Why companies need a two-step plan to secure credit card transactions
It’s the latest in a long line of cybersecurity incidents involving a well-known brand: In April, Chipotle Mexican Grill notified customers that it detected "unauthorized activity" on a credit card payment processing system. This put the restaurant chain in a position no company wants to be in -- recommending that customers "closely monitor" their bank statements for unauthorized charges.
With the incident, Chipotle joins the ranks of high profile organizations that have suffered breaches of their payment processing networks. The impact proves damaging: A study from the Federal Reserve Bank of Boston found that only 35 percent of consumers believed their personal information was secure during credit card purchases before the Target breach in 2013. But after that breach, this low level of confidence plunged even further to 24 percent.
Clearly, these negative sentiments can lead to lost sales. As such, it’s essential to develop the most effective payment processing security policies and practices -- and to communicate what you’re doing -- to preserve brand reputation and customer loyalty. In the past, organizations invested heavily in traditional, perimeter-focused cyber defense tools such as firewalls and anti-malware protection to "keep the bad guys out."
While these solutions still serve a critical purpose and remain best practice, they are only one component of a complete security architecture. Even if you thwart outside adversaries from infiltrating your network, for instance, you remain vulnerable to threats from insiders such as disgruntled employees, ill-intentioned contractors and other parties with access to your information. More than two-thirds of security professionals, in fact, consider insiders their greatest security threat, according to a recent survey from security firm Bomgar.
With this in mind, there are two key steps organizations can take to protect payment data: encrypt the credit card data with an external PTS (PIN Transaction Security) and SRED (Secure Reading and Exchange of Data) certified payment device, and then enable tokenization.
Through encryption, you ensure that no "clear text" of credit card information is transmitted when you process sales. Customers swipe their credit cards, insert their EMV chip, tap their phone for Apple Pay, etc. at a point of sale (POS) device and the personal data -- including credit card account number, three-digit Card Verification Code (CVC) and any other sensitive detail -- is encrypted before it enters the merchant environment.
Then, via tokenization, the encrypted credit card information is replaced with a "token," a random string of alphanumeric characters that is useless to hackers who access it. To them, it’s just a sequence of numbers and letters. They can’t make sense of it, much less use it to reach the actual credit card data, because the merchant environment they’ve compromised does not have access to the clear cardholder data. Meanwhile, companies can store this representation of customer card information within their systems to maintain routine operations (e.g., processing returns to credit cards) with significantly lower risk.
With this two-step process, organizations are protecting data where it is most vulnerable: encrypting it in transit -- from POS terminal to payment processor and back -- and tokenizing the data at rest -- when it’s in storage on company networks.
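To make the tokenization step concrete, here is an added illustration (not FreedomPay code, and not from the original article) of the split the article describes: a processor-side token vault that holds the PAN-to-token mapping, and a merchant system that stores only tokens yet can still process a return. The PAN is assumed to have already arrived at the processor through the encrypted terminal-to-processor leg; class and method names are hypothetical.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault rejects malformed card numbers before storing them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class Processor:
    """Processor side: owns the vault. The PAN is assumed to reach here only via
    the encrypted terminal-to-processor leg; decryption has already happened."""
    def __init__(self):
        self._vault = {}        # token -> PAN; this mapping never leaves the processor

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            # random body plus the real last four, so receipts can show "ending in 1111"
            token = "tok_" + secrets.token_hex(8) + pan[-4:]
            if token not in self._vault:
                break
        self._vault[token] = pan
        return token

    def refund(self, token: str, amount_cents: int) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # the PAN is used internally to route the credit; only a masked form goes back
        return {"status": "refunded", "amount_cents": amount_cents,
                "card": "*" * (len(pan) - 4) + pan[-4:]}

class MerchantSystem:
    """Merchant environment: keeps tokens for returns, never the clear PAN."""
    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = {}        # order_id -> {"token": ..., "amount_cents": ...}

    def record_sale(self, order_id: str, pan: str, amount_cents: int) -> None:
        token = self.processor.tokenize(pan)
        self.orders[order_id] = {"token": token, "amount_cents": amount_cents}

    def return_order(self, order_id: str) -> dict:
        o = self.orders[order_id]
        return self.processor.refund(o["token"], o["amount_cents"])

def store_exposes_pan(merchant: MerchantSystem, pan: str) -> bool:
    """What a thief reading the merchant's order store would get: True if the PAN is there."""
    return any(pan in str(v) for v in merchant.orders.values())
```

`store_exposes_pan` is the check worth running against any system that claims to be tokenized: the full card number should not be recoverable from anything the merchant environment persists.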
There are many reasons why a company should consider this two-step approach, including:
The protection of revenues and customer base. Corporations lose $158 for every lost or stolen record, according to research from IBM and the Ponemon Institute, an information security research firm. This includes loss of business due to reputational damage and customer turnover.
To reduce the compliance burden. The Payment Card Industry Data Security Standard (PCI DSS) sets regulatory requirements for processing credit card transactions. For many merchants, this involves meeting the 329 requirements outlined by the PCI Security Standards Council in a standard Card Present merchant environment. But with a PCI validated Point-to-Point Encryption solution, it drops a merchant’s requirements to 33 controls. Obviously, that’s going to save your business immensely on compliance-related costs and time.
To avoid a credit card transaction shutdown. While it’s a rare occurrence, the PCI Security Standards Council, which is made up of the major payment card brands Visa, MasterCard, Discover and American Express, has the authority to halt credit card transaction processing while it investigates whether or not your company adequately safeguards payment card information. Suffice it to say, for most businesses, such a scenario would translate to massive and possibly insurmountable losses.
Let’s face it: No company wants its name to be synonymous with a breach. But if recent history has taught us anything, it’s that every organization should be prepared for an attack. As such, companies must protect data in transit from start to finish, and at the point where it resides, so that the sensitive data is rendered useless. Through encryption and tokenization, you make your information useless to hackers and allow your business to conduct sales seamlessly and safely -- with the hard-earned trust of your customers fully intact.
Matt Donnelly is the Vice President of Security and Solutions at FreedomPay. Serving as the company’s security expert, Matt drives enhancements and product development for FreedomPay’s portfolio of PCI validated payment solutions, and advises partners and clients on industry trends, payments security and adherence to the PCI Council’s strictest requirements.