Merchant fraud: protecting your business against malware

posted on Wednesday, August 25, 2021 in SHAZAM Blog

Consumers expect to trust that their personal and financial data will be kept safe by us, the merchants, financial institutions and networks providing payment solutions. Have you, as a consumer, ever experienced the frustration and the headaches that accompany ID theft and/or compromised card situations? If you can answer no to that question, consider yourself very lucky.  

Fraud is a situation no one likes, yet we all realize it is part of the world we live in. It is up to us to lead with integrity as partners and implement required security services and fraud prevention measures so the consumers we all serve may enjoy safe, secure and delightful shopping experiences. We hope the information and ideas in this blog may help in your risk and security management.

What is malware?
Malware — or malicious software — continues to be a concern for merchants with online stores. With the recent increase in ransomware incidents, it’s important not to lose sight of threats posed by other types of malware like trojans and spyware, which can be harder to detect than the obvious signs that come with ransomware, leading to potentially undetected fraud and unauthorized data disclosure. One lucrative objective of malware can be compromising a business’s e-commerce channels.

E-commerce malware isn’t intended to directly infect users’ computers or phones when they visit the website. Instead, it’s malicious code that targets the website itself. This malicious code can be designed to be damaging to an organization’s e-commerce in various ways including:

  • Disabling a website. Malware can bring down a website by disabling necessary services on web servers, by generating a volume of network traffic the web servers or the network can’t handle, or by other means.
  • Skimming payment data. Malware can be installed on web servers to obtain payment data to be used for fraudulent payments and withdrawals.
  • Obtaining other sensitive information. Malware can be designed to exfiltrate (covertly copy to a system the criminals control) customer personally identifiable information (PII), spending habits and other sensitive data, which is then sold to others.

How it works
Before criminals can place the malware, they must gain access to the online shop or website’s server. Often, it’s as simple as stealing or guessing the administrator login for the website. Attackers can also exploit known vulnerabilities in out-of-date software or systems that haven’t been patched. Merchants should be vigilant in protecting both administrative credentials and the servers themselves.

Protect your organization
Criminals using malware as a means for fraud and data theft will typically exploit the weakest link, which is why it’s important for organizations to cover the basics of a cybersecurity program. Merchants can use the following tips to help protect themselves and their customers:

  • Regularly scan and test e-commerce sites for vulnerabilities, ensuring all patches or software updates are downloaded and installed as soon as they’re available. SHAZAM Secure offers the following services to assist with those efforts:
  1. External security assessment
  2. Internal security assessment
  3. Penetration testing
  4. Web application testing

Contact a SHAZAM specialist to find out more.

  • Monitor websites for suspicious activity. Check logs and opt to receive alerts any time a change is made.
  • Provide security best practices training to staff members and follow the designated procedures. Require a strong administrative passphrase (use a password manager for best results) and enable two-factor authentication for access to administer web services. Plus, limit how many staff members have access to administrative functions.
  • Ensure staff member training on how to identify social engineering attempts. Many organizations are now conducting simulated phishing campaigns for their employees to make sure they know how to spot phishing attempts. This technique has proven to reduce the success of real-life phishing attacks. SHAZAM can help test and train employees about the dangers of social engineering.
  • Follow all Payment Card Industry (PCI) Data Security Standards. Use a PCI-validated third-party service provider to store, process or transmit cardholder data.
  • Disable insecure versions of SSL and TLS encryption protocols.
  • Set up a web application firewall to block suspicious and malicious requests from reaching the website.
  • Maintain an incident response plan so your organization is prepared to respond to a malware attack if it occurs.
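The monitoring tip above (alert any time a change is made) and the payment-skimming scenario earlier can be covered with a file-integrity baseline over the web root: hash the scripts and pages that serve the checkout flow, then report anything added, removed or modified since the last known-good snapshot. This is an added example, not code from SHAZAM or the original post; the web root, file names and monitored suffixes in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types that attackers typically modify to inject a skimmer (assumption).
MONITORED_SUFFIXES = (".js", ".php", ".html", ".htm")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path, suffixes=MONITORED_SUFFIXES) -> dict:
    """Map each monitored file (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any non-empty list should raise an alert for review."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample: a tiny web root, a baseline, then a simulated unauthorized edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// constructed checkout page script\n")
        (root / "index.html").write_text("<html><body>constructed shop</body></html>\n")
        (root / "logo.png").write_bytes(b"constructed image bytes")  # not monitored
        baseline = build_baseline(root)
        # Simulated change an attacker with server access might make: a line
        # appended to the checkout script and a new script dropped into the root.
        with (root / "js" / "checkout.js").open("a") as fh:
            fh.write("// appended line\n")
        (root / "js" / "extra.js").write_text("// constructed new file\n")
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline dictionary is stored off the web server (for example with `json.dump`) and refreshed only after an authorized deployment, so that a drift report can be tied to a change record.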

Suspect a compromise?
If a compromise is suspected, the merchant should contact its acquiring bank immediately for guidance and to ensure compliance.

SHAZAM’s information security program
SHAZAM takes the protection of our merchant and financial institution data very seriously. We have a comprehensive information security program that aligns with the control standard established by the Center for Internet Security and adheres to the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS).

Our program is audited annually both internally and by multiple external auditors to ensure controls are in place and operating effectively. Our security operations team regularly monitors security controls for any indications of an incident and a documented incident response plan is maintained to be followed if an incident occurs.

For more information, view the PCI website and the PCI Best Practices for Securing E-commerce guide. Please feel free to share this information with others who may benefit.


SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney. 
