This article was originally published in Elavon’s Payment Smart newsletter. The Washington Hospitality Association’s payments processing system is backed by U.S. Bank/Elavon.

The term “digital skimming” describes a relatively new form of digital data theft caused by cyber-attacks on commercial websites. In the simplest terms, an attacker infects a website with malicious code (malware) known as Magecart that “skims” payment card information while it is being entered into a website during payment. The merchant and the cardholder are unaware that their information has been compromised.

A study at the University of Maryland discovered that there is a cyber-attack after every 39 seconds.2  Digital skimming incidents have become more common in the last decade, with more than 40,000 domains compromised in 2018.3 Customers with accounts that have been compromised by cyber-attacks could have personal information such as payment details, social security, and bank account numbers stolen by unauthorized users.4

There are currently no silver bullets to prevent these attacks, but Elavon’s Information Security team recommends the following actions to mitigate risks:

  1. Web server and application plug-ins should stay up-to-date to maintain their performance and stability. If your website is run through a web-hosting company, find out if they offer automatic updates, or give you the option to update your software on your website. If your website is not maintained by a web-hosting company, you will need to update its plug-ins to stay secure.
  2. Your company’s website content should be reviewed regularly to detect software that could infect your website with system vulnerabilities that could lead to data theft.
  3. Merchants should check their websites frequently for tampering. If you detect any unauthorized changes you should:
    • Shut down your website temporarily. While your website is under maintenance, back up any data using a back-up tool. A back-up tool will create duplicates of computer files that can be used for restoring the original files.
    • If your website is run through a web hosting provider, contact them immediately. They should assist you in locating any vulnerabilities and removing the malware from your website.
    • Change all passwords related to your account.
    • Run a full virus scan using anti-virus software if your web hosting provider has not done this already.
    • Warn your users that your website has been hacked and recommend that they change their passwords to your website.
  4. If you believe that your website has been breached, make a list of any unauthorized activity, with details documented. Report breaching incidents to your local police, as well as the Internet Crime Complaint Center. The ICCC works with the Federal Bureau of Investigations and the White Collar Crime Center to document illegal hacking attempts.5

By using these tips, merchants can create an additional line of defense that will drive a wedge between their business and the illusive digital skimmers who want to access their customer and payment information. The Washington Hospitality Association’s payments processing system is backed by U.S. Bank/Elavon. Click here to learn more about the program.

2https://www.marketwatch.com/story/100-million-capital-one-customers-were-hacked-everything-you-need-to-know-about-data-breaches-but-are-afraid-to-ask-2019-07-30

4https://readwrite.com/2019/06/25/a-few-critical-steps-to-take-if-your-website-has-been-hacked/

5https://smallbusiness.chron.com/report-illegal-website-hacking-48127.html

3https://www.computerworld.com/article/3427858/what-is-magecart-and-was-it-behind-the-ticketmaster-and-ba-hacks-.html