Merchants: Protect your business against malware

posted by Amanda Holmgaard on Tuesday, September 4, 2018 in SHAZAM Blog

Malware — or malicious software — is increasingly becoming a concern for merchants with online stores. E-commerce malware continues to be a fraud problem, attacking merchant websites to steal customer data.

E-commerce malware isn’t intended to directly infect users’ computers or phones when they visit the website. Instead, it’s malicious code that targets the website itself.

Think of it as an online version of a skimming device — the malware’s goal is to collect personal information and card data that can then be used or sold to other criminals. This appeals to fraudsters, because it allows them to steal information at a physical distance from the merchant.

How it works

Before criminals can place the malware, they have to gain access to the online shop or website’s server. Often, it’s as simple as stealing or guessing administrator website login information. Attackers can also exploit out-of-date software or systems that haven’t been updated. Merchants should be vigilant in protecting personal data and servers.

E-commerce malware can be hosted remotely or locally. Locally hosted malware is placed directly into a merchant’s website code. Malware that is hosted remotely lives in a separate malicious domain and is loaded by the merchant’s website. Once activated, a script funnels live payment data to the criminal’s collection server or a command-and-control domain. Both the customer and merchant are typically completely unaware of this theft.

Merchants can use the following tips to help protect themselves and their customers:

  • Regularly scan and test e-commerce sites. Make sure all patches or software updates are downloaded and installed as soon as they’re available.
  • Monitor websites for suspicious activity. Check logs and receive alerts any time a change is made.
  • Ensure staff members are trained in security best practices and follow the designated procedures. Require a strong administrative passphrase (use a password manager for best results) and enable two-factor authentication. Plus, limit how many staff members have access to administrative functions.
  • Follow all Payment Card Industry (PCI) Data Security Standards. Use a PCI-validated third-party service provider to store, process or transmit cardholder data.
  • Set up a web application firewall to block suspicious and malicious requests from reaching the website.

If a compromise is suspected, the merchant should contact its acquiring bank immediately for guidance and to ensure compliance.

For more information, view the PCI website and the PCI Best Practices for Securing E-commerce guide.


  1. malware
  2. merchant

SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney. 


comments powered by Disqus