Reseller Newsletter - October 2005
- Help Prevent Identity Theft
- Adhere to Industry Security Standards
- Use Strong Passwords
- Use Advanced Fraud Tools
- Implement Strong Security
- Beware of Scams
Imagine someone with the boldness of a general, the ingenuity of MacGyver, and the brains of a Soviet spy.
It isn't James Bond.
It's an Internet fraudster.
Fraud is a very real threat in today's Internet community. At a recent Bank Card Conference, John Shaughnessy, senior vice president for fraud prevention at Visa USA, said, "[Hackers] are very, very good at what they're doing, and they're a few steps ahead of us in a couple of areas. They've done their homework about the payments system and because of (them), we all have a chance to lose some sleep at night" (Reuters, "Online fraud 'ahead' of credit-card companies-experts").
Authorize.Net is committed to helping you and your merchants proactively protect yourselves and your customers from being victimized by fraud. Read on to learn more about what you and your merchants can do to increase information security and protection from fraud.
Help Prevent Identity Theft
Identity theft occurs when someone steals and uses another person's or business's identity for personal gain. It happens every day to people and businesses worldwide. You can help protect yourself, your business, and your merchants from identity theft by following the practices listed below:
Information Acquisition
- Be sure to collect all information in a secure manner. Work with your information technology personnel or Web developer to implement secure processes.
- Avoid letting potentially sensitive information sit unattended on the fax machine. Try to pick up sensitive information as soon as it arrives.
- If you require sensitive information to process a service application, only request the information that you absolutely need. Do not ask for unnecessary sensitive information such as social security number, driver's license number, etc.
- Do not require customers to provide sensitive information via insecure methods.
Information Storage
- Use strong security measures for storing data on your computer systems. Remember that the payments industry requires security compliance of all service providers and merchants that store or process sensitive customer information.
- If you store sensitive data (including card code values), it must be encrypted or masked.
- Lock up any hard copy documents containing sensitive information.
Data Access
- Restrict access to your merchant or customer data on a need-to-know basis. Make sure that all user access is authenticated or password-protected.
- Perform background checks for any employees with access to merchant or customer data.
- Change passwords regularly, especially after employee turnover.
Information Disposal
- Be sure all electronic and paper documents containing merchant or customer information are permanently deleted, shredded, or otherwise rendered unreadable prior to disposal.
Information Distribution
- Never send sensitive information via email.
- Leave discreet voicemail messages. Do not leave detailed messages involving sensitive information that can be overheard.
- Make copies carefully. Always remove and retain originals from the copy machine when making copies of sensitive documents.
- Do not cut and paste potentially sensitive information from any proprietary or confidential business application into emails or otherwise distribute sensitive information insecurely to customers.
- Only share customer data with internal personnel on a need-to-know basis.
- Do not discuss sensitive information where it can be overheard.
General Security
- Check the Internet regularly for phony copies of your Web site. If you find a "spoof site," contact the Web site's provider immediately.
- Implement industry standard computer systems security and keep virus detection, firewall, and other prevention solutions updated.
- Only download software and files from sources you trust. Files from the Internet might include spyware or viruses that can compromise your security.
- Only use, or interface with, proprietary or confidential business applications on networks or the Internet in the manner in which they were designed. For example, to avoid the possibility that a shortcut to the Reseller or Merchant Interface might break with a payment gateway update, you and your merchants should enable cookies instead of using an unsupported screen-scraping program.
- Keep your external mailbox empty. Never leave outgoing or incoming mail in boxes overnight.
- Be careful with your work ID or access badge. Keep ID badges, office keys, and building entry codes in a secure place. If lost, contact your employer immediately to deactivate badges or change locks and codes. You might consider using generic badges without logos or other company information to avoid the risk of a security breach in the event that the badge is lost.
- Remove all sensitive materials from your immediate work area when you're not using them or at the end of the day. Be sure to lock sensitive materials in the appropriate file cabinets, desk drawers, etc.
- Keep operating-system patches up to date.
(Sources: Visa USA and the Identity Theft Resource Center)
You can learn more about protecting yourself and your merchants against identity theft by visiting the Federal Trade Commission's Web site at http://www.consumer.gov/idtheft or the Identity Theft Resource Center at http://www.idtheftcenter.org.
Adhere to Industry Security Standards
The Payment Card Industry (PCI) Data Security Standard is a security initiative designed to standardize industry security requirements for storing, transmitting, and processing cardholder data. PCI combines and expands on Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP) Program. By complying with PCI standards, you and your merchants can be assured that cardholder data is being processed according to the highest payments industry security standards.
IMPORTANT: Please note that if your organization collects and stores cardholder information, either for your merchants or your merchants' customers, you are required to certify your compliance with the Service Provider level PCI requirements. For more information about PCI requirements for merchant service providers, please see https://sdp.mastercardintl.com/pdf/pcd_manual.pdf and https://sdp.mastercardintl.com/.
Authorize.Net highly recommends that your merchants also become PCI compliant regardless of the size of their business or transaction volume. To support your merchants' efforts to increase security, Authorize.Net has partnered with AmbironTrustWave, a leading data security and compliance services provider that offers convenient and affordable PCI compliance tools. Since the level of PCI compliance varies according to yearly transaction volume, AmbironTrustWave can also advise your merchants about the level of PCI compliance required for their business. For more information about AmbironTrustWave's services and pricing options, please instruct your merchants to visit https://authorizenet.trustkeeper.net. They will need to register in order to log in.
Please note that Authorize.Net is not directly involved with establishing, evaluating, or validating PCI compliance requirements. Please instruct your merchants to contact their acquiring banks with questions about the PCI Data Security Standard or general compliance.
Use Strong Passwords
One of the easiest and most significant ways you and your merchants can increase information security is to use and securely store strong passwords. Whether it be for computer networks, software programs, confidential files, or online access to financial and payment gateway accounts, strong passwords that are difficult to guess or generate can significantly decrease the chances of confidential information becoming compromised. The following guidelines will help you and your merchants select strong passwords:
- Choose passwords that are at least seven characters in length and include a combination of uppercase and lowercase letters, numbers, and symbols.
- Do not use dictionary words, either forwards or in reverse, and do not use passwords that are simply a dictionary word with numbers added at the beginning or end.
- Avoid using dictionary words with a common symbol for letter substitutions, for example $ for "s."
- Never use a payment gateway login ID as part of a password.
- Do not use blank passwords.
- Do not reuse previous passwords.
- Never use personal information that can be easily discovered or guessed (e.g., license plate number, child's name, birth date, middle name, etc.).
- Never share passwords with anyone.
- Never write passwords down.
- Do not enable settings that allow a Web browser to "remember" passwords. Change passwords on a regular basis, especially when employee turnover occurs.
For additional information about passwords, please read Authorize.Net's Password Policy White Paper.
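As an added illustration, not code from the newsletter or from Authorize.Net, the following Python function encodes the password guidelines above as a checker that reports every rule a candidate password violates. The word list and the symbol-substitution table are constructed assumptions standing in for a real dictionary.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would load one).
DICTIONARY = {"password", "welcome", "summer", "merchant", "gateway", "secret"}
# Common symbol-for-letter substitutions the newsletter warns about ($ for "s", etc.).
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

def _contains_dictionary_word(text: str) -> bool:
    """True if any dictionary word appears forwards or reversed in text."""
    lowered = text.lower()
    return any(w in lowered or w[::-1] in lowered for w in DICTIONARY)

def check_password(password: str, login_id: str = "", previous: tuple = ()) -> list:
    """Return the newsletter rules the password violates; an empty list means it passes."""
    if not password:
        return ["blank password"]
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    required = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(p, password) for p in required):
        problems.append("missing uppercase, lowercase, digit or symbol")
    # Digits tacked onto either end do not rescue a dictionary word ("summer99").
    core = password.strip("0123456789")
    if _contains_dictionary_word(core):
        problems.append("contains a dictionary word (forwards or reversed)")
    elif _contains_dictionary_word(core.translate(LEET_MAP)):
        problems.append("dictionary word with symbol substitutions")
    if login_id and login_id.lower() in password.lower():
        problems.append("contains the login ID")
    if password in previous:
        problems.append("reuses a previous password")
    return problems
```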
Use Advanced Fraud Tools
The Authorize.Net Payment Gateway includes integrated fraud tools as standard features of every account, such as Address Verification Service (AVS) and Card Code Verification (CVV/CVC2/CID), which provide merchants with general protection from fraud. However, to proactively fight and prevent fraud, it is highly recommended that your merchants use advanced fraud detection tools that are designed to single out fraudulent transactions.
The Fraud Detection Suite (FDS) is composed of several filters and tools that work together to evaluate transactions for indications of fraud. Their combined logic provides a powerful and highly effective defense against fraudulent transactions.
- Amount Filter – Uses lower and upper transaction amount thresholds to restrict high-risk transactions often used to test the validity of credit card numbers.
- Velocity Filter – Limits the total number of transactions received per hour, preventing high-volume attacks common with fraudulent transactions.
- Shipping-Billing Mismatch Filter – Identifies high-risk transactions with different shipping and billing addresses, potentially indicating purchases made using a stolen credit card.
- Transaction IP Velocity Filter – Isolates suspicious activity from a single source by identifying excessive transactions received from the same IP address.
- Suspicious Transaction Filter – Reviews highly suspicious transactions using proprietary criteria identified by Authorize.Net's dedicated Fraud Management Team.
- Authorized AIM IP Addresses – Allows merchants submitting Advanced Integration Method (AIM) transactions to designate specific server IP addresses that are authorized to submit transactions.
- IP Address Blocking – Blocks transactions from IP addresses known to have been used in fraudulent activity.
To learn how merchants have used FDS to prevent fraudulent transactions, see Authorize.Net's FDS Case Study.
For more information about FDS, please read the Fraud Detection Suite White Paper.
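As an added example, not Authorize.Net's own code, here is a simplified Python model of how the FDS filters listed above combine when a constructed card-testing burst is evaluated. The thresholds, IP addresses, ZIP codes and the per-hour bucketing are assumptions; the Suspicious Transaction Filter is left out because its criteria are proprietary.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Transaction:
    tx_id: str
    amount: float
    source_ip: str
    billing_zip: str
    shipping_zip: str
    ts: int  # arrival time in seconds; the velocity filters bucket it by hour

@dataclass
class FdsConfig:
    min_amount: float = 1.00    # Amount Filter lower threshold (assumed value)
    max_amount: float = 500.00  # Amount Filter upper threshold (assumed value)
    max_per_hour: int = 20      # Velocity Filter: total transactions per hour
    max_per_ip_hour: int = 5    # Transaction IP Velocity: per source IP per hour
    blocked_ips: set = field(default_factory=set)         # IP Address Blocking
    authorized_aim_ips: set = field(default_factory=set)  # empty = unrestricted

class FraudDetectionSuite:
    def __init__(self, cfg: FdsConfig):
        self.cfg = cfg
        self.per_hour = defaultdict(int)
        self.per_ip_hour = defaultdict(int)

    def evaluate(self, tx: Transaction) -> list:
        """Return the names of every filter this transaction trips."""
        cfg, hits, hour = self.cfg, [], tx.ts // 3600
        if tx.source_ip in cfg.blocked_ips:
            hits.append("IP Address Blocking")
        if cfg.authorized_aim_ips and tx.source_ip not in cfg.authorized_aim_ips:
            hits.append("Authorized AIM IP Addresses")
        if not cfg.min_amount <= tx.amount <= cfg.max_amount:
            hits.append("Amount Filter")
        if tx.shipping_zip != tx.billing_zip:
            hits.append("Shipping-Billing Mismatch Filter")
        self.per_hour[hour] += 1
        if self.per_hour[hour] > cfg.max_per_hour:
            hits.append("Velocity Filter")
        self.per_ip_hour[(tx.source_ip, hour)] += 1
        if self.per_ip_hour[(tx.source_ip, hour)] > cfg.max_per_ip_hour:
            hits.append("Transaction IP Velocity Filter")
        return hits

def card_testing_burst() -> dict:
    """Constructed sample: eight $0.50 probes from one IP, then a blocked-IP order."""
    fds = FraudDetectionSuite(FdsConfig(blocked_ips={"203.0.113.9"}))
    results = {}
    for i in range(8):
        tx = Transaction(f"probe-{i}", 0.50, "198.51.100.7", "10001", "10001", 1000 + 60 * i)
        results[tx.tx_id] = fds.evaluate(tx)
    odd = Transaction("order-x", 120.00, "203.0.113.9", "10001", "94105", 2000)
    results[odd.tx_id] = fds.evaluate(odd)
    return results
```

The low-value probes trip the Amount Filter from the first transaction, and the IP velocity filter joins in once the same address exceeds five in the hour, which is the layered effect the newsletter describes.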
Implement Strong Security
The Authorize.Net Payment Gateway employs the latest 128-bit Secure Sockets Layer (SSL) technology and is compliant with industry-leading encryption and security protocols that safeguard customer information. In addition to this protection, there are several security guidelines you and your merchants can implement in your daily business to avoid e-commerce fraud.
- Network Blocks and Filters – Set network parameters that block or filter unwanted files such as adult content, spam, pop-ups, spyware, viruses, and illegal downloads.
- Employee Use – Monitor employee use of the Internet, including excessive use of bandwidth, personal surfing, and inappropriate viewing and downloading. Also train employees to keep information available on the Reseller Interface confidential to the company. Employees should never cut and paste information provided in the Reseller Interface to email or send to customers. This also applies to your merchants' use of the Merchant Interface.
- Access – Be sure to access your Reseller Interface and instruct your merchants to access their Merchant Interface accounts appropriately via documented methods. Enable cookies instead of using possibly insecure shortcuts such as screen-scraping programs that might potentially break with a payment gateway update.
- Hardware – Use proper hardware to enable a sufficient firewall and encryption capability.
- Software – You should always use virus protection software and keep operating-system patches up to date.
- Communication Security – Authorize.Net highly recommends using SSL digital certificates to protect communications.
- Connection Method – If using an SSL digital certificate, merchants should connect to Authorize.Net via the Advanced Integration Method (AIM). AIM is the preferred payment gateway connection and offers the highest level of customization and security. The AIM Implementation Guide is available here.
- Web Site Programming – Encourage your merchants to talk to their Web developer about optimizing the security of their payment gateway integration code. For example, if a merchant hosts their own payment form, advise them to implement controls to restrict its use to one authorization per order session. Also, if a merchant uses the GET method to return customers to their Web site from a receipt page, they should convert to the POST method. The POST method passes the data in hidden form fields rather than in the URL, thus better protecting transaction information. If you are a Web Host or Shopping Cart provider, this also applies to you.
- Shopping Carts – If a merchant cannot easily integrate to the payment gateway via AIM, advise them to consider using an alternative web hosting or shopping cart solution. Authorize.Net-certified shopping carts allow merchants to submit transactions securely without having to upgrade Web systems and security themselves. View the list of Authorize.Net-certified shopping carts at http://www.authorize.net/solutions/merchantsolutions/merchantservices/certifiedsolutiondirectory/.
Beware of Scams
Large and small businesses fall victim to a variety of scams perpetrated by Internet con artists. These fraudsters use masked Internet Protocol (IP) addresses, hijacked computers, phony addresses, and bogus companies to defraud U.S. businesses and consumers every day. You and your merchants can decrease your vulnerability to scams in the following ways:
- Be cautious when researching or following up on business development or sales leads from unfamiliar foreign entities.
- Scrutinize any transactions that are out of the ordinary, especially those on behalf of foreign individuals.
- Be cautious when providing accounts for U.S. citizens who are planning to manage an Authorize.Net or other payment gateway account as part of a condition for a business arrangement, partnership, or employment.
- Never operate an Authorize.Net or financial account in your name or your business's name as part of a condition for a business arrangement, partnership or employment.
- Only do business with companies you know and trust. Be wary of out-of-the-ordinary business deals.
- Understand the offer. Ask questions until you understand all of the terms and vocabulary.
- Get all the details and promises in writing. Never sign documents with blank spaces.
- Check all bills and invoices carefully. Look for unusual amounts. Don't pay until you understand and agree to all items listed.
- Guard your financial or other account information. Don't provide it to anyone unless there is a legitimate reason to do so as part of a transaction.
- Educate your employees and merchants about avoiding scams. Make sure they understand their roles and responsibilities.
- Pay extra attention to international business deals. Encourage your merchants to validate orders before shipping to different countries.
- Do not respond to emails or phone calls requesting sensitive financial information. Remember that legitimate businesses and organizations will never request sensitive information via email or a link outside of a secure Web site. Call your Internet service provider, bank, credit card company, or other vendor who may be sending the email to confirm the request.
(Sources: National Fraud Information Center and the Better Business Bureau)
To educate yourself and your merchants about the different types of scams used against businesses today, look at the National Fraud Information Center's Web site at http://www.fraud.org/scamsagainstbusinesses/bizscams.htm.
Remember that as owners of Authorize.Net Payment Gateway accounts, your merchants are expressly financially responsible for all transaction activity that occurs on their accounts. As such, you and your merchants should take every precaution to evaluate the possible associated risks before entering into any business relationship or opening any type of financial account or service account that involves financial liability.
