle down on a reasonable amount.
  • Before you sign the contract, show it once to somebody who knows legal aspects of business and is aware of cyber laws. Paying to this person can be a better option rather than signing an enforced contract.

However, a yearly contract gives you an advantage only if your host is reputed and genuine, and has gained positive feedback from market and its existing customers.