https://mailchi.mp/forte/2023-security-bulletin
Annual Security Bulletin
CSG Forte continues working to guarantee the security of your transactions, information, and the information of your customers. Continue reading as we share security updates, trends in payment security, and news from regulatory entities relevant to CSG Forte Partners and Merchants alike.
PCI Security
| PCI Security Standards Council sets standards around the development of products and solutions offering secure payment processing. The council sets standards for each level in the payment process from merchants to service providers and financial institutions. Any organization falling within the payment process for credit or debit cards is subject to the standards put forth by this council. If you accept credit or debit card payments you can stay up to date on these standards by visiting pcisecuritystandards.org. To make PCI compliance as easy as possible CSG Forte merchants can enroll in our PCI-DSS Compliance Program for $7.99/month. CSG Forte has partnered with both a Primary and Secondary PCI Vendor to provide easy-to-use, low-cost tools to help our merchants with the process of validating compliance. Our PCI Vendors are both Approved Scanning Vendors (ASV) and Qualified Security Assessor (QSA) for the card associations. As part of our program, all participating merchants receive Breach Insurance and remediation service, as part of your low monthly fee. For more information please email pci@forte.net. |
|
|
|
|
|
|
|
|
As CSG Forte evolves to better protect the information of our clients and their customers, we will periodically retire legacy systems in favor of newer more secure platforms. Please pay close attention to our communications to ensure you are running the most secure payment systems available. |
| Restrict unauthorized access by enabling IP Allow Lists. IP allow listing is a way to provide access to the business' network only to trusted individuals. Putting these in place allow only specific IP addresses to access files, applications, and software. For step by step instructions on how to tighten security on your system, click the appropriate link below. |
|
|
|
|
|
|
|
|
Credit Card Best Practices - Card Testing
Fraudsters can use your payment processing system to conduct credit card testing, a type of fraudulent activity where they run multiple transactions to determine if stolen credit card information is valid. Card brands can assess fines against your business, or stop allowing you to process transactions, if you do not swiftly mitigate the activity. Here are some tips to help mitigate being targeted by this type of fraud:
Leverage authentication and CAPTCHA controls
Utilize fraud detection systems that support device fingerprinting and botnet detection
Use a layered validation approach that employs Card Validation Codes AND Address Verification Services
Analyze time zone differences and browser language consistency from the cardholder’s IP address and device. Classify these transactions as potential high risk and perform more stringent review
Inject random pauses (i.e. throttling) when checking an account to slow brute force attacks that are dependent on time, especially for Bank Identification Numbers (BINs) that have been determined to have a high fraud incidence
Include IP address with multiple failed card payment data in a fraud detection blocklist database for review and analysis
In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorization-only transactions
Look for excessive usage and bandwidth consumption from a single user
Look for multiple tracking elements in a purchase linked to the same device. (Example, multiple transactions with different cards using the same e-mail address and same device ID)
Look for logins for a single account coming from many IP addresses
Review logins with suspicious passwords that hackers commonly use
Lock out an account if a user guesses the username / password and any account authentication data incorrectly on “x” number of login attempts
Nacha oversees the ACH payments network, building a guide to the rules and regulations that network users should abide by to provide the most security to customers and businesses. Annually CSG Forte conducts a WEB Debit Audit of Merchants and Partners processing payments with the SEC designation of WEB. Please ensure timely completion for the annual WEB Debit Audit to avoid processing delays or security gaps. Additionally Nacha updates their guidelines regularly and sets timelines for adoption. As guidelines are updated, CSG Forte communicates these changes to our Partners and Merchants via email. | |
| Be wary of phishing emails. Phishing is the fraudulent attempt to obtain sensitive information or data such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Fraudsters will frequently mimic the look of legitimate emails to trick users into clicking links. As a best practice, always check the URL to make sure it is legitimate, and that you are logging into the appropriate website. Also, be careful when opening attachments from unrecognized or suspicious sources. Phishing scams sometimes use similar website names to trap users into providing their login credentials to the fake site. Navigate to https://www.forte.net/log-in/ and you will find the login links for the Dex/VT platforms. It is recommended that you bookmark the login link for future use.
|
|
|
|
|
|
|
|
|