The modern business-to-business merchants are actively embracing online retail to step up their game. Relying on B2B portal development, they build solutions that bring together business customers from around the globe, supporting a convenient and personalized purchasing experience.
On the downside, the shift to ecommerce aggravated the issue with payment security. Business-to-business transactions have always enticed the underworld, and digitization put these transactions within reach of adept cybercriminals. As a result, the B2B online payment fraud rate runs high: last year, 81% of organizations became targets of attempted or successful fraud attacks, as reported by the Association for Financial Professionals in the 2020 Payments Fraud and Control Survey.
To get to the money or sensitive payment data, hackers leverage a wealth of attack techniques, from DDoS and malware to social engineering. They exploit vulnerabilities in web portal software, payment gateways, and networks, or the lack of security awareness among transaction parties. In this article, we outline sustainable security measures to help you reinforce your B2B marketplace protection against the ever-evolving cyber-threats related to online payments.
Refine identity and access management
Identity and access management (IAM) is the baseline network and data security practice that many online business owners know and respect. However, hackers are finding increasingly more ways to bypass the common IAM mechanisms (role-based access, privileged accounts, and so on) with malware, metadata manipulation, or social engineering schemes. To thwart these attacks, B2B portal owners need to ramp up their IAM toolkit.
Begin by shifting away from insecure password-only authentication to multi-factor authentication for customer account access. To reinforce access security in a mobile version of the portal app, you can turn to biometric authentication methods, such as fingerprint, voice or iris recognition. Strengthening identity verification this way helps you prevent unauthorized access to your portal and ensure the legitimacy of every transaction.
Conducting business online, a company has no physical opportunity to ascertain whether their counterpart is who they say they are. Cybercriminals often make use of this flaw, setting up fake accounts and masquerading as business owners to scam companies. To nip these fraud attempts in the bud, adopt the Know Your Customer procedure.
KYC originated in the banking sphere and today is actively leveraged in ecommerce to confirm a customer company's identity before partnering with it. In the context of B2B ecommerce, the procedure involves the submission of documents and other types of information that confirm the customer's identity and solvency. Modern KYC solutions can streamline the identification process, automatically checking the submitted information against numerous publicly available databases.
Set up ongoing activity monitoring
Web portal activity tracking is widely considered an instrument belonging to the marketing toolkit, but its potential is broader than that. When applied for payment security reasons, activity monitoring mechanisms help detect upcoming security threats that can’t be detected by antivirus or anti-malware tools.
First and foremost, it is a good practice for security specialists to keep track of the day-to-day B2B portal performance via a web analytics tool. This will allow them to notice in good time abnormal or suspicious user activity that may or may not be a security attack. Regular activity monitoring is particularly helpful for forestalling various types of DDoS attacks that aim to disrupt the portal traffic by flooding the portal's bandwidth with requests.
Beyond that, companies that process credit card payments must track access to network resources and cardholder data under the PCI Data Security Standard. Due to the sheer volume and frequency of operations, this activity is commonly automated with an audit trail system. The software will log each user action, with its type, date and time, whether the operation was successful, and other details. By reviewing the logs (the recommended frequency is once a day), the merchant can pinpoint unauthorized access attempts and other fraudulent activities and investigate them.
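The daily log review described above, as an added example that is not part of the original article: a small Python script that parses constructed audit-trail lines (the field layout is hypothetical) and flags two things a reviewer would escalate, a burst of failed logins on one account and cardholder-data exports outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit-trail lines; the field layout is a hypothetical one, not a real product's.
SAMPLE_LOG = """\
2020-12-01T09:00:05Z user=acme_buyer event=login outcome=success ip=203.0.113.10
2020-12-01T09:02:00Z user=globex_ap event=login outcome=failure ip=198.51.100.7
2020-12-01T09:02:20Z user=globex_ap event=login outcome=failure ip=198.51.100.7
2020-12-01T09:02:45Z user=globex_ap event=login outcome=failure ip=198.51.100.7
2020-12-01T09:03:01Z user=globex_ap event=login outcome=failure ip=198.51.100.7
2020-12-01T09:03:30Z user=globex_ap event=login outcome=failure ip=198.51.100.7
2020-12-01T09:05:00Z user=acme_buyer event=export_cardholder_data outcome=success ip=203.0.113.10
2020-12-01T23:40:00Z user=initech_ops event=export_cardholder_data outcome=success ip=192.0.2.55
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
                     r"outcome=(?P<outcome>\S+) ip=(?P<ip>\S+)$")
def parse_log(text):
    """Turn audit lines into dicts with a datetime; malformed lines are skipped, not crashed on."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            entries.append(rec)
    return entries
def find_login_bursts(entries, threshold=5, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside any `window`: likely credential guessing."""
    failures = defaultdict(list)
    for rec in entries:
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]].append(rec["ts"])
    flagged = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return sorted(flagged)
def find_offhours_cardholder_access(entries, start_hour=8, end_hour=19):
    """Successful cardholder-data exports outside business hours, which the daily review should escalate."""
    return [(rec["user"], rec["ts"].isoformat()) for rec in entries
            if rec["event"] == "export_cardholder_data" and rec["outcome"] == "success"
            and not (start_hour <= rec["ts"].hour < end_hour)]
def daily_review(text=SAMPLE_LOG):
    """One day's review: everything returned here deserves a human look."""
    entries = parse_log(text)
    return {"login_bursts": find_login_bursts(entries),
            "offhours_cardholder_access": find_offhours_cardholder_access(entries)}
```

In a real deployment the thresholds and business hours would come from the merchant's own baseline, and the flagged events would feed a ticketing or SIEM queue rather than a return value.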
Embed payment tokenization
Credit-card-stealing malware is running wild on the internet. Typically, this malicious software injects itself, or is injected by hackers, into the retail portal source code and siphons off credit card data and other sensitive information.
In the recent past, more than two million websites fell victim to the prolific Magecart spyware, with such high-profile merchants as British Airways and Ticketmaster among them. Even though the global business community is aware of Magecart, the spyware still manages to get past online merchants' defenses. The reasons for this range from rapid attack innovation to insufficient monitoring coverage, but one thing is clear: to stay on the safe side, you need to set up an additional level of protection over customer payment data.
Tokenization, or the replacement of sensitive data with an algorithmically generated number called a token, has recently been gaining traction among online merchants, edging out encryption as a cost-efficient and secure option. A token is not encoded payment card information; instead, it is a reference that tells the bank where the card owner's data is stored. During a tokenized transaction, the token is authorized in the credit card network and is matched to the customer's account number. After the bank allows the payment, the token is returned to the merchant for future transactions.
Unlike encrypted data, a token can't be mathematically reversed and is readable only by payment processors, meaning that hackers will have little use for it even if they somehow intercept the transaction. In addition to payment security, tokenization can also help lessen the burden of PCI DSS compliance and decrease the B2B portal security maintenance costs.
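To make the "can't be mathematically reversed" point concrete, here is an added example (not from the article or any real tokenization provider) of a hypothetical token vault: the token is random apart from the displayed last four digits, is deliberately not Luhn-valid so it can never be mistaken for a real card number, and can only be resolved by whoever holds the vault.

```python
import secrets

class TokenVault:
    """Hypothetical token vault, the only place a token maps back to a PAN.
    Tokens are drawn at random rather than derived from the PAN, so there is
    no key to steal and nothing to 'decrypt' if a token leaks from the merchant."""
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    @staticmethod
    def luhn_valid(number):
        """Standard Luhn mod-10 check used by payment card numbers."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:
                d = d * 2 - 9 if d * 2 > 9 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self.luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:  # same card, same token, so the merchant can reuse it
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits for receipts; everything else is random, so the
            # token is format-preserving yet reveals nothing about the rest of the PAN.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject collisions and anything that would pass as a real card number.
            if token not in self._token_to_pan and not self.luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only the payment processor holding the vault can do this; merchant code never needs to."""
        return self._token_to_pan[token]
```

The merchant side stores and re-submits only the token; a compromised merchant database therefore yields values that no arithmetic can turn back into card numbers.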
Promote security awareness
In the modern B2B ecommerce security landscape, social engineering scams proliferate along with technical attack strategies. Leveraging simple methods of psychological manipulation, criminals coax employees to perform certain actions or give away sensitive payment information about customers.
This year saw an alarming rise in the business email compromise (BEC) type of phishing attack. Impersonating a company's CEO or other high-ranking executives in correspondence, hackers persuade the recipient to transfer funds or pay a fake invoice. In the second quarter of 2020, the average cost of a successful BEC attack amounted to $80,183, according to the Anti-Phishing Working Group's Phishing Activity Trends Report.
While anti-phishing software is the necessary protection measure for B2B portals, with the ongoing evolution of attack methods, it doesn’t always provide full-scope security. This makes the promotion of security awareness among your staff and customers an indispensable accompanying measure. Corporate security training should be held regularly for employees at all levels, in order to educate them on current social engineering exploits, their mechanisms and consequences, and offer clear instructions on how to respond to such an attack.
Since both transaction sides can fall victim to social engineering, the security awareness efforts should also extend to your partners, although the format of full-scale security training will not be appropriate in this case. Instead, you need to provide them with informative but unobtrusive educational resources, outline the advantages of investing in security monitoring tools, and inform them promptly about relevant emerging attacks.
Wrapping up
The proliferation of payment fraud and security threats makes the path to an efficient and reliable B2B portal thornier than ever. By combining tried-and-true practices with emerging technologies and security awareness promotion, a business can build a multi-layered security strategy to navigate the modern threat landscape successfully and offer customers a safe experience.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.