If you're operating an e-commerce website, your payment gateway is the heart of your business.
It's how people give you money so you can deliver your product or service. But sometimes, bad things happen, and that critical infrastructure can come under attack.
I want to walk you through a recent customer experience that took down their payment gateway, and the steps we took to get their e-commerce store back online quickly. If you run an online store, this is for you.
There are many types of payment fraud that can happen online, but one of the most common is called a BIN attack.
A "BIN" (Bank Identification Number) is the first six digits of a credit card, which identifies the bank that issued it.
A BIN attack is when fraudsters get their hands on thousands of stolen credit card numbers and use automated bots or scripts to test them against a payment gateway. Their goal is to see which cards are active and can be used for fraudulent purchases. To do this, they don't need to break into your website; they just need a public-facing payment form or link they can hit with these automated scripts.
In our client's case, bots were hammering the payment gateway of one of the big four banks here in Australia. When these things happen, there's always a moment of panic. At Wolf IQ, we work with hundreds of customers, so we see these incidents regularly and follow a repeatable set of steps to protect our clients' payment gateways.
When an attack occurs, the goal is to get back online securely and quickly. Here is the framework we use to diagnose and resolve the issue.
1. Limit Access and Visibility
Even though the attack isn't on your website directly, you can make the path to your third-party payment gateway much more secure.
The primary goal is to stop the bots from ever reaching it.
- Implement reCAPTCHA: This is a simple but powerful tool that checks if a user is human before handing them off to the gateway. It's a critical first line of defense against automated scripts.
- De-index Your Payment Pages: You can and should hide these sensitive pages from search engines. By adding a "noindex" tag, you ensure people can't find your payment or checkout pages directly from Google search results, making it harder for bots to discover them.
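As an added example (not Wolf IQ's code or the client's site), the following framework-agnostic Python handler shows both controls above on the server side: a checkout submission is only redirected to the payment gateway after the reCAPTCHA token has been verified (failing closed on a missing token, a transport error or a non-success answer), and the checkout pages are served with a noindex header. It assumes reCAPTCHA v2, whose widget posts the token in the g-recaptcha-response field, Google's siteverify endpoint, and a placeholder gateway URL; the http_post parameter is injectable so the decision logic can be exercised offline.

```python
"""Gate the hand-off from the checkout form to the third-party payment
gateway behind a CAPTCHA check, and mark checkout pages noindex.

Added example, not Wolf IQ's code. Assumptions: reCAPTCHA v2 (token in
the g-recaptcha-response form field), a placeholder gateway URL, and a
framework-agnostic request shape (form dict plus client IP).
"""
import json
import urllib.parse
import urllib.request

# Google's real siteverify endpoint; fields "secret" and "response" are documented.
RECAPTCHA_VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# Placeholder: the gateway URL your provider issued (see "Request a New URL" below).
GATEWAY_URL = "https://gateway.example/pay?merchant=PLACEHOLDER"


def _default_http_post(url, fields):
    """POST URL-encoded form fields and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, remote_ip=None, http_post=_default_http_post):
    """Return True only if siteverify confirms the token.

    A missing token, a transport failure or a non-success response all
    return False: the client is never handed to the gateway unverified.
    """
    if not token:
        return False
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional, lets Google cross-check the client
    try:
        result = http_post(RECAPTCHA_VERIFY_URL, fields)
    except Exception:
        return False  # fail closed
    return bool(result.get("success"))


def noindex_headers():
    """Response headers for checkout/payment pages so search engines skip them.

    Pair with <meta name="robots" content="noindex, nofollow"> in the page HTML
    for crawlers that only honour the tag.
    """
    return {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "no-store"}


def handle_checkout_submit(form, client_ip, secret, http_post=_default_http_post):
    """Decide the response to a checkout POST as (status, headers).

    Only a CAPTCHA-verified submission is redirected (303) to the gateway;
    everything else gets a 403 and never learns the gateway URL.
    """
    token = form.get("g-recaptcha-response", "")
    headers = noindex_headers()
    if verify_recaptcha(token, secret, client_ip, http_post):
        headers["Location"] = GATEWAY_URL
        return 303, headers
    return 403, headers
```

Wire handle_checkout_submit into the route that currently links straight to the gateway, and apply noindex_headers to the GET of the checkout page as well as the POST; the assumed point is that the gateway URL only ever appears in a response to a verified human, so a script fetching the checkout page does not get a link it can replay.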
2. Lean On Your Payment Provider
Ultimately, the responsibility for securing the payment gateway lies with the payment provider.
You want to partner with a provider who takes security as seriously as you do.
- Enable All Security Features: Take the time to turn on all the recommended security features your provider offers. This is your best defense, and it shows you've taken all reasonable steps to protect your store.
- Have a Support Channel: If something goes wrong, you need to be able to get on the phone quickly and talk to a real person. A good provider offers responsive support to help you resolve issues.
- Request a New URL: If your existing payment gateway URL has been compromised, your provider can often issue a new, clean one. You can then update this on your website, instantly cutting off the attackers' access to the old link.
3. Investigate the Root Cause
Once the immediate threat is neutralized, you need to verify what happened.
All websites keep activity records, often called "logs." These logs show a list of IP addresses that accessed the site, where they're from, what pages they visited, and what actions they took.
By checking your website logs (or looking at tools like Google Analytics), you can identify suspicious activity.
You might find that a huge volume of traffic is coming from a specific country or IP range. With this information, you can take defensive action, such as blocking all traffic from countries known to be hotspots for fraudulent activities. This helps prevent future attacks from the same source.
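As an added example (not Wolf IQ's code), here is the kind of log review described in this step written as a small Python script: it parses web server access logs in the common Apache/nginx "combined" format, counts POSTs to the checkout and payment paths per client IP per minute, and reports both the IPs whose burst rate looks automated and the countries whose total volume stands out. The log lines, the /checkout paths and the IP-to-country table are all constructed for the example (the table stands in for a GeoIP database, and "XX" is a placeholder country code).

```python
"""Spot automated card-testing traffic in web server access logs.

Added example, not Wolf IQ's code. Assumes Apache/nginx "combined" log
format and that the checkout hand-off lives under /checkout (placeholder
paths). The sample log and the IP-to-country table are constructed.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PAYMENT_PATHS = ("/checkout", "/checkout/pay")  # placeholder paths

# Constructed prefix table standing in for a GeoIP lookup; "XX" is a placeholder.
IP_COUNTRY = {"203.0.113.": "AU", "198.51.100.": "XX", "192.0.2.": "XX"}

# Constructed sample: one real customer, one bot burst, one slower scripted source.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:09:14:02 +1000] "GET /checkout HTTP/1.1" 200 5120 "https://shop.example/cart" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:09:15:41 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "https://shop.example/checkout" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:09:20:01 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:09:20:02 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:09:20:03 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jun/2025:09:20:03 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "curl/8.0"
198.51.100.7 - - [10/Jun/2025:09:20:04 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:09:20:05 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:09:20:06 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:09:20:07 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jun/2025:09:21:10 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "curl/8.0"
192.0.2.9 - - [10/Jun/2025:09:22:55 +1000] "POST /checkout/pay HTTP/1.1" 303 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def country_of(ip):
    """Longest-prefix lookup in the constructed table; '??' when unknown."""
    for prefix, cc in IP_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def flag_sources(lines, per_ip_per_minute=5, per_country_total=10):
    """Return (suspicious_ips, suspicious_countries), both sorted.

    An IP is suspicious if it POSTs to a payment path at least
    per_ip_per_minute times within one clock minute (a human checks out
    once; a card-testing script submits many cards in a burst). A country is
    suspicious if its total payment POSTs reach per_country_total.
    """
    minute_buckets = Counter()  # (ip, minute) -> payment POSTs
    total_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0] not in PAYMENT_PATHS:
            continue
        minute_buckets[(rec["ip"], rec["ts"].replace(second=0))] += 1
        total_by_ip[rec["ip"]] += 1
    suspicious_ips = sorted({ip for (ip, _), n in minute_buckets.items() if n >= per_ip_per_minute})
    by_country = Counter()
    for ip, n in total_by_ip.items():
        by_country[country_of(ip)] += n
    suspicious_countries = sorted(cc for cc, n in by_country.items() if n >= per_country_total)
    return suspicious_ips, suspicious_countries


if __name__ == "__main__":
    ips, countries = flag_sources(SAMPLE_LOG.splitlines())
    print("block candidates (IP):", ips)
    print("block candidates (country):", countries)
```

On the constructed sample the burst from 198.51.100.7 is flagged by rate while the genuine customer is not, and the two "XX" sources together cross the country threshold; the per-minute bucketing is what separates a script from a customer who simply retries once. Feed the real access log through the same parse_line and flag_sources calls, and use the output as the candidate list for the IP and country blocks described above rather than blocking on raw hit counts alone.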
We were able to get our customer's payment gateway up and running again pretty quickly, but it's always a scary experience.
The truth is, nothing in technology is ever 100% secure. Risks will always exist, and things will inevitably go wrong.
The most important thing is to have a good defense in place and a reliable partner you can count on.
