Securing Payment Card Data: Three Actions to Take Now
In the retail world, there is often a misguided mindset of “fire and forget” when it comes to payment data security. The PCI DSS and EMV boxes have been checked, so it’s time to sit back and relax in total security bliss – right?
While your PCI compliance assessments are an important step in your company’s overall security strategy, it’s wrong to assume that true payment security is something you achieve once and forever. No single validation, update or implementation can guarantee that – not even EMV. Rather, payment security is a constantly moving target that requires steady attention and action in order to keep your payment processing environment protected. Hackers and their malware are always evolving and adapting, and you must do the same if you want to avoid falling victim to one of them.
Don’t get me wrong, EMV is certainly a welcome addition to the payments landscape; however, it is not the be-all and end-all security savior it has been described as. EMV should be treated as one piece of your much larger payment security puzzle. In fact, it is more of a card-authentication tool than an actual card-data security tool. Be wary of those who oversell EMV beyond what it is actually capable of.
Instead, consider three ways to reduce your risk and better secure consumers’ payment card data:
Use a layered approach to payment security.
Merchants should create an environment where security tools are layered for maximum coverage. Each tool serves a specific purpose in shrinking your card data environment – lessening the scope of your PCI DSS assessments and lowering the risk of experiencing a breach. When used together, they become a much more versatile and stronger security toolbox.
- EMV: People often misunderstand the purpose of EMV chip cards. EMV is a microchip placed on a debit or credit card that authenticates and validates the card during the transaction. Its primary purpose is to prevent the use of counterfeit cards, which is only one of the many payment data security concerns for merchants. This is why EMV is a very limited security measure on its own, and should always be combined with other solutions, such as P2PE and tokenization.
- Point-to-Point Encryption (P2PE): For P2PE to be effective, you need a solution that encrypts all cardholder data (CHD) at the point it first interacts with a payment device, preventing card data from ever entering your point of sale (POS) or property management system (PMS) in unencrypted form. This reduces the scope of your PCI DSS assessments and eliminates a major vulnerability.
- Tokenization: To simplify PCI compliance and assure that CHD is never stored in your payment systems, look for a tokenization solution that replaces sensitive card data with a random, unique, alphanumeric value. Make certain that these tokens are not mathematically derived and that they have no value if lost or stolen. With the one-two punch of P2PE and tokenization, merchants can free themselves from the burden of storing, processing, or transmitting sensitive CHD.
This layered security approach helps you move into a security framework where card data doesn’t reside in your payment processing environment. This makes it incredibly time-consuming and inconvenient (if not nearly impossible) for hackers to steal this lucrative data.
Regularly check the tools and operations within your environment.
In order to ensure that your payment system is as secure as possible, you should always follow these guidelines:
- First and foremost, you should carefully select high-quality payment security solutions and install them properly within your environment.
- Once installed and running, these solutions should be evaluated frequently. You need to get into the habit of regularly monitoring the solutions and operations within your own environment and updating them as needed to ensure that they are secure and PCI compliant. One forgotten server, poorly secured entry point or weak password can be all hackers need to wiggle their way in and help themselves to a buffet of all-you-can-steal card data before you even know it happened.
- Be sure that the individual(s) you are relying on to maintain the integrity of your operating environment have the ability and clearance to make informed decisions rapidly when necessary.
Make sure all tools are being implemented and used according to PA-DSS implementation guides.
Refer to the PA-DSS (Payment Application Data Security Standard) implementation guides to ensure that you install new solutions or update existing ones correctly. You should treat these implementation guides as the “PCI gospel,” as they provide detailed information about how your business can implement a payment application securely and accurately, as well as your responsibilities for maintaining security in order to be PCI compliant with a particular security technology.
Here’s what the PCI DSS has to say about ensuring a compliant environment:
“Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).”
Securely implementing payment applications is an important aspect of your PCI DSS compliance. And, although we recommend taking further steps to maintain an environment that provides security above and beyond compliance standards, being compliant is the minimum standard to meet prior to exceeding it.
Your goal is to put in place every roadblock possible to keep cyber criminals from running away with CHD. Unfortunately, the fortification that works perfectly today may develop a chink in its armor as time goes on if you are not performing regular checks on your environment. With today’s hackers being organized and funded by nation-states, false nation-states and even terrorist organizations, maintaining the security of your payment processing environment isn’t just harder – it’s more important than ever before.
Keep in mind that security is not a check-box item that you set and forget. It’s an ongoing process that requires diligent, detailed attention. Partnering with like-minded solution providers will help you keep up to date with compliance requirements, address the latest threats, seal off any new attack vectors, and keep your customer’s sensitive payment data safe. You have put a lot of time, money, and effort into establishing your brand; investing adequate time and resources into a robust security posture is how you safeguard those efforts and capitalize on them for many years to come.
As always, be smart and vigilant.
J.D. Oder II serves as Shift4’s CTO and SVP of Research and Development. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. J.D. is the architect of the DOLLARS ON THE NET® payment gateway solution. He is credited with introducing tokenization to the industry in 2005 and was also an early adopter/member of the PCI Security Standards Council.
Edited by Stefania Viscusi