Best Practices for Acquirers to Monitor and Remediate Malware on Merchant Websites

Imagine a malware attack on one of your merchants that takes their website offline, puts sensitive data in jeopardy and raises the prospect of significant reputational damage. If card data is at risk, this stress may extend to third parties associated with the merchant in the payment stream. As the acquirer, this could directly impact your business.

It’s unlikely that a merchant will be adequately prepared for a threat of this nature. This is due to a large array of factors, including lack of time, lack of security budget, lack of security skills and pressures to adopt emerging technologies. If the merchant has failed to prepare well, their ability to remediate the malware will suffer too. The merchant will likely be undergoing a full rebuild of their web server environment during the remediation process.

Preventing malware is becoming a high-ranking responsibility in merchant IT environments of all types. Malware is malicious code that hackers use to compromise a computer, network, or even a website. Its purpose varies, but it is commonly designed to disrupt operations or steal sensitive data. Disruption of merchant websites via malware grows more pervasive year over year, especially as more merchants migrate their business online.

Here are SecureTrust’s best practices for responding to malware on merchant websites:

  1. Routine Website Scanning: Outside of proactive security measures, when malware does impact a website, early detection is paramount in risk mitigation efforts. Utilizing an external website scanning tool that frequently monitors for the presence of malware and immediately notifies the site owner upon detection is highly recommended.

  2. PCI Compliance: Maintaining compliance, in combination with the best practices provided by the PCI standards and vulnerability scanning, is essential in protecting websites from the threat of malware.

  3. Stay up-to-date: Ensure that your merchants are keeping their website platforms updated. Platform providers often put out updated versions, which include security patches and upgrades, helping secure the merchant’s website environment against a potential malware attack.

  4. Third-Party Content Provider Due Diligence: To both prevent and remediate malware events, merchants are encouraged to adopt best practices in vetting the third-party content providers whose content they install on their website. The most common type of third-party content is advertisements, which require code to be implemented on the site and can therefore disguise malicious code (malware). Having a process to carefully review the third-party content provider prior to implementation is crucial.

  5. Change passwords: A quick and simple tactic for preventing malware is to frequently change passwords to key environments and platforms on the merchant’s website.

  6. Communications: Frequent and effective outreach efforts will help equip merchants with the knowledge to prevent the threat of malware, as well as provide proactive information for merchants to understand how to respond if they are compromised by malware in the future.
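
To make items 1 and 4 concrete, the following added example (not SecureTrust code or a SecureTrust tool) inventories the external scripts on a merchant page and flags any whose host is not on the merchant's approved provider list or that has appeared since the previous scan. The host names, the baseline and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data: hosts the merchant has vetted, and the script URLs
# recorded by the previous scan of the same page.
APPROVED_HOSTS = {"ads.vetted-provider.example", "js.payment-widget.example"}
BASELINE = {"https://ads.vetted-provider.example/tag.js"}

SAMPLE_PAGE = """
<html><head>
<script src="/static/shop.js"></script>
<script src="https://ads.vetted-provider.example/tag.js"></script>
<script src="https://js.payment-widget.example/v2/widget.js"></script>
<script src="//cdn.unknown-tracker.example/collect.js"></script>
</head><body><script>var inline = 1;</script></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src)

def audit_scripts(html, site_host, approved=APPROVED_HOSTS, baseline=BASELINE):
    """Return (src, reason) findings for third-party scripts needing review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname  # also handles scheme-relative //host/path
        if host is None or host == site_host:
            continue  # first-party script, out of scope for this check
        if host not in approved:
            findings.append((src, "host not on approved provider list"))
        elif src not in baseline:
            findings.append((src, "new since last scan"))
    return findings

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_PAGE, "shop.merchant.example"):
        print(f"REVIEW {src}: {reason}")
```

A check like this only sees scripts present in the served HTML; scripts loaded dynamically by other scripts still need the external scanning described in item 1.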


Written by Alexander Kaluski

Alex Kaluski is a Product Manager at SecureTrust. Alex has six years of experience at SecureTrust managing card compliance and risk mitigation solutions. His focus with the solutions managed is to provide products for both payment partners and their merchants.