In the old days, if someone wanted to rob a bank, they had to do so in person, and there was substantial personal effort and risk involved. Not so in 2021, an era that has seen outlaws swap their guns for keyboards and their getaway cars for computer firewalls with rotating I.P. addresses.
Defending against potential theft has changed as well. Gone are days when security guards and giant steel vaults could dissuade the average criminal. The bank robbers of today have gone virtual, and the battle against them has moved into the cyber realm.
Nuvei realizes that security is as critical now as it’s ever been. Perhaps even more so in a society where the potential bad guys are no longer gun-slinging desperados but are instead far more likely to be hackers, online scam artists, or even bored script kiddies who learned how to hack your iPhone on a Reddit forum.
Therefore, it’s more important than ever that you take a few simple steps to secure your business and protect yourself from being victimized by online theft and fraud. In this week’s blog, we’ll talk about the ten best ways to protect your business and yourself from the new generation of cybercriminals.
1. The Importance of Two-Factor Authentication for All Logins
Two-factor authentication is crucial for anyone conducting serious business online. If you’re unaware, two-factor authentication is an additional layer of security that works together with traditional username and password security. Typically, two-factor authentication consists of either a verification email sent to a pre-determined email address, or an SMS message sent to your cell phone. Some merchants go as far as to require third-party authenticators: mobile apps that tell you when someone is trying to access your account and require you to take affirmative action, such as pressing a button on the app, before the login can occur.
If you’re running a business on the same computer or mobile device that you use for your social media, it’s imperative that you not only use two-factor authentication for your financial accounts, but also for your social accounts. Today’s criminals are smart and tech-savvy, and if they find any chink in your security armor, you can bet that they’ll use it to drain your bank accounts.
2. Never Store Credit Card Numbers or Other Secure Data Yourself
Seriously, just don’t do it. It’s not worth the risk. Not only does it violate PCI compliance requirements, but it leaves you open to legal disaster if someone cracks your security and steals the information. Remember, cybercriminals aren’t trying to steal cash. They’re trying to steal information. If you’re storing credit card information, even if it’s encrypted, you’re running a huge risk and it will eventually bite you.
If you don’t think it can happen to you, you’re wrong. It’s happened to some of the world’s largest companies. If Yahoo, Facebook and LinkedIn can be hacked, then don’t kid yourself about the strength of your security measures. Always use a third-party payment processor to hold card data, and never make an exception. If you have any questions or concerns, contact a Nuvei representative and we’ll be happy to point you in the right direction.
3. Choose a Secure eCommerce Platform
If you’re not using a reliable and well-vetted programmer for your eCommerce, you’re making a mistake. You need to be able to trust your developer with your life, because that’s literally what you’re doing. Make sure that you discuss the platform you’ll be using, and that it’s well-known, reliable, and has a long history of security and stability. There are a lot of great platforms out there like Shopify, WooCommerce, Magento, and dozens of others. If you’re not sure which one to pick, your developer will help you decide. Make sure that it’s secure and can integrate with your payment processor in a smooth and efficient manner.
4. Buy Cyber Liability Insurance
Cyber liability insurance (CLI) exists for one reason: to protect you when you break the other rules that I’ve listed in this blog. If you’re not willing to make sure that you’ve done all the other measures listed here, then you’d better sign up for CLI, and fast. If someone breaches your security, you can (and will) be held personally liable for every dime they steal from your customers. 60% of small businesses go out of business within six months of a cyberattack. Hopefully, you’re paying attention now.
5. Use a Personal Verification System
Some businesses may even require a further layer of protection, in which case I recommend consulting with your Nuvei partner and finding a personalized solution. Airbnb, for example, requires a driver’s license or a passport. Other businesses require various mobile identification methods. Whether or not you need this level of protection is up to you, but nobody ever regretted being “too secure.”
6. Don’t Store Customer Payment Data
Did I mention this before? Let me mention it again. Don’t store payment data. Just don’t do it. It’s tempting to hold onto the data for a variety of reasons, but it’s just not worth the risk. One client of mine insisted that they had to hold onto the data because shipping amounts change from day to day, so they couldn’t be sure how much to charge. As I’m sure you’ve guessed, they lived to regret it. If you need variable or recurring billing, set up tokenization with your gateway: the gateway keeps the card on its side and hands you a token you can charge later, so the card number never touches your systems. It’s safe, simple, and protects you.
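Points 2 and 6 come down to one rule: the card number stays with the gateway, and you keep only its token. Below is an added example (not Nuvei’s code; the token format, field names and sample records are constructed assumptions) of a guard a merchant could put in front of every database write, rejecting any record that carries a forbidden field or a Luhn-valid card number hiding in free text.

```python
import re

# Constructed sample records, as a merchant's checkout code might build them.
# The gateway_token format is an assumption; every gateway defines its own.
SAFE_RECORD = {"customer": "c_1001", "gateway_token": "tok_8f3a9c1d",
               "last4": "4242", "shipping_cents": 795}
UNSAFE_RECORD = {"customer": "c_1002", "card_number": "4242 4242 4242 4242",
                 "cvv": "123", "shipping_cents": 795}

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every major card brand's PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")

def contains_pan(value) -> bool:
    """True if a string holds a Luhn-valid 13-19 digit run (a likely card number)."""
    if not isinstance(value, str):
        return False
    for m in _DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

# Fields that must never be persisted by the merchant at all
FORBIDDEN_KEYS = {"card_number", "pan", "cvv", "cvc", "track_data"}

def check_record(record: dict) -> list:
    """Return the reasons a record must not be stored; an empty list means safe."""
    problems = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_KEYS:
            problems.append(f"forbidden field: {key}")
        elif contains_pan(value):
            problems.append(f"card number found in field: {key}")
    return problems

def persist(record: dict, store: list) -> bool:
    """Append to the store (standing in for a database) only if the guard passes."""
    if check_record(record):
        return False
    store.append(record)
    return True
```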
7. Be Sure to Install an SSL Certificate for Your Site
Have you ever noticed that small lock icon to the left of the URL when you go to most websites? That indicates that the site is served over an encrypted connection using a certificate, still commonly called an SSL (Secure Sockets Layer) certificate even though the protocol in use today is TLS. With it, the site is reached through https instead of http. The “s”, as I’m sure you’ve guessed, stands for “secure”. Any decent developer will be able to install a certificate for you, so make sure you have one on your website. Also make sure that all http traffic is redirected to https without exception. Again, your developer can help you with this.
8. Ensure PCI Compliance
PCI compliance is a massive undertaking, and at some point, I’ll probably do a blog just on that topic alone. Suffice to say, if your payment handling isn’t PCI compliant, it needs to be ASAP. Most reputable payment processors will scan your site from time to time, and if you’re not PCI compliant, they’ll either fine you or shut you down.
9. Require VPNs for Anyone with Access to Your Code
VPN is short for “virtual private network.” It restricts access to your server to the people you have personally authorized, by requiring them to connect through an encrypted tunnel before they can reach it. If you don’t want some fourteen-year-old hacker crawling around your database, you’re going to need to require VPN access for everyone who accesses your server or code.
10. Ensure Your Hosting Provider Has Safeguards in Place
If you’re hosting with one of the major players, like BlueHost or Cloudways, you’re probably already benefiting from full-service server security. However, if you’re hosted at a smaller venue, or if you’re running your server yourself, you need to make very sure that you’re protected. A good, high-quality firewall is your first, but by no means the last, line of defense. We’ve already mentioned SSL certificates, but you’ll also need virus protection, injection attack protection, and a complete spectrum of other security measures. These are not trivial or minor issues. They are necessary if you want to stay in business.
Hopefully I haven’t scared you too much, but as they say, you can never be too rich, too thin, or have too much internet security. Follow these basic guidelines and you’ll be able to rest easy at night and focus on growing your business instead of fighting off hackers.
Philippe Panneton is Nuvei’s SVP, Global Risk & Underwriting. He is a certified payment professional with twenty years of experience in the financial sector, with a proven track record of successful process improvement in recoveries and risk related functions. Associated with Nuvei for over 11 years, he uses his deep understanding of risk management, recoveries, and process improvement to maximize Nuvei’s return on investment.