Securing Merchant Gateways in the Era of Effortless Experiences


Many merchant service providers (MSPs) now offer online portals that allow merchants to manage transactions and accounts, often with integrated virtual terminal capabilities. These gateways can streamline customer experience (CX) and backend operations to drive efficiency, satisfaction and clear communication. However, they are also prime targets for fraud.

Most merchants understand this risk and have taken great strides to balance consumer data privacy with effortless, satisfying experiences. Fewer, though, realize the fraud risks associated with merchant gateways aren’t just about customers. Just as bad actors can access customer information through these attacks, they can access a merchant’s proprietary documents, banking information and other high-risk areas of a digital ecosystem.

Then, thanks to real-time processing, hackers can make changes (or withdrawals) before the merchant has time to react. Given the speed of these transactions, merchants’ growing attack surfaces and the increased adoption of real-time payment gateways, it isn’t just important that merchants who adopt these tools follow cybersecurity best practices. It’s vital to their survival.

What’s the Big Deal?

On the macro level, the impact of these attacks on merchants and other organizations is significant and growing rapidly. According to Sift’s Q1 2024 Digital Trust and Safety Index, account takeovers (ATOs) cost merchants $38B in losses last year, and that number is expected to balloon to $362B by 2028. The organization’s Q2 Index found that 78% of businesses now consistently face artificial-intelligence-enabled fraud risks.

For individual omnichannel and digital-first merchants, attacks on payment gateway portal accounts present a serious threat, and they’re far more damaging than typical attacks on online shopping accounts. When a cybercriminal hacks into a payment gateway, they can quickly access the host merchant’s account and transfer money directly into their own. Imagine the panic of discovering that your hard-earned funds have vanished without a trace.

These criminals have a variety of tactics at their disposal, which makes prevention, detection and response difficult. Upon breaching a merchant account, the hacker might turn off notifications so the merchant is unaware when fraudulent transactions occur. They may change the account’s contact details so that alerts about unauthorized activity never reach the merchant.

Worse yet, hackers who successfully access an account can run ACH credit transactions to tap money from a merchant’s bank account to their own. Many will alter bank information and other sensitive details to make it even harder for merchants to regain control of their accounts. It isn’t just a minor inconvenience; it’s a potentially business-crippling event. Once an attacker has access to the merchant’s account, there’s little hope of recovering the losses.

You Can Never Be Too Secure

Though ATO attacks can be devastating, there are plenty of steps merchants can take to protect themselves. These include the typical recommendations, like using complex passwords, investing in credential managers and prohibiting employees from saving login details in browsers. However, given the increasing frequency and severity of these attacks, merchants may want to go further in their efforts to protect themselves from fraud.

Achieving that goal starts with the merchant’s MSP choice. When choosing a partner for payment gateways, it’s not just about the surface-level touchpoint the vendor can offer end users. Merchants must also verify that the MSP they choose offers the security tools necessary in the current cyber landscape, including:

  • IP-based restrictions: These settings let merchants restrict gateway logins to approved IP addresses or networks, such as the merchant’s own office network. This helps prevent account takeovers even if the password is compromised, because a stolen password alone is not enough to reach the account.
  • Granular roles and permissions settings: The more granular a gateway’s permissions and custom rules capabilities, the more precise a merchant can be about who gets access to what. This allows merchants to limit each user’s access to only the elements of the account that are necessary to their role—which means fewer entrances to sensitive areas of the system for hackers to exploit.
  • Multifactor authentication (MFA) requirements: This security mechanism requires a user to verify their identity through two (or more) methods. The extra step(s) protect accounts whose login credentials have been compromised by requiring a time-bound authentication code that must be verified via a secondary channel, such as an SMS, a phone call or an email address different from the primary one.
  • Authenticator app: A stronger form of MFA in which the authentication code is generated locally on the user’s device, so it cannot be intercepted in transit or stolen through a SIM takeover.
  • Passkey authentication: Passkeys differ from MFA in that there is no password to enter. Instead, the system creates a unique public/private key pair for each online application or site, device and user identifier; the private key stays on the device, and the site checks it against the stored public key to confirm identity and grant access. By removing traditional credentials from the process, this approach leaves traditional phishing nearly useless, as there is no password or username to steal. It doesn’t make accounts unhackable, but it does make executing a fraudulent login much more complex and less dependent on human error.
  • Transaction risk management: AI/ML-based models that instantly score each incoming transaction for fraud on parameters such as transaction history, payment method, location, time of the transaction and average transaction amount. Merchants can tune the base model to suit their business needs.
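As an added illustration (not CSG Forte’s code or any MSP’s product), the following Python models how a gateway login policy can combine three of the controls above: an IP allowlist, a locally generated authenticator-app code (RFC 6238 TOTP) and role-scoped permissions. The network range, roles, actions and shared secret are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed policy for a hypothetical merchant gateway account.
# IP-based restriction: logins only from the merchant's office network (TEST-NET-3 range).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Granular roles: each role sees only the parts of the account its job requires.
ROLE_PERMISSIONS = {
    "cashier": {"run_sale", "view_transactions"},
    "finance": {"run_sale", "view_transactions", "run_refund", "run_ach_credit"},
    "owner": {"run_sale", "view_transactions", "run_refund", "run_ach_credit",
              "edit_bank_details", "edit_notifications"},
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app computes locally."""
    counter = struct.pack(">Q", at // step)                 # time step as 8-byte big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + d * 30), submitted)
        for d in range(-window, window + 1)
    )


def authorize(ip: str, role: str, action: str, secret: bytes, code: str, now: int):
    """Policy order: IP restriction, then MFA, then role permission.
    Returns (allowed, reason) so every denial can be logged and alerted on."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "ip_invalid"
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "ip_not_allowed"
    if not verify_totp(secret, code, now):
        return False, "bad_mfa_code"
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False, "permission_denied"
    return True, "ok"
```

A cashier who passes the IP and MFA checks is still denied `edit_bank_details`, which is the kind of post-takeover change the article describes; the denial reason is what a monitoring rule would alert on.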

The above represent just a few of the many possible tactics a merchant could use to firm up operations against ATOs—and a strong MSP in today’s market should offer all of them and more. This proactive approach not only mitigates financial risks but fosters trust with customers and stakeholders, leading to happier, loyal customers.

Securing Merchant Gateways Against Intruders

Protecting merchant gateways from fraud can’t be just a priority; it must be a necessity. In today’s increasingly digital world, safeguarding sensitive data is an end-to-end imperative, and it must be part of every decision. After all, the stakes are high: a single fraudulent incident can expose customer data, tarnish reputations and jeopardize future success.

A smart MSP will understand that and embrace its role as a supporting partner to merchants as they seek to delight and protect customers. Together, MSPs and merchants can fortify defenses against fraud and unauthorized access to maintain resilience, safeguard reputations and get back to what matters: delivering effortless and secure experiences that drive customer trust, lasting loyalty and business growth.

Build a secure, trusted and seamless payment experience for your customers

If you’re ready to elevate your payment security and protect your business against cyber threats, now is the time to act. Discover how CSG Forte’s advanced payment solutions can provide the robust security measures you need to stay ahead of fraud and ensure the integrity of your transactions.

Charu Krishnan

Director, Product Management