Payment security must be front of retailers’ minds
Cyber Security With consumers using different payment methods to buy products and services retailers must work harder to protect customer data from the hackers.
Hearing global leaders discuss cyber security at the 2017 World Economic Forum’s annual summit in Davos convinced Jeremy King that this was a topic that the politicians and the business world were finally taking seriously.
The international director of the Payment Card Industry (PCI) Security Standards Council says no government or organisation, whatever its size, can afford to ignore the growing threats.
“Criminals used to just go for credit card data they could turn into money, but now they have different methods of stealing payment details to fund their lavish lifestyles,” says King.
He says the problem is getting worse as more countries switch to chip cards and ecommerce increases the number of payments made when the customer is not present. By 2019 it is expected that 2bn people around the world will buy goods and services online.
“Criminal hackers will seek out the lowest hanging fruit. They use computer programs that perform exhaustive searches – seeking and attacking any website that is misconfigured or has exploitable vulnerabilities. Keeping hackers at bay requires due diligence.”
Hackers crave cardholder data because once they obtain the Primary Account Number (PAN) and sensitive authentication data they can impersonate the cardholder, use the card and steal someone’s identity.
There are serious implications for any business that fails to protect customers’ payment data.
A breach can lead to a loss of consumer confidence and trust, lower sales, having to pay for new payment cards, fraud loses, higher costs of compliance and possible legal bills and potential fines.
“Every online merchant needs a set of security standards, and although a business can never protect payment data 100% some retailers are not even 70% secure,” says King.
The PCI Security Standards Council advises merchants to:
Know the location of their data and use a data flow diagram to understand where it sits across various networks and systems
Not store data they don’t need. Cardholder data should be isolated away from non-cardholder environments to reduce risks and boost compliance
Use the latest version of encryption such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) encryption for any website that accepts credit card data
Work with their service provider to secure cardholder data. This can be valuable for small merchants
King says the European Union’s General Data Protection Regulation (GDPR) will force organisations to do more to protect customer’s payment details. The regulation comes into force in 2018.
Smaller business support
“One of the biggest challenges is to help small merchants who are moving into the ecommerce space but do not have the expertise to understand the cyber risks,” he says. “They might well be selling more goods but they are moving into a minefield.”
In response the PCI has produced the Prioritized Approach which provides six security milestones that will help merchants incrementally protect against the highest risks while on the road to PCI Data Security Standard compliance.
“The first thing they need to do is secure their network. Do they know how their business is connected to the internet so they can protect payments and customers information?”
The PCI says the industry is changing incredibly fast because of the pace at which payment technology is moving. There has been a rapid shift to contactless, mobile payment products such as ApplePay and even biometrics.
“People want fast and simple payments but we have to ensure merchants are offering a good level of security,” says King. “The industry is always playing catch-up with the criminals who are collaborating and sharing information.”
He says companies can survive any data breach if they manage it well. This means having a robust incident response plan that notifies them quickly when they have been hacked, informs customers and third party contracts effectively and shuts off the breach.