Data breaches are not a laughing matter. We’ve seen what seems to be an increasing number of retail data breaches, punctuated by what appears to be one of the worst breaches ever: the Equifax breach.
The truth is, almost half of all retailers have experienced a breach in the last year – some, more than one – and the vast majority say they consider themselves vulnerable to data threats.
This does not inspire confidence in anyone but the hackers who look for weak links. As Big Data continues to forge its way into the payments space, merchants are even more at risk than ever. There are regulations and requirements put in place to help protect sensitive consumer card information, but with emerging technology comes new vulnerabilities.
So what can merchants do to avoid being the next data breach headline? Let’s look at some of the best methods to improve security.
PCI DSS Compliance
First and foremost, online merchants need to be sure they are in compliance with the requirements set forth by the PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle payment cards and payment data associated with the major card brands. The standard is meant to put controls in place around payment card data to reduce fraud.
The PCI Security Standards apply to all merchants that “accept, process, store, or transmit credit card information” to ensure they maintain a secure environment and adequately protect sensitive data. Generally speaking, there are 12 listed standards that merchants must abide by; however, merchants must also adhere to compliance requirements depending on which level they fall into, which is determined by the number of transactions they process each year.
PCI compliance is not an option; non-compliant merchants face fines levied by banks and credit card institutions. These can quickly add up. Not maintaining compliance also has other costs, including the repercussions of an actual data breach and the subsequent reputational damage.
Next steps for merchants: Work with IT and other appropriate departments to review the 12 standards and ensure you have met all the requirements and are up-to-date on assessments.
Encryption
There are two types of encryption used to protect card data at the point of sale: point-to-point encryption (P2Pe) and end-to-end encryption (E2Ee). Point-to-point encryption (P2Pe) is a standard established by the PCI Security Standards Council. Payment solutions that offer similar encryption but do not meet the P2Pe standard are referred to as end-to-end encryption (E2Ee) solutions. Both have the same objective: a payment security solution that instantaneously converts confidential payment card (credit and debit card) data into indecipherable code at the time the card is swiped, to prevent hacking and fraud through the merchant. Because the data is encrypted the moment the card is read, an attacker inside the merchant’s environment cannot obtain true payment card information. The coded information is sent to the payment processor or payment gateway, where it is decrypted with a secret key, leaving payment card data invisible to the merchant.
Next steps for merchants: Review the P2Pe Standard to ensure that the solution you use meets the requirements to be accepted as a PCI-validated P2Pe solution.
Tokenization
Tokenization is similar to encryption, but uses a token rather than a secret key to make payment card data indecipherable. Where encrypted data can always be reverted to its original form by whoever holds the key, tokenization replaces sensitive payment data within a merchant’s environment with random data that is mapped 1-to-1 to the original and cannot be reversed without that mapping. The token acts as a placeholder.
In this sense, tokenization actually reduces the scope of PCI compliance, because it reduces the amount of cardholder data in an environment and the number of system components to which PCI DSS requirements apply. The degree to which each individual merchant’s scope is reduced depends on how payment card data is handled via technology and business processes.
Next steps for merchants: Review how and if your storage of tokens and payment card data complies with current PCI standards, including the use of strong cryptography. It is also possible to combine encryption and tokenization to comply with PCI Standards. Review the Tokenization Product Security Guidelines issued by The PCI Security Standards Council.
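To make the two mechanisms concrete, here is an added example in Go that is not part of the original article and is not any vendor’s product code. It models the encryption flow from the previous section and the tokenization described here in one program: a terminal function encrypts the PAN with AES-256-GCM the moment the card is read, a processor object holds the only decryption key and the token vault, and the merchant receives nothing but a random token to store. All names (TerminalEncrypt, Processor, Authorize, Detokenize) and the single shared key are assumptions for illustration; a validated P2Pe solution typically uses per-device keys injected into approved card-reading hardware, which this demo omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// newAEAD builds AES-256-GCM from a 32-byte key (held by terminal and processor, never the merchant).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt models the card reader: the PAN is encrypted the instant the card is read,
// so the merchant's systems only ever carry nonce || ciphertext || GCM tag.
func TerminalEncrypt(key []byte, pan string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh nonce per swipe; crypto/rand.Read never fails on Go 1.24+
	return aead.Seal(append([]byte{}, nonce...), nonce, []byte(pan), nil), nil
}

// Processor models the payment processor/gateway: it holds the key and the token vault.
type Processor struct {
	aead  cipher.AEAD
	vault map[string]string // token -> PAN; the only place this mapping exists
	byPAN map[string]string // PAN -> token; keeps the mapping 1-to-1
}

func NewProcessor(key []byte) (*Processor, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: aead, vault: map[string]string{}, byPAN: map[string]string{}}, nil
}

// Decrypt recovers the PAN; a tampered or truncated blob fails the GCM check and errors out.
func (p *Processor) Decrypt(blob []byte) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns+p.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pan, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// Tokenize reuses the token already mapped to this PAN or mints a random one.
// Being random rather than derived from the PAN, no key turns it back into card data.
func (p *Processor) Tokenize(pan string) (string, error) {
	if tok, ok := p.byPAN[pan]; ok {
		return tok, nil
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	tok := "tok_" + hex.EncodeToString(raw)
	p.vault[tok] = pan
	p.byPAN[pan] = tok
	return tok, nil
}

// Detokenize is the vault lookup, the only way back to the PAN; unknown tokens are rejected.
func (p *Processor) Detokenize(tok string) (string, error) {
	pan, ok := p.vault[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

// Authorize is the merchant-facing call: terminal blob in, token out. The merchant stores the token.
func (p *Processor) Authorize(blob []byte) (string, error) {
	pan, err := p.Decrypt(blob)
	if err != nil {
		return "", err
	}
	return p.Tokenize(pan)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real P2PE solutions inject per-device keys
	rand.Read(key)
	p, _ := NewProcessor(key)
	blob, _ := TerminalEncrypt(key, "4111111111111111") // industry test card number, not a real account
	tok, _ := p.Authorize(blob)
	fmt.Printf("merchant sees %d bytes of ciphertext and stores %s\n", len(blob), tok)
}
```

Run it with `go run`. Three properties worth observing map directly onto the scoping argument above: the bytes that cross the merchant’s network never contain the PAN, two swipes of the same card yield different ciphertext but the same token, and a token is only meaningful to the party holding the vault, so a database full of tokens is not cardholder data. Any bit flipped in transit makes Decrypt return an error rather than a corrupted PAN, which is why an authenticated mode such as GCM, not bare encryption, belongs in this flow.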
Data breaches paint a stark picture for the future of retail; hackers are becoming more sophisticated in a way that threatens to outpace security technology. That said, there are plenty of steps merchants can take to secure and safeguard sensitive payment card data. Starting with PCI compliance standards and fortifying from there is a solid plan. The key is to remember that security is a living, breathing thing that requires evolution and maintenance.