Employees examining a changing threat landscape for acquirers and merchants - PCI DSS.

SecureTrust has been fielding a lot of feedback from our acquirer community regarding the changes and new challenges to their businesses resulting from the COVID-19 pandemic. The most urgent of these challenges is the sharp rise in attacks from criminal organizations taking advantage of business shutdowns. It is very important to maintain vigilance in cybersecurity operations during the shutdowns to protect your most valuable data from attacks.

With the shift to remote working for most IT operations, it becomes even more critical to be mindful and aware of phishing attacks from criminals posing as remote workers, executives, or even vendors. Trustwave recently published an article with live examples of phishing attacks that intend to trick potential victims into transferring or redirecting money to attackers. We expect to see similar campaigns targeting acquirers using various themes.

We are hearing from many of our acquiring partners that their merchants are going into hibernation until they are allowed to resume business by their respective governments. We are also seeing that many businesses are shifting from card-present to card-not-present e-commerce operations, using delivery services to continue operating.


If your merchants are shifting to e-commerce, it is important to maintain PCI DSS compliance for these new e-commerce deployments and track that compliance in your PCI program.

Criminal organizations are taking advantage of poor security to compromise and take over gateway accounts. We encourage acquirers to monitor for dramatic increases in transaction volume, refund volume, and chargebacks. Pay very close attention to any merchant in a category that would be most at risk during a government shutdown, such as travel, gyms, salons, restaurants, sports, and delayed delivery services.
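The monitoring suggested above can be sketched as a per-merchant baseline check. This is an added example, not SecureTrust tooling or code from the original article; the thresholds, field names, and merchant records are assumptions constructed for illustration.

```python
from statistics import median

# Categories the article names as most at risk during a shutdown.
AT_RISK = {"travel", "gyms", "salons", "restaurants", "sports", "delayed delivery"}
METRICS = ("transactions", "refunds", "chargebacks")

def flag_spikes(merchant, history, today, factor=3.0, at_risk_factor=2.0, floor=5):
    """Return (metric, today's count, baseline) for each dramatic increase.

    history is a trailing window of daily count dicts; today is one such dict.
    factor, at_risk_factor and floor are assumed tuning values.
    """
    mult = at_risk_factor if merchant["category"] in AT_RISK else factor
    alerts = []
    for metric in METRICS:
        baseline = median(day[metric] for day in history)
        # A hibernating merchant has a baseline near zero, so a pure ratio
        # test never fires or fires on noise. The floor makes any real burst
        # of activity on a dormant gateway account stand out.
        threshold = max(baseline * mult, floor)
        if today[metric] > threshold:
            alerts.append((metric, today[metric], baseline))
    return alerts

# Constructed sample data: a gym that has been closed for two weeks.
GYM = {"id": "M-1001", "category": "gyms"}
GYM_HISTORY = [{"transactions": 0, "refunds": 0, "chargebacks": 0}] * 14
GYM_TODAY = {"transactions": 40, "refunds": 12, "chargebacks": 1}

# Constructed sample data: the same week of activity for two categories.
WEEK = [{"transactions": t, "refunds": 2, "chargebacks": 0}
        for t in (100, 110, 95, 105, 120, 98, 102)]
BUSY_DAY = {"transactions": 250, "refunds": 3, "chargebacks": 0}
GROCER = {"id": "M-2002", "category": "grocery"}
RESTAURANT = {"id": "M-3003", "category": "restaurants"}

if __name__ == "__main__":
    for m, hist, day in ((GYM, GYM_HISTORY, GYM_TODAY),
                         (GROCER, WEEK, BUSY_DAY),
                         (RESTAURANT, WEEK, BUSY_DAY)):
        print(m["id"], m["category"], flag_spikes(m, hist, day))
```

The same busy day passes for the grocer but is flagged for the restaurant, because at-risk categories use the tighter multiplier.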

We are also seeing a rise in fraudulent product claims, in particular for products that claim to either test for or cure COVID-19. Currently there is no approved cure or home-testing method that is cleared by US regulators for home sale. SecureTrust has added detection for these products to our Web Risk Monitoring (WRM) product to protect our acquiring partners from merchants selling such items illegally.


If you work directly with the card brands, note that many of them are delaying product rollouts and program assessments.

We have seen reports that MasterCard, Visa, American Express, and Nacha have all delayed program rollouts and assessments due to the ongoing crisis. Many card brands are suspending certain fraud assessments, especially for travel & entertainment, while the fallout from the government shutdowns causes events and travel to be cancelled.

As we all work through the process of defeating COVID-19, we will continue to monitor how these threats develop and keep you all informed.


SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.



Written by Jon Marler

Jon Marler is a Product Manager at SecureTrust with a true passion for information security and more than a decade of experience in information security, payment processing, risk management, software development, and telephony. Jon spent eight years working with some of the largest acquirers in the world, helping them build online payment gateways and risk management platforms before joining SecureTrust. Aside from his primary role with SecureTrust, Jon also sits on the EC-Council ANSI Scheme committee as a trusted advisor, has participated in the PCI SSC SIG focused on addressing cloud computing, and is a member of the ETA committee for mobile payments. As a result of his long-standing commitment to open source software, Jon has offered his expertise as a package manager for the Debian GNU/Linux OS distribution since 1998.