Recent high-profile consumer and payment information breaches have set consumers on edge and delivered significant blows to several companies’ reputations. If data breach stats from 2017 are any indication, merchants are still the biggest target at which hackers are aiming.
However, we still are allowing unsecure point-of-sale (POS) installations into the webstore, mobile and instore market and not requiring best practices from all stakeholders. It’s time we start holding everyone responsible.
The technology behind how payments are being delivered is advancing quickly. Unfortunately, standards and systems aren’t evolving fast enough to keep up. The payment processor part of the chain is highly regulated, of course, with PCI and PCI DSS standards and best practices. But to get to that point of any transaction, you first need a front-end interface at the point-of-sale. Everyone that touches this point in the payment chain needs to be accountable, too.
Here are some easy-to-implement best practices that go beyond merely staying PCI compliant:
Merchants need to upgrade to the newest versions of their POS software every time they are offered. Legacy software makes everyone vulnerable. Regular software upgrades should be standard best practice. Secondly, merchants need to get picky and only work with vendors that meet highest criteria of security. Finally, merchants need to get personally identifiable information (PII) and cardholder data out of their everyday environments by never touching or storing data.
Software providers need to step up the security. While many good software providers are working hard to lock down their systems and fully encrypt PII and card data, there are still many that leave back-doors open and the merchants holding the bag when a breach occurs. To shore up the software’s security, providers and their partners need to combine four things on every system, every time by using end-to-end encryption (E2EE) at the POS ensures that cardholder data is fully-protected from the moment it enters the payment stream.
Also, when an EMV chip card is used at a card-present POS terminal, the microchip generates a dynamic code that authenticates the card preventing it from being copied.
And tokenization should be used for stored data. This replaces card account information with “tokens” generated by a third-party service provider and does not require merchants to store any card data. There is no way for hackers to use them as there is no card number associated with that piece of data.
Network tokenization literally removes the card data from inception of an online or mobile commerce transaction.
Payment providers need to secure their own infrastructure and only allow providers that have reached highest levels of security, implementing all the security measures listed above, into their environment.
There is no room to settle for anything less as we move forward. While the industry is making strides toward tighter payment security, we all need to more proactively together make breaches a thing of the past.