Prevent Account Takeover Best Practices
The Payrix Pro risk team strives to ensure we are protecting your Merchant account by using various fraud detection tools to catch bad actors throughout the life cycle of the account. This guide explains what account takeover is and the best practices to protect your Merchant accounts from becoming victims of account takeover.
What is Account Takeover?
Account takeover (ATO) is a form of identity theft in which a bad actor gains access to or takes over a Merchant account. It is one of the fastest-growing cybersecurity threats today. When ATO occurs on a Merchant account, the fraudster might add a new bank account and siphon off funds from legitimate customers.
How Does ATO Occur?
Fraudsters can gain access to the target account’s credentials through various methods. Some common examples include phishing attacks, malware infections, stolen cookies, and compromised API keys.
What Are the Red Flags to Watch Out for with ATO?
After a Merchant successfully boards onto the Payrix Pro platform, the Payrix Pro risk team uses various risk tools for ongoing account change monitoring. Common red flags for ATO include Merchants changing account credentials, adding or modifying bank accounts, changing phone numbers, and adding new email addresses. To validate account change information, the Payrix Pro risk team runs checks to verify that the true account owner requested the changes.
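The monitoring described above can be expressed as a small set of rules over account-change events. The following is an added example written for this guide, not the Payrix Pro risk team's actual tooling or rules; the event format, the field names, the 24-hour correlation window and the sample events are all constructed assumptions. It flags Merchants whose recent changes match the red flags listed above so that an analyst can verify them with the true account owner.

```python
"""Rule-based review of account-change events for the ATO red flags named above.

Added example, not the Payrix Pro risk team's actual tooling or rules. The
event format, the change-type names and the 24-hour window are assumptions,
and SAMPLE_EVENTS is a constructed log, not real platform data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Change types the page lists as red flags on a boarded account.
RED_FLAG_CHANGES = {
    "credential_change", "bank_account_added", "bank_account_modified",
    "phone_changed", "email_added",
}
# Changes that redirect payouts: the highest-impact outcome of a takeover.
PAYOUT_CHANGES = {"bank_account_added", "bank_account_modified"}
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample log: ISO-8601 timestamp, merchant id, change type.
SAMPLE_EVENTS = """\
2024-03-01T09:12:00 m-1001 credential_change
2024-03-01T09:15:30 m-1001 email_added
2024-03-01T09:20:05 m-1001 bank_account_added
2024-03-01T11:00:00 m-2002 phone_changed
2024-03-03T14:30:00 m-3003 credential_change
2024-03-05T08:00:00 m-3003 bank_account_modified
"""


def parse_events(text: str) -> List[dict]:
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, change = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "merchant": merchant, "change": change})
    return events


def review_changes(events: List[dict]) -> Dict[str, List[str]]:
    """Return {merchant: [reasons]} for Merchants whose changes need owner verification.

    Rule 1: any payout-affecting change is verified with the true account owner.
    Rule 2: a credential change followed within WINDOW by another red-flag
            change is the classic takeover sequence and is escalated.
    Rule 3: three or more red-flag changes within WINDOW is escalated.
    """
    by_merchant: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["change"] in RED_FLAG_CHANGES:
            by_merchant[e["merchant"]].append(e)

    findings: Dict[str, List[str]] = defaultdict(list)
    for merchant, evs in by_merchant.items():
        if any(e["change"] in PAYOUT_CHANGES for e in evs):
            findings[merchant].append(
                "payout-affecting change: verify with account owner")
        # Rule 2: look forward from each credential change.
        for i, e in enumerate(evs):
            if e["change"] != "credential_change":
                continue
            followers = [f for f in evs[i + 1:] if f["ts"] - e["ts"] <= WINDOW]
            if followers:
                names = ", ".join(f["change"] for f in followers)
                findings[merchant].append(
                    f"credential change followed by {names} within 24h: escalate")
                break
        # Rule 3: sliding window over the sorted events.
        for i, e in enumerate(evs):
            burst = [f for f in evs[i:] if f["ts"] - e["ts"] <= WINDOW]
            if len(burst) >= 3:
                findings[merchant].append(
                    f"{len(burst)} red-flag changes within 24h: escalate")
                break
    return dict(findings)


if __name__ == "__main__":
    for merchant, reasons in review_changes(parse_events(SAMPLE_EVENTS)).items():
        print(merchant)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log, m-1001 trips all three rules (credential change, new email and new bank account within eight minutes), m-3003 is flagged only for the bank account modification because its credential change was two days earlier, and m-2002's lone phone change is recorded but not escalated. The rules are deliberately simple; the point is that the red flags on the page become reviewable, explainable findings rather than a manual scan of change logs.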
Educate your employees on common scenarios of ATO:
Do not click on a hyperlink unless you know the source is legitimate.
Do not share or write down your password anywhere.
Use strong and different passwords for different accounts.
Do not use public or unprotected Wi-Fi to access sensitive account information.
Be on the lookout for fake Payrix Pro websites.
Do not respond to unsolicited text messages if you do not know who the sender is.
Store and Protect Passwords
Payrix Pro stores passwords only as salted one-way hashes (hashing and salting) and does not store the passwords themselves within its systems. We recommend following best practices from OWASP, NIST, PCI-DSS, and SOC2. These cybersecurity requirements are audited at Worldpay for Platforms and certified annually by Qualified Security Assessors (QSAs) for PCI-DSS and SOC2.
A hash function takes a plaintext password and transforms it into a fixed-length digest from which the original password cannot be recovered. This lets a system verify passwords on the backend without saving the actual password in plaintext: the password submitted at login is hashed again and the result is compared with the stored digest. Hashes are safe to store because they cannot be reversed to yield the original password; the remaining risk is guessing, where an attacker hashes candidate passwords and looks for a match, which is why salting and a deliberately slow hash function matter.
Salting is an additional step to keep passwords out of the hands of malicious hackers. It works simply: when a password is collected, a random value unique to that user (the salt) is combined with the password, and the combination is hashed. The salt is stored alongside the hash so the check can be repeated at login. Because each user's salt differs, identical passwords produce different stored hashes, and a precomputed table of hashes cannot be used against the whole user base.
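The following added example shows the hashing-with-salting flow described above in working code. It is written for this guide and is not Payrix Pro's implementation; the page does not state which hash function, salt length or work factor the platform uses, so PBKDF2-HMAC-SHA256 from the Python standard library, a 16-byte random salt and 600,000 iterations are assumptions chosen as a representative slow, salted hash. The unsalted SHA-256 function is included only to contrast with the salted form.

```python
"""Salted password hashing and verification (added example, not Payrix Pro code).

Assumptions, not from the page: PBKDF2-HMAC-SHA256, a 16-byte random salt
per password, and 600,000 iterations. A stored record is a single string
"pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>" so that the salt and
parameters needed to re-check a password travel with the hash.
"""
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16          # assumed salt length
ITERATIONS = 600_000     # assumed work factor; slows down offline guessing
ALGO = "pbkdf2-sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt (or a supplied one) and return
    a self-describing record suitable for storage. The plaintext is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and parameters and compare it
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, non-integer iterations).
        return False


def unsalted_sha256(password: str) -> str:
    """Plain, fast, unsalted hash: every user with this password gets the same
    value, so one precomputed table breaks all of them. Shown for contrast only."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Two users choose the same (constructed) password.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("salted records differ:", record_a != record_b)
    print("unsalted digests equal:",
          unsalted_sha256("correct horse battery staple")
          == unsalted_sha256("correct horse battery staple"))
    print("login with right password:", verify_password("correct horse battery staple", record_a))
    print("login with wrong password:", verify_password("Correct horse battery staple", record_a))
```

Two design choices are worth noting. The iteration count is written into the record rather than hard-coded in the verifier, so the work factor can be raised for new passwords without breaking existing logins. And comparison uses hmac.compare_digest rather than ==, so a mismatch takes the same time regardless of where the digests diverge.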
Cybersecurity Tips
To prevent ATO and maximize protection against it, any payment business should adhere to these ten essential tips:
Manage access.
Control and monitor access for all regular, privileged, and third-party users connecting to your IT system.
Use a password manager tool such as:
KeePass
LastPass
1Password
Roboform
Increase employee awareness.
Train your team to think before they click, and run phishing simulation campaigns frequently.
Keep systems up-to-date.
Establish a robust cybersecurity policy.
Use firewalls, antivirus protection, and Wi-Fi network security.
Use antivirus software (for example McAfee, TotalAV, or Norton) and firewalls (for example next-generation firewalls (NGFW) or NAT firewalls).
Avoid online use of debit cards.
Configure withdrawal limits, notifications, and multifactor authentication on your personal and business accounts.
Avoid unfamiliar websites and useless downloads.
Back up and protect data.
Control access to your systems.
Cybersecurity Controls
The Payrix Pro platform is PCI-DSS and SOC2 certified and cybersecurity-insured. As a result, Worldpay for Platforms supports the following cybersecurity controls:
Conduct Regular Cybersecurity Audits and Penetration Tests: Worldpay for Platforms is PCI-DSS and SOC2 certified and collaborates with a security expert or QSA for PCI compliance and for regular simulated attacks that evaluate system security.
Control and Configure Access to Sensitive Data: Implements the principle of least privilege or a zero-trust model, granting access only to authenticated and verified users.
Create Notifications: Keeps users alert on important account changes.
Cybersecurity Insurance: Worldpay for Platforms is cybersecurity-insured and provides coverage against data breaches and other cybercrimes that can compromise sensitive information.
IP Whitelisting: Grants network access only to specific IP addresses.
Monitor and Record User Activity: Creates an audit trail and collects cybersecurity evidence.
Set Up Multifactor Authentication: Requires users to provide two or more verification factors for access to resources such as applications, online accounts, or VPNs.
Single Sign-On (SSO): Allows users to use one set of login credentials, automating access management.
Questions
Contact your relationship manager with any additional questions.