Things SMEs should consider when using online payment systems
December 22nd, 2016
Many businesses rely on online payment systems such as PayPal, Google Wallet and Money Bookers. But how safe are they really? We talk to payment security expert, Shaab Al-Baghdadi, to find out.
The spread of hacking has increased exponentially over the years, driven in part by the ability of tech novices to access relatively sophisticated hacking software.
It’s got to the point where people can now access helplines on how to use ‘crimeware’ from the dark web. So it’s vital for business owners to be aware of potential threats when using online payment systems, and to make sure they follow the correct protocol in protecting themselves.
Beware the ‘middleman’
In general, hackers won’t try to force entry into sophisticated and complex systems. Instead they’ll go for the area of least resistance. With this in mind, ‘man in the middle’ attacks are rife.
These are where a hacker tricks the user into thinking they’re using a company’s website when they’re actually using a fake – and identical – webpage. This is a relatively simple method used by hackers to harvest card details.
While it technically doesn’t constitute a breach of security of the Payment Service Provider’s (PSP) system, it’s important for both business owners and individuals to be aware of this kind of activity.
Knowing who’s responsible for a breach
When it comes to who’s responsible for a breach of security, it’s usually the PSP that would take the flack.
However, if the PSP can demonstrate that their platform has not been compromised, this usually shifts responsibility either to the card holder for not protecting their details, or the merchant for not following the PSP’s terms and conditions.
Because of this, it’s important for businesses using a PSP to understand the procedures and polices they must follow as outlined in the agreement, and demonstrate how they’ve done this.
Tips for protecting your business
The best way for businesses to protect themselves is to follow the recommendations and procedures in the agreement between the merchant and the PSP. As a best practice, I would also advise that small businesses undertake some due diligence when appointing a PSP. This could be done through a third-party review using a questionnaire.
Outside of the card details, you should be asking your PSP what information they collect, how long they keep it for, and what they do with that information.
This is especially important if they’re collecting personal identifiable information (PII), which will fall under the general data protection regulation (GDPR), which is due to come into force in May 2018.
Failure to comply with the GDPR – including carrying out due diligence – carries severe penalties of up to 4% of your company’s global turnover, which is why it’s so important to understand where the liability sits both contractually and in regards to the regulation.
Remember it’s your company’s reputation that will be in jeopardy should a security breach take place, not just the PSP's.
What to do if you notice PSP fraud
As a business owner, if you notice someone has spent money from your PayPal account you should follow the same process you would when an unauthorised transaction happens in your personal bank account. The best thing you can do is contact the PSP and see if they can reverse the payment.
It’s always a good idea to check your account regularly to see if there are any small payments going out, either on a one-off or regular basis. Criminals will often employ this technique to test the payment account is live, then hit the account later for a larger amount.
Check for small payments to charities as these are often not picked up. When larger payments leave the account they’re often just under the £10,000 mark, as this is sometimes not picked up by the PSP’s internal fraud engines.
Review how the account is accessed from your internal systems, including which members of staff have access to those systems.
You should also consider how often the passwords are changed, where they’re kept, and from where and how the account can be accessed. It’s important to make sure those access points are secure and virus free.
Understanding consumers’ rights
Consumers are protected under the consumer rights act 2015. Over and above this they’re protected by the rights afforded them by credit card issuers or PSPs when purchasing through these services.
In general, PSPs will side with the consumer regarding a dispute and the onus will be on the merchant to prove they’ve complied with the contract of sale.
‘Soft Fraud’ – where a consumer claims they never received their goods, for example – is an ever-growing issue. You should consider the cost of this to your business and take added measures to prove the delivery of goods and services with robust audit trails.
Choosing the right payment system
When it comes to choosing the best online payment system for your business, it’s as much a commercial decision as it is a security question. Assuming you’re comfortable with the terms and conditions of the PSP and have carried out due diligence, there are some points to consider outside of the security aspect.
Knowing your customer and how they want to transact should be one of the primary deciding factors behind the PSP you go for. For example, do your customers require anonymity or the ability to register their card details once for multi-merchant purchases? It helps to ask the PSP directly about their demographic of users.
You may also want to consider the charges you’ll incur. Ask the PSP how they justify the fees they charge and what the bandings are in terms of assessing these charges.
For example, you’ll need to know what percentage of each transaction they’ll take, which will be based on things like volume of transactions made and the likelihood of fraud.
You should also try to find out what the abandonment rate is on transactions. This is where consumers decide not to proceed with the transaction during the process resulting in lost revenue.
Find out about our Hiscox cyber insurance.