Fiserv: Security Guidelines and Best Practices for Retail Online and Business Online
Posted: 9 January 2013 | Source: Fiserv
Evolving security threats require the use of evolving controls and methods to protect all transaction activity issued by retail and business online banking customers. The Internet has become the preferred, essential channel for banking transactions, but that evolution has brought about a dramatic increase in the number of attempts to gain access to critical banking data and in the sophistication of those threats. These online banking security guidelines and best practices are furnished as part of Fiserv’s ongoing commitment to provide you with tools, information and services that will help your financial institution operate as securely and efficiently as possible. Based on our review and analysis of the changing environment, we endeavor to provide solutions that protect against and minimize fraudulent access to that information, and to provide guidance that improves our clients’ ability to secure systems, customer data and deposits. This document offers certain recommendations based on online security best practices for consumers and businesses, as well as guidance specific to Retail Online and Business Online, two of Fiserv’s most popular and widely used Internet banking solutions.
An Online Banking Security Overview
Evolving security threats, both internal and external, require the use of new controls and the latest methods to protect all transaction activity issued by retail and business online banking customers. Multifaceted and layered security tools and procedures strengthen a financial institution’s defenses against these threats by providing multiple checkpoints at different levels to ensure transactions are authorized by a valid user.
Verify that your security practices are stringent by utilizing a strong, multi-layered security strategy, including the use of tokens, one-time passwords, or out-of-band systems to gain access and initiate external fund transfers. A strong security strategy requires that all high-risk transactions be reviewed and authorized by the customer, and that the financial institution use industry-standard practices to validate the legitimacy of those transactions. A layered security policy should also take into consideration where your data is stored, administrative staff, and the physical assets of the organization, including laptops, tablets, mobile phones, WiFi and access to all facilities.
Securing technology systems and protecting the data and assets of customers remains one of the highest priorities for any financial institution. As your technology partner, Fiserv offers advanced security to help you protect your systems and customers, along with useful guidance resulting from the depth and breadth of our experience with the financial services industry and the technologies that drive it. Please contact your Fiserv account manager or support team for additional guidance regarding products and procedures.
For Fiserv clients using Retail Online and Business Online to serve their customers, this best practices guide offers a set of recommendations intended to help you successfully navigate the complexities of financial and information security, and provide the most comprehensive protection possible. This is not intended to be a direct response to any laws or regulatory guidance. It is an overview of our review of the current security environment and select solutions available from Fiserv. To be successful, security measures and compliance must always be evaluated, determined and managed by your financial institution.
Recommendations for the Retail Online and Business Online Internet Banking Solutions
• Regularly review and update your organization’s security risk assessment, including policies and procedures, to be as prepared as possible to confront new online threats.
• Know your customers. Review their previous transactions by inquiring into their transaction history or historical transaction reports. Carefully grant access to money movement solutions, selecting only those customers you know and have a history with.
• Employ multiple and layered security tools.
• Keep operating systems up to date on all recommended patches. Urge your customers to follow this same practice to protect their computers.
• Utilize firewall and intrusion detection services as an additional security layer for blocking and identifying potential online attacks.
• Install and use up-to-date antivirus software (including anti-spam and anti-spyware programs) to prevent, detect and remove malware of all kinds. Urge your customers to follow this same practice to protect their computers.
• Educate your employees and customers about online security measures. Track successful employee participation and reward customers for protecting their own systems.
• Utilize an effective Multifactor Authentication (MFA) process. For customers using MFA Device Security, we strongly recommend use of the emailed one-time password (OTP) as the challenge method, rather than the question-and-answer (challenge-response) method.
• Use of a transaction monitoring product provides anomaly detection at both the login and the transaction level. The MFA Device Security 2.0 release (Q1 2013) upgrades clients to the latest RSA version and includes separately licensed transaction monitoring features.
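The following is an added illustration of what login-level and transaction-level anomaly detection looks like in practice. It is example code written for this guide, not Fiserv's MFA Device Security product or the RSA transaction monitoring it licenses. The customer id, device names, payees, amounts and the event stream are all constructed; the decision labels (step-up OTP, out-of-band confirmation, hold for review) are assumed names for the kinds of actions the text recommends.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Baseline:
    """What the institution already knows about one customer's normal behaviour."""
    known_devices: set
    known_payees: set
    past_amounts: list


# Constructed baseline for a hypothetical customer id; not real data.
BASELINES = {
    "c1001": Baseline(
        known_devices={"dev-A"},
        known_payees={"Utility Co", "Landlord LLC"},
        past_amounts=[100.0, 120.0, 110.0, 130.0, 115.0, 125.0],
    )
}

# Constructed event stream for one customer, in arrival order.
EVENTS = [
    {"id": 1, "type": "login", "customer": "c1001", "device": "dev-A", "failed_attempts": 0},
    {"id": 2, "type": "transfer", "customer": "c1001", "payee": "Landlord LLC", "amount": 125.0},
    {"id": 3, "type": "transfer", "customer": "c1001", "payee": "Charity X", "amount": 60.0},
    {"id": 4, "type": "login", "customer": "c1001", "device": "dev-Z", "failed_attempts": 2},
    {"id": 5, "type": "transfer", "customer": "c1001", "payee": "New Payee Ltd", "amount": 4800.0},
]


def login_flags(event, baseline):
    """Login-level checks: unfamiliar device, repeated failed attempts."""
    flags = []
    if event["device"] not in baseline.known_devices:
        flags.append("new_device")
    if event["failed_attempts"] >= 3:
        flags.append("repeated_failures")
    return flags


def transfer_flags(event, baseline, z_threshold=3.0):
    """Transaction-level checks: never-used payee, amount far above history."""
    flags = []
    if event["payee"] not in baseline.known_payees:
        flags.append("new_payee")
    amounts = baseline.past_amounts
    if len(amounts) >= 5:  # only judge amounts once there is some history
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma == 0:
            sigma = 1.0  # avoid division by zero for a perfectly regular history
        if (event["amount"] - mu) / sigma > z_threshold:
            flags.append("amount_outlier")
    return flags


def review_events(events, baselines):
    """Return (event id, decision, flags) for each event. A transfer that is
    flagged in a session whose login was itself anomalous is held for review."""
    decisions = []
    login_flagged = {}  # customer -> was the current session's login anomalous?
    for ev in events:
        base = baselines[ev["customer"]]
        if ev["type"] == "login":
            flags = login_flags(ev, base)
            login_flagged[ev["customer"]] = bool(flags)
            decision = "step_up_otp" if flags else "allow"
        else:
            flags = transfer_flags(ev, base)
            if flags and login_flagged.get(ev["customer"], False):
                decision = "hold_for_review"
            elif "new_payee" in flags and "amount_outlier" in flags:
                decision = "hold_for_review"
            elif flags:
                decision = "confirm_out_of_band"
            else:
                decision = "allow"
        decisions.append((ev["id"], decision, flags))
    return decisions


if __name__ == "__main__":
    for row in review_events(EVENTS, BASELINES):
        print(row)
```

The point of combining the two levels is in `review_events`: a new payee on its own only triggers an out-of-band confirmation, but the same transfer after a login from an unknown device is held for human review, which is the layered, multiple-checkpoint behaviour the overview describes.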
• Use a centralized fraud detection network such as FraudNet™ from Fiserv to help protect your bill payment customers from fraud before they are affected.
• Utilize positive pay and ACH filtering products to provide your customers with positive pay, debit blocks and transaction frequency limits on specific accounts.
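To make the positive pay and ACH filtering controls concrete, here is an added example, written for this guide and not taken from any Fiserv product, of the matching logic behind them. Positive pay compares each presented check against the customer's issue file and turns every mismatch into an exception for the customer to pay or return; the ACH filter applies a debit block, an originator allow-list and a per-day debit frequency limit. Account numbers, check numbers, originator ids and all amounts below are constructed.

```python
from collections import defaultdict

# Constructed positive pay issue file: account -> {check number: (amount, payee)}
ISSUED_CHECKS = {
    "A1": {1001: (250.00, "Office Supply Co"), 1002: (1200.00, "Landlord LLC")},
}

# Constructed checks presented for payment against account A1: (number, amount)
PRESENTED_CHECKS = [(1001, 250.00), (1002, 1250.00), (1003, 90.00), (1001, 250.00)]

# Constructed ACH filter rules per account.
ACH_RULES = {
    "A1": {"debit_block": False, "allowed_originators": {"ORIG-UTIL"}, "max_debits_per_day": 2},
    "A2": {"debit_block": True, "allowed_originators": set(), "max_debits_per_day": 0},
}

# Constructed incoming ACH entries, in arrival order.
ACH_ENTRIES = [
    {"id": 1, "account": "A1", "kind": "debit", "originator": "ORIG-UTIL", "amount": 80.0, "date": "2013-01-09"},
    {"id": 2, "account": "A1", "kind": "debit", "originator": "ORIG-UNKNOWN", "amount": 80.0, "date": "2013-01-09"},
    {"id": 3, "account": "A1", "kind": "debit", "originator": "ORIG-UTIL", "amount": 50.0, "date": "2013-01-09"},
    {"id": 4, "account": "A1", "kind": "debit", "originator": "ORIG-UTIL", "amount": 20.0, "date": "2013-01-09"},
    {"id": 5, "account": "A2", "kind": "debit", "originator": "ORIG-UTIL", "amount": 10.0, "date": "2013-01-09"},
    {"id": 6, "account": "A2", "kind": "credit", "originator": "ORIG-PAYROLL", "amount": 500.0, "date": "2013-01-09"},
]


def positive_pay_decisions(account, presented, issued=ISSUED_CHECKS):
    """Match presented checks against the issue file. Only an exact match on
    number and amount is paid automatically; everything else is an exception
    the customer must decide on (pay or return)."""
    issue_file = issued.get(account, {})
    seen = set()
    out = []
    for number, amount in presented:
        if number in seen:
            out.append((number, "exception:duplicate"))  # same check presented twice
        elif number not in issue_file:
            out.append((number, "exception:not_issued"))  # no issue record at all
        elif abs(issue_file[number][0] - amount) > 0.005:
            out.append((number, "exception:amount_mismatch"))  # possible alteration
        else:
            out.append((number, "pay"))
        seen.add(number)
    return out


def ach_filter(entries, rules=ACH_RULES):
    """Apply the per-account debit block, originator allow-list and daily debit
    frequency limit. Credits are passed through; these filters govern debits."""
    accepted_debits = defaultdict(int)  # (account, date) -> accepted debit count
    out = []
    for e in entries:
        r = rules[e["account"]]
        if e["kind"] == "credit":
            out.append((e["id"], "accept"))
            continue
        key = (e["account"], e["date"])
        if r["debit_block"]:
            out.append((e["id"], "reject:debit_block"))
        elif e["originator"] not in r["allowed_originators"]:
            out.append((e["id"], "reject:unauthorized_originator"))
        elif accepted_debits[key] >= r["max_debits_per_day"]:
            out.append((e["id"], "reject:frequency_limit"))
        else:
            accepted_debits[key] += 1
            out.append((e["id"], "accept"))
    return out


if __name__ == "__main__":
    print(positive_pay_decisions("A1", PRESENTED_CHECKS))
    print(ach_filter(ACH_ENTRIES))
```

Note that the frequency counter only advances on accepted debits, so a run of rejected entries from an unauthorized originator cannot exhaust the customer's daily allowance and block their legitimate ones.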
• Require frequent password changes for both employees and customers.
• Premier® and Precision® clients using Retail Online should enable Business Process Manager workflows that require procedures and additional controls for all address maintenance performed by the customer.
• Utilize the Online Banking Risk Assistant, a browser-based tool offered in partnership with Beavercreek Marketing (http://www.bankall.com) that enables you to assess your online products and assign accurate risk ratings for each, as called for by FFIEC recommendations.