
Arc XP Sales: Security best practices

This document provides an overview of the shared responsibility model with respect to card stuffing attacks, describing the collaborative efforts between the Arc XP team and you to ensure the security of your sites and data. It begins by outlining the proactive measures taken by our team to safeguard your digital assets. Subsequently, we delve into a prevalent threat affecting our customers: credit card stuffing attacks. To conclude, we articulate the shared responsibility model within the specific context of these security challenges, offering insights into collective strategies for robust protection.

Credit Card Stuffing Attacks

Credit card stuffing attacks are fraudulent activities that involve using the payment process to determine if stolen card numbers are valid or active. These payment requests often originate from botnets, similar to credential stuffing attacks. As a result, many of the same security approaches are applicable here.

However, it is also possible for these attacks to be carried out on a smaller scale by human users. This situation can be much more difficult to detect and prevent, as many of the controls for bots are not effective against human users.

It is important to note that credit card stuffing attacks are not application security attacks. Instead, they are a type of fraud that you can prevent by using security features that payment gateways provide. By doing so, you can help protect yourself and your customers from potential financial loss.

These types of attacks are often detected by a large volume of failed purchase transactions during a short period of time.

Shared Strategy for Stuffing Attacks

Countering the impact of stuffing attacks requires action on the part of both the Arc XP team and you as a customer and user of our platform. The strategy for stuffing attacks comprises two components: detection and response.

The responsibility for detection lies primarily with the Arc XP team. We monitor traffic and behavior on our platform 24/7, and most attack attempts are thwarted as soon as they begin. If an attack requires a business decision from you, we will notify you. Exceptions, in which you can monitor attacks for yourself, are explained in the monitoring sections that follow.

The responsibility for response lies with you as a user of our platform. A range of responses is available to you depending upon the attack, including, but not limited to:

  • You may establish your own monitoring system in collaboration with your payment processor.
  • You may choose to work with your payment processor to raise the bar on credit card transactions with a solution like reCAPTCHA to minimize the impact of automated credit card stuffing attacks.

We will inform you when an attack has impacted your end-users or payment processing to the point where you need to take action. The action you take is up to you.

Monitoring and Response

Monitoring for Credit Card Stuffing Attacks

The Arc XP team does not have a relationship with your payment processor, so we can only see credit card stuffing attacks indirectly. In our platform we have monitoring and alerting in place to detect abnormal payment failures and suspicious use of the Arc XP Subscriptions features. If we identify a persistent attack requiring your intervention, we will promptly notify you. Such occurrences typically arise during prolonged assaults that might lead to supplementary charges from your payment processor or potentially affect your standing with them.

We recommend that you institute your own monitoring, in coordination with your payment processor. Common metrics to monitor and alert upon are:

  • High ratios of failed payments
  • High rates of payment declines
  • Payment processor fraud detection alerts
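As an added illustration of the first two metrics (this is not Arc XP or payment-processor code), the sketch below keeps a sliding window over payment outcomes and raises an alert when the failed-payment ratio or the decline rate crosses a threshold. The event fields, outcome labels, thresholds and sample traffic are all assumptions constructed for the example; map them to whatever your processor actually reports.

```python
from collections import deque
from typing import NamedTuple

class PaymentEvent(NamedTuple):
    ts: int        # epoch seconds
    outcome: str   # assumed labels: "succeeded", "failed", "declined"

class StuffingMonitor:
    """Sliding-window alerting on failed-payment ratio and decline rate."""
    def __init__(self, window_s=300, min_attempts=20,
                 max_fail_ratio=0.5, max_declines_per_min=5.0):
        # Thresholds are illustrative; tune them against your own baseline.
        self.window_s, self.min_attempts = window_s, min_attempts
        self.max_fail_ratio = max_fail_ratio
        self.max_declines_per_min = max_declines_per_min
        self.events = deque()

    def observe(self, ev):
        """Record one event and return the alerts the current window raises."""
        self.events.append(ev)
        while self.events[0].ts <= ev.ts - self.window_s:  # expire old events
            self.events.popleft()
        total = len(self.events)
        unsuccessful = sum(e.outcome != "succeeded" for e in self.events)
        declines = sum(e.outcome == "declined" for e in self.events)
        alerts = []
        # A volume floor keeps 2 failures out of 3 attempts from paging anyone.
        if total >= self.min_attempts and unsuccessful / total >= self.max_fail_ratio:
            alerts.append("high_failed_ratio")
        if declines / (self.window_s / 60) >= self.max_declines_per_min:
            alerts.append("high_decline_rate")
        return alerts

def normal_traffic():
    # Constructed baseline: one checkout every 30 s, one decline in ten.
    return [PaymentEvent(i * 30, "declined" if i % 10 == 9 else "succeeded")
            for i in range(40)]

def burst_traffic(start=1200):
    # Constructed burst: one attempt every 2 s, one success in twenty.
    return [PaymentEvent(start + 2 * j, "succeeded" if j % 20 == 0 else "declined")
            for j in range(60)]

def first_alert(events, monitor):
    for ev in events:
        alerts = monitor.observe(ev)
        if alerts:
            return ev.ts, alerts
    return None
```

On the constructed data the baseline never alerts, while the burst trips the ratio alert 20 seconds after it starts and the decline-rate alert shortly after.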

Responding to Credit Card Stuffing Attacks

A credit card stuffing attack is successful for an attacker if a credit card transaction succeeds and thereby confirms the validity of stolen credit card data. If we detect a credit card stuffing attack on your site that requires action on your part, we will inform you so that you may put mitigations in place.

Mitigation Techniques

We recommend that you harden your site to make these types of attacks less likely to succeed.

The most effective mitigations for credit card stuffing attacks include:

  • Upgrading your service to include Akamai Bot Manager
  • Enabling reCAPTCHA as part of the checkout flow
  • Working with your payment processor to understand and implement their anti-fraud features

Conclusion

This document outlines the shared responsibility model between Arc XP and you, with a focus on credit card stuffing attacks. The shared strategy involves detection and response, with outlined monitoring mechanisms and mitigations. Embracing this model empowers you to make informed decisions, fostering ongoing collaboration for a robust defense against cyber threats on the Arc XP platform.

When it comes to stuffing attacks:

  • Arc XP will monitor its platform and will notify you if an attack is detected for which you need to take action
  • You and your organization are responsible for taking supplementary measures to monitor your platform (including working with your payment processor) and acting on this notification to repel, mitigate, or accept the risk of the attack