Last year brought significant changes for security and fraud prevention in the U.S. payments industry, in particular the House Financial Services Committee’s recent decision to advance the Data Security Act and the activation of EMV chip rules that security professionals have advocated for years. While these are steps in the right direction, securing the payments sector will be even more challenging as new payment methods expand, mobile payments usage grows and criminals look to reap the rewards of new attack vectors.
What does all that mean for the industry over the next year? Here are my top predictions for payments security, as well as the challenges and opportunities businesses will face this year as these predictions become reality.
- EMV standards won’t devalue PCI data for criminals.
Some believe that stolen PCI data will lose black market value as EMV becomes widespread across U.S. retailers. Not so. EMV is designed purely to authenticate the payment card at the time of acceptance; it does not protect the sensitive PCI data as it is transmitted to the payment authorization network. While creating bogus EMV cards is certainly very difficult, stolen card information may still be used to perpetrate fraud in magstripe and eCommerce payment acceptance environments, and criminals will continue to buy and sell PCI data on the black market.
EMV has a positive effect on payment fraud prevention, but does not address data security. Payment-accepting businesses should strive to protect all sensitive data at the moment of acceptance. Using data-centric security, such as point-to-point encryption (P2PE) and tokenization, preserves the format of the data while protecting it so that it can be stored and exchanged between parties safely.
- Security of the data itself needs to be of equal, or greater, priority than EMV.
It is important to note the difference between data security and fraud prevention. EMV is designed to prevent fraud – fraudulent cards or fraudulent users of cards – from entering the system. Data security is the safe transmittal of accurate, valid payment information through the payment process. EMV does not help with the safe transmittal and ultimate storage of those card values.
Despite the growth of EMV across the payment ecosystems of the world, data security projects need to be weighted at an equal or higher priority than EMV adoption, because the financial and reputational impacts of data breaches are much more significant than those of individual fraud instances. The costs of resolving a data breach are enormous compared with fraud. Typically fraud represents a low percentage of overall transactions, averaging anywhere from a fraction of a percent up to 5 percent of sales. This amounts to minimal financial exposure when compared with the cost of a data breach. Encryption or tokenization eliminates the consequences of a data breach, and thus has a large return on investment.
- More businesses will want to know how the P2PE Validation Standard affects them.
The PCI Security Standards Council (PCI SSC) recommends P2PE as a best practice to protect PCI data as it travels through the authorization process. In June 2015, the PCI SSC published its second version of the P2PE Validation Standard. Any business using a P2PE solution that has been successfully validated against this standard may consider all of its payment systems ‘out-of-scope’ for PCI Data Security Standard (DSS) compliance. This can represent significant time and cost savings – sometimes as high as 90 percent – for payment-accepting businesses working to achieve or maintain PCI DSS compliance.
It is anticipated that the businesses most interested in having solutions validated against this standard are those that offer merchant services to retailers, such as payment processors/acquirers and gateways. These businesses need a simple way to demonstrate that their P2PE solution(s) adhere to the PCI P2PE standard, which makes it easier to sell their services to retailers.
Retailers can be confident that choosing a validated P2PE solution will remove sensitive PCI data from their payment acceptance environments, and help simplify the compliance process.
There is no doubt that payments technology brings new revenue opportunities for organizations, but it is important to keep in mind the potential impact of a data breach. Organizations must also worry about brand reputation and maintaining customer trust, which can both suffer from a cyber attack. Looking ahead, it is imperative that organizations make security a priority, focusing on P2PE and tokenization solutions that protect sensitive data.