How to keep customer data safe

So, why is payment security so hard?

Retailers may have many systems and networks running across hundreds or thousands of store locations, and many times that number of connected payment terminals. 

The industry is awash with complexity. Large staff numbers, seasonal workers and high turnover rates, create training issues. New stores, new systems, regulations and upgrades contribute to constant change. All of this breeds vulnerability.

Doesn’t PCI stop data fraud?

While the Payment Card Industry Data Security Standard (PCI DSS) has helped to reduce payment fraud at the sales point. It's only as good as its weakest link. For PCI to work, it has to be maintained. Obtaining PCI compliance won’t keep retailers safe for long if security procedures are not kept-up and processes and staff-practices regularly audited.

Up to 80% of merchants fail PCI compliance at interim assessments[iv], which means they are effectively failing to sustain the security controls they have put in place.  This could be because of the financial and operational burden PCI can place on organisations – and other pressures on IT teams for time and resource. Especially those with disparate legacy systems and reduced staff. 

Encryption can reduce risk

One of the best ways to ease PCI burden and safeguard payments is using PCI Point to Point Encryption (P2PE).  Payment details can only be opened at the end of the transaction chain, by the acquirer who has an encryption key.

With P2PE, the merchant doesn’t store or handle unencrypted customer payment data, so it can help reduce PCI scope. Payment service providers here in the UK have been pioneers of P2PE and Verifone has been supplying encrypted payment solutions for over a decade. UK retailers have been amongst the first globally to have benefitted from this and seen significant simplification and cost savings in achieving PCI DSS compliance.

So, what else can retailers do to keep their customers’ payment data safe?

Here are Verifone’s top tips for reducing vulnerability at the POS:

1. Outsource to the experts. Find a payment service provider that will take care of complexities of payment acceptance, and provide secure tokens so that you can focus on retailing and minimise your compliancy efforts.

2. Make sure your terminals are tamper-proof and tamper-resistant and comply with up-to-date PCI-PTS (PIN Transaction Security) standards. 

3. Use encryption. Make certain any payment solutions and services are certified against the latest PCI P2PE standards. Ensure that P2PE is implemented correctly and employ a qualified security assessor (QSA) to validate it.

4. Protect any sensitive data stored in cloud service environments by ensuring all gateway services – whether your own or via a third party – are compliant with PCI-DSS (Data Security Standard).

5. There is no need to store live card data to deliver frictionless ecommerce and omnichannel services such as one-click or click and collect.  Use secure ‘Tokens’ to track customers without compromising card data.

6. Use Tokenisation to perform in-house velocity checking.  Look for fraud patterns and protect against them.  Decline transactions where there is suspicious card usage.

7. If you’re running an ecommerce site and using a hosted payment page, make sure sensitive data is not entered directly into your merchant system.  Particularly, if you’re trying to reduce scope, complexity and cost of PCI compliance.

8. Check what additional fraud screening services are available from your provider. These can help to protect online fraud and reduce the level of chargebacks.

9. Make sure there's seamless integration between Point of Sale and payment systems to reduce opportunities for ‘double-keying’ fraud by staff.

10. Make sure your networks are secure. Use and maintain firewalls and manage password effectively – NEVER rely on vendor default passwords or security settings. Use and regularly update anti-virus software.  Know who has access to applications and at what level. When staff change, reset access controls.

New regulations for 2018

The Payment Service Directive (PSD2), will bring new requirements for Strong Consumer Authentication (SCA). It will have little impact in-store as EMV cards already meet the minimum two-factor authentication requirements. Most contactless transactions are also exempt. However, there will be new requirements for online payments with planned changes to major methods of payer authentication e.g. 3D Secure 2.0. Online merchants will need to make certain that these are properly implemented.

The EU’s GDPR (General Data Protection Regulation) comes into force in April 2018. Retailers should talk to their payment service providers to verify that they have plans in place to protect sensitive data beyond cardholder and verification data such as PIN numbers.

Verifone is a global leader in payment acceptance and a pioneer in card security. It was one of the first vendors to implement P2PE.

For more information contact info-emea@verifone.com. 

[i] NTT Group 2016

[ii] https://brc.org.uk/media/116322/10081-brc-retail-crime-survey-2016_v6.pdf

[iii] Centrify, June 2016

[iv] Verizon 2016 Data Breach Investigation Report