How Merchants Can Mitigate Payment Security Risks: PA Interviews Dan Edmiston
Payments Africa recently sat down with Dan Edmiston, CEO of MyGate, a secure payment processing provider for global payments, to talk about security in the payments industry. Dan explains the various risks that merchants face when taking credit card payments and what the industry is doing in order to mitigate these risks.
There has been a lot of news about credit card breaches recently… What is the payments industry doing to protect merchants and consumers?
It has been a challenging year for acquirers, payment processors and merchants. Quite of few of the major breaches recently were related to card-present payment processing where card details were compromised while a purchase was being processed in the merchant’s network. For example, the security breach at US retailer Target, which led to over 40 million customers’ card details being compromised, was believed to have involved hacking into the retailer’s network that connects their point-of-sale terminals in their stores.
The increase in security breaches has led to a renewed effort by banks and industry associations to ensuring that merchants that store and process card data comply with PCI DSS. PCI DSS, or Payment Card Industry Data Security Standard, is a set of standards all merchants and payment processors must adhere to in order to ensure the security of stored and processed card data within all environments.
Who is imposing these standards and what are they?
PCI DSS was created by the PCI Standards Security Council which represents MasterCard, Visa, JCB International, American Express and Discover. Some examples of the standards imposed are regular monitoring and testing of networks and systems that carry payment card data, implementation of a company Information security policy, installation of firewalls to protect data, standards around employee password creation, and procedures around employee access to company systems storing payment data.
What are the risks that merchants face in storing card information?
Besides the fines and penalties imposed on merchants when there is a breach, a company risks devastating reputational damage which results in a loss in sales as customers lose confidence in a merchant’s ability to process their payments securely.
How can merchants mitigate those risks?
The two main areas of focus in card-not-present processing have been where the card details are being entered and where they are being stored. Many merchants think they are protected because their data is encrypted. However, cyber criminals are becoming increasingly more sophisticated and by simply relying on data encryption merchants can be left vulnerable and open to a security breach.
When it comes to the submission of card details, merchants can mitigate risk by opting for hosted payment pages, which allow them to have a customised payment page hosted within the payment processor’s environment. Since the payment page is hosted on the payment processor’s secure servers, all of the highly regulated security required for PCI DSS compliance is taken care of for the merchant.
When it comes to storage of payment details, I have always said that if your payment processor offers solutions that allow you to accept card payment without storing card details, then why take on the associated risk of storing them? If you don’t store card details, they can’t be stolen from you.
Merchants also need to understand where their business sits within the PCI DSS scope. Mature payment processors can help the merchant to understand this as well as advise on ways that a merchant can integrate with the payment processor to reduce risk and scope.
What are some of the new technologies being implemented and researched to strengthen security in payments?
The biggest trend we have seen around the strengthening of security is the use of tokenisation for card- not-present payment processing. Tokenisation eliminates the storage of card details by the merchant while still enabling them to process card payments by replacing the card details with a unique token. A major driver for the move to tokenisation has been merchants’ realisation that offering other credit card payment options that require storage of card details is attractive to the customer. Some of the credit card payment options driving tokenisation are recurring payments, 1click payments and subsequent card transactions.
How does tokenisation work?
When a merchant uses tokenistation, credit card details are replaced by a unique token and the credit card data is then stored safely in a credit card ‘vault’. These secure ‘vault’ databases are maintained under strict conditions compliant with the PCI DSS. Tokenisation removes a cardholder’s details from the transaction process so that when a subsequent transaction is processed only the token is required.
Are there circumstances that would call for merchants to store card information?
No, none whatsoever. If your payment processor does not offer solutions that eliminate storage of card details from your environment – get a new one.
What developments in payment security do you predict over the next 3 years?
With deadlines for implementation of EMV in the US by 2015, we are going to see a shift in fraud moving from card-present to online. In South Africa, there is a big push for all merchants and cardholders to be enrolled with 3D Secure, which is an additional security layer for online card transactions. The additional security layer essentially requires an additional step for user authentication through the use of a one-time password (OTP). This reduces the risk of a card’s details being used online even if the data is compromised.