The ability to accept online payments for goods and services is generally considered a good idea for businesses of all sizes, allowing transactions to take place when the buyer is not physically present. Obvious benefits include convenience, the ability to purchase from any Internet-ready device, and no requirement to travel to the store, which translates to increased profits and the potential to attract clients from other locations, whether national or international.
Unfortunately, as with any use of technology there are always risks to consider when financial data is shared, whether you decide to use a merchant account, payment gateway or a combination. Loss of such data has serious implications for companies, leading to an impact on reputation, fines for lack of compliance and even bankruptcy in some cases.
According to a recent survey from PricewaterhouseCoopers LLP, cyber crime is now the second most reported economic crime, with more than one third of the 6,300-plus respondents indicating they were victims of cyber crime in the last 24 months. In first place for 2016 is asset misappropriation, which includes accounting fraud, reflecting 62% of reported incidents.
In technical terms, these problems are easy to detect. What is more worrying is the rise in cyber crime figures, combined with the fact that only 37% of polled organizations have any sort of cyber incident response plan.
How can companies identify risks in their IT infrastructure and protect themselves and their customers from cyber criminals?
Identify your Risks and Weaknesses
Your company size or industry matters little; what matters to hackers is the data you hold, and it is of considerable value to them. Any company that processes credit card information needs a clear understanding of how customers pay for goods or services.
When a transaction is processed, where is the data stored?
In most cases, the transaction takes place in a remote data center in the cloud and no financial data is stored on your servers. This is probably the best method; PayPal is just one leading payment gateway that uses a hybrid cloud in its operations. However, if your transactions take place on your own website, whether or not PayPal handles the transaction, some information is stored on your Web server before the data is transmitted. If you use proprietary or customized shopping carts, you will also need to know the communication path involved.
Is data encrypted?
Companies need to ensure that all financial data is encrypted at all stages of the purchasing processes, regardless of the payment solution selected.
How about PCI-DSS?
Secure websites are considered the norm and are easily identified in internet browsers by the ‘https://’ designation or by the ‘lock’ symbol. Ongoing compliance with the PCI-DSS standard is essential and mandatory for providers of financial services. Company decision makers should familiarize themselves with all aspects of this standard; becoming compliant is an easy way to assure customers of the company's legitimacy and security awareness. Industry practice is to ensure that all companies, service partners and cloud service providers are PCI-DSS compliant, so that all confidential data remains encrypted during its journey from buyer to payment provider.
Part and parcel of enhancing your security posture is identifying the level of training necessary for three levels of employee, namely general staff members, middle management and senior executives or IT experts. Your exact requirements are determined by the value of the data you hold and the payment methods employed. If you consciously decide not to store financial data on your own servers, then security concerns are the responsibility of your service provider. Ensure your selected service providers are all PCI-DSS compliant and meet other security expectations.
However, even if financial data is of little concern, other data is present, and you will need IT security experts to make life difficult for cyber criminals and, of course, to detect breaches and ensure ongoing compliance with applicable security standards and guidance materials. In addition to PCI-DSS, these could include some or all of the following:
- HIPAA for companies in the healthcare sector
- ISO 27002
- ISO 27001
- COBIT 5
IT Security experts are in high demand globally and according to Cybrary’s Cyber Security Job Trends Report, there are more than a million positions open around the world. In fact, the demand is 12 times the growth of the total labor market.
How does your company measure up in terms of security awareness training, IT security and cyber-attack response plans?
Keep your data secure – hire an IT Security Expert!
Our candidates will make sure your data and information doesn’t end up in the wrong hands. Contact one of our 60 offices across the United States to find the candidate you’ve been looking for!