In the final part of our Cybersecurity Awareness Month series, we’re going to look at what a complete merchant security offering looks like and how it enables you to keep your merchants ahead of today’s emerging cyber threats (while securing your own business and unlocking new revenue streams in the process).
Cybersecurity as a Core Principle
Security should be at the core of everything you do. Payments are a favorite target for cyber criminals because of both value and volume. The best way to ensure you and your merchants are secure is to treat security as a baseline necessity rather than an add-on and work to meet security compliance guidelines.
PCI Compliance Built-In
PCI compliance is the first line of defense against cyber threats. One of the best things you can do for your merchants is to ensure that every system and partner product you offer is fully PCI Level 1 compliant.
The easiest way to do that is to get your payment offerings through a partner with the resources and experience to guarantee full PCI compliance. The right partner will free up resources while ensuring your merchants have access to services backed by a history of:
- Successful payments security
- Regular penetration testing
- Annual audits
- The direct stamp of approval from Visa and Mastercard
Full GDPR Compliance
In addition to the PCI-DSS, it’s also crucial to find partners that comply with the strict rules of the European General Data Protection Regulation (GDPR). Compliance with the GDPR ensures payment data is secure for merchants and consumers in the European Union and around the globe. Regardless of the regions you serve or where your merchants sell, your payment offerings should always be fully GDPR compliant.
Walled-Off Access to Payment System Components
Each payment system should separate networks and access points into compartments. This will limit access to crucial systems from the outside world and your partners. Good compartmentalization, combined with two-factor authentication on internal and external account access, makes your backend payment systems and networks well-secured against cyber threats.
Whether you’re a large payment provider building your own custom systems or using an all-in-one platform like NMI, ensuring software is as compartmentalized as possible is a crucial step toward mitigating cyber threats.
Beyond internal and backend payment systems, it’s critical to offer merchants security services they can opt into based on their unique needs. From data tokenization and point-to-point encryption to complete off-site data storage and beyond, value-added security offerings enable your merchants to choose the level of security they need, mitigating risk and improving their overall experience.
In addition to increasing security for your merchants, value-added security services also open up a new revenue channel for you—a true win-win. Encryption and off-site data storage are two of the most popular security add-ons for merchants.
Taking Customer Data Encryption to the Next Level
Whether customers are paying online or in-store, merchants must find ways to protect their customers’ sensitive data. One of those ways is through tokenization—the complete replacement of encrypted payment data with a separate token that can’t be cracked or converted back to raw card information.
Another way is through point-to-point encryption (P2PE), which encrypts customer data and ensures it’s protected within the payment terminal as soon as a customer taps or inserts their card. Offering merchants tokenization and P2PE is a great way to ensure customer data is protected at the source.
Separating Merchants from Customer Data Entirely
Merchants offering one-click checkouts and subscription services face unique risks. For these services to work, they must store customer payment data for future use. Unfortunately, storing customer data can open the door to cyberattack and saddles them with higher PCI compliance requirements.
Thankfully, you can help your merchants avoid both by offering them a way to store their saved payment data on secure external servers instead of their own.
Off-site payment data storage, like the NMI Customer Vault, holds payment information on servers the merchant has no access to. Instead, the vault issues tokens that merchants can use to trigger payment data whenever they need it.
This solution isolates the merchant from their customers’ payment data (and from any associated liability). It's a low-friction, high-value solution to a significant security problem, enabling merchants to enjoy the benefits of recurring billing without the risks.
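The vault-and-token arrangement described above, sketched as an added example. It is not NMI's code or the Customer Vault API; the `Vault` class, its methods and the merchant IDs are hypothetical, and the card number is a constructed test value.

```python
import secrets


class Vault:
    """Toy off-site vault: card data stays here; callers only ever see tokens."""

    def __init__(self):
        # token -> (merchant_id, pan, expiry); never returned to a caller
        self._cards = {}

    def store(self, merchant_id: str, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a card number")
        # The token is random, not derived from the PAN, so there is
        # nothing in it to crack or convert back to card data.
        token = secrets.token_urlsafe(16)
        self._cards[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        record = self._cards.get(token)
        # A token only works for the merchant it was issued to, so a
        # token copied from one merchant's database is useless elsewhere.
        if record is None or record[0] != merchant_id:
            return {"approved": False, "reason": "unknown token"}
        _, pan, _ = record
        # A real vault would forward the PAN to the processor at this point.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def demo():
    vault = Vault()
    test_pan = "4111111111111111"  # constructed test card number
    token = vault.store("merchant-a", test_pan, "12/30")
    merchant_db = {"customer-1": token}  # everything the merchant keeps
    ok = vault.charge("merchant-a", merchant_db["customer-1"], 1999)
    wrong_merchant = vault.charge("merchant-b", token, 1999)
    return token, merchant_db, ok, wrong_merchant
```

The merchant's own database holds only the token, which is what keeps the card data out of its systems.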
Stopping Fraud with Advanced Detection
The other side of the cybersecurity coin is fraud. A complete merchant security offering will include various anti-fraud systems to tackle payments fraud from multiple angles. Several levels of screening will make it difficult for fraudsters to slip through the cracks, leaving merchants more protected.
Authenticating Buyers with 3DSecure
One of the first lines of defense is verifying the buyer's identity when a payment is submitted. The easiest way to do this is by enabling merchants to verify customers using 3DSecure technology developed by Visa and Mastercard.
When a customer makes a purchase, 3DSecure prompts them through Verified by Visa or Mastercard SecureCode to enter their password or a one-time verification sent by SMS. This quick additional step can reduce fraud by up to 40%, making 3DSecure an easy choice for many merchants.
Catching Fraudulent Transactions with Rules-Based Fraud Prevention
Rules-based fraud detection is a basic screening system that enables merchants to set custom rules for which transactions they accept and which should be quarantined or denied. Whenever a customer pays, the system compares the available payment data to those pre-set rules. If any red flags are triggered, the suspicious or fraudulent payment can be stopped before it can do any damage.
This type of anti-fraud system is available from various payment processors and third-party companies, and it’s the absolute minimum you should be offering merchants looking for advanced fraud protection.
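A minimal sketch of the rules-based screening described above, added as an example and not taken from any processor's product. The rule names, thresholds and transaction fields are assumptions, and the sample transactions are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# The three outcomes named in the text, ordered by severity.
ACCEPT, QUARANTINE, DENY = 0, 1, 2
LABELS = {ACCEPT: "accept", QUARANTINE: "quarantine", DENY: "deny"}


@dataclass(frozen=True)
class Rule:
    name: str
    triggered: Callable[[dict], bool]
    action: int


# Hypothetical merchant-defined rules; fields and thresholds are assumptions.
RULES = [
    Rule("amount_over_limit", lambda t: t["amount_cents"] > 500_00, QUARANTINE),
    Rule("country_mismatch", lambda t: t["billing_country"] != t["ip_country"], QUARANTINE),
    Rule("velocity", lambda t: t["attempts_last_hour"] >= 5, DENY),
    Rule("blocked_country", lambda t: t["ip_country"] in {"ZZ"}, DENY),
]


def screen(txn: dict, rules=RULES):
    """Return (decision, triggered rule names); the most severe action wins."""
    decision, hits = ACCEPT, []
    for rule in rules:
        try:
            fired, action = rule.triggered(txn), rule.action
        except KeyError:
            # A rule that cannot be evaluated must not pass silently:
            # missing data holds the payment for review.
            fired, action = True, QUARANTINE
        if fired:
            hits.append(rule.name)
            decision = max(decision, action)
    return LABELS[decision], hits


# Constructed sample transactions.
SAMPLES = {
    "normal": {"amount_cents": 42_00, "billing_country": "US",
               "ip_country": "US", "attempts_last_hour": 1},
    "mismatch": {"amount_cents": 42_00, "billing_country": "US",
                 "ip_country": "CA", "attempts_last_hour": 1},
    "rapid_retries": {"amount_cents": 1_00, "billing_country": "US",
                      "ip_country": "US", "attempts_last_hour": 9},
    "incomplete": {"amount_cents": 42_00, "billing_country": "US"},
}

if __name__ == "__main__":
    for label, txn in SAMPLES.items():
        print(label, screen(txn))
```

Returning the names of the triggered rules alongside the decision lets a reviewer see why a payment was quarantined or denied.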
Putting Artificial Intelligence to Work to Sniff Out Stealthier Fraud
Merchants looking for even more protection can opt for advanced AI-powered fraud prevention, like Kount. Kount uses machine learning to continually refine its fraud detection algorithms. It does this with the help of data generated by billions of transactions.
AI-powered solutions ensure merchants are protected from fraudulent payments and false positives. Merchants opting for systems like Kount can sleep well knowing that their transactions are screened by the most advanced, comprehensive and accurate system available.
Improving Security in Back-End Processes
Interactions with merchants on a provider–customer level can leave you vulnerable. For the best protection, your backend operational processes and non-payment systems must also be secured.
Secure Merchant Relationship Management
Your merchant relationship management system (MRM) is the nerve center of your operations. A great MRM will centralize sales, support, residuals management, marketing and many other tasks. Unfortunately, because MRMs are huge databases of valuable merchant information, they are potentially lucrative targets for attackers.
In addition to finding a reliable solution provider, your MRM (or CRM) must be fully PCI Level 1 compliant. This will protect the customer data that drives your business against external threats.
Catching Merchant Fraud Early (and Often)
Fraudsters don’t only attack end-consumer payments. Merchant fraud—cases where merchants lie on their service applications to get around underwriting or access lower fees—is also a problem. The best way to mitigate the risks of merchant fraud is to ensure every applicant you process undergoes thorough and consistent underwriting.
The problem is that deep, thorough due diligence is expensive and time-consuming. Thankfully, AI-driven underwriting systems solve that problem. These solutions enable you to perform accurate and consistent checks on every new merchant in just a few minutes.
Some systems, like Agreement Express (an NMI company), also enable you to monitor merchants as they sell to ensure you can catch any changes in their behavior or risk profile.
Let NMI Help You Secure Your Merchants' Futures Today
In an industry like payments (that is evolving and digitizing at a breakneck pace), staying ahead of cyber threats is a task beyond the means or abilities of most merchants. NMI solves that problem by offering you and your merchants turnkey access to a comprehensive shield against cyberattacks and digital payment fraud.
To learn more about how NMI’s modular payments platform and value-added services can help you and your merchants stay safe, reach out to a member of our team today.