Payment Security in 2015 and beyond (Part 1)
From the first credit card-reading terminals in the 1970s to the completely mobile digital wallets today, payment processing technology has come a long way. In 2015, it has become easier than ever to not only accept credit card payments, but integrate payment processing to ERP systems, online stores, and mobile devices that send and receive payment data on-the-fly. With these innovations, the growing number of businesses in the world, and the heightened sensitivity to information brought on by the internet, comes a marked increase in the number of reported payment data breaches—and corresponding security solutions.
Physical solutions like EMV chips and their readers, and digital solutions like tokenization, have led the way in modern payment security, although neither is yet required by PCI DSS.
Today’s Payments, Processing, and Security Climate
Worldwide usage of non-cash payments grew steadily at a rate of about 7 percent per year between 2007 and 2012; the number of payment options available to consumers has grown in past decades in response to the needs of consumers and the overall climate of data security (or lack thereof) across the world, and, at the same time, the per capita cost of data breaches is rising in many countries.
Modern payment options include magnetic stripe-reading terminals and more advanced EMV chip-reading terminals, online payment portals, and mobile payment apps. In turn, credit card processing options have advanced to include online virtual gateways and ERP system integrations, designed to streamline payment procedures and, as of late, to increase overall payment security.
With most of the data breach attention given to larger companies like Home Depot, Target, and Sony, one must not forget that most of the companies targeted in breaches are small businesses: 70% of them, in fact. Furthermore, when a small business's data is breached, it has a 60% chance of closing its doors in the six months following the attack.
Advances in payment security, though significant, have not completely deterred hackers and other fraudsters. Although the number of reported data breaches worldwide has dropped two years in a row, it’s probably too soon to base future activity on that trend, especially given the developing nature of security enhancements and the ever-growing number of mobile payments users.
Typical Purchasing Behavior and Payment Options
Although in-store purchases still constitute the vast majority of retail transactions (90% in 2013), the share of eCommerce purchases has grown slowly but consistently and is projected to rise from 6.4% to 8.9% of all retail purchases by 2018. eCommerce and MOTO (mail order/telephone order) transactions dominate the B2B realm simply because of the nature of those businesses; it only makes sense in a few special cases for businesspeople to present physical credit cards to other merchants to make purchases for their own businesses. Thus, while the card-present environment still rules the purchasing world by a great margin, today's more tech-savvy consumers and most business owners are more inclined to use a modern, online payment option, which will make those particular methods ever more important in years to come.
Stages of Risk & the Vulnerabilities
Data processing occurs in three different steps during the life cycle of a credit card transaction:
• In use – When a customer first swipes a credit card through a machine, or a salesperson enters a customer's credit card information into a credit card terminal or computer program, and the card data sits in the terminal's or computer's memory before it is sent for processing.
• In transit – When the data travels from the merchant's office or payment gateway to the credit card processor, the merchant acquirer, and the card-issuing bank.
• At rest – After the transaction settles, when the information is stored on a server or in a database, ready for re-use (for recurring billing, refunds, or a card on file).
As we will see, hackers and fraudsters can exploit natural vulnerabilities of older payment formats at any of these three stages.
Many of today’s payment modules suffer from outdated technology. At the time of their development, their security features were best in class; currently, however, this is simply not the case. There are security flaws with nearly every payment option:
Magstripe-reading credit card terminals expose data in use and in transit.
Fraudsters can fit physical skimming devices of all shapes and sizes to card-reading terminals, capturing the track data as the card is swiped, and can plant memory-scraping malware on the point-of-sale system to harvest card numbers after they are read and before (or while) they are sent for processing. Magstripe track data is static plaintext: a captured copy can be written onto a counterfeit card and replayed, and nothing on the stripe lets the issuer tell the copy from the original.
Virtual gateways & ERP integrations expose data at rest.
While an improvement on the security level of magstripe-reading terminals, a virtual gateway does not help if the card data it handles is then stored on the business's own server rather than replaced with tokens: a compromise of that server (or of a gateway that itself stores card data) yields usable credit card numbers. This flaw applies to payment integrations with ERP systems as well, since a virtual gateway is, as it were, the engine behind the integration, and the ERP database becomes the place where card data comes to rest.
Solutions Designed to Combat Modern Vulnerabilities
Data breaches in 2013 alone put the shortcomings of older payment security methods (and online security systems in general) squarely into the spotlight, as more than 822 million customer records were compromised over a total of 2,164 separate breaches worldwide, over double the number of breaches for 2011, the next-highest year. The following solutions solve or significantly abate the security problems merchants expose themselves to by using outdated payment technology:
EMV chip-reading credit card terminals protect data in use.
This replacement for the older magstripe-reading terminal is more effective than its predecessor because rather than simply reading a magnetic stripe, which only provides static (unchanging) information about a credit card, it reads and communicates with the card's EMV chip, creating a dialog that includes information about the transaction. The chip holds a secret key that never leaves it and uses that key to compute a cryptogram over transaction data such as the amount, a random challenge from the terminal, and the card's own transaction counter; the issuer verifies that cryptogram, so a recording of one transaction cannot be replayed as another. This dynamic aspect, combined with the requirement of either a PIN or a signature to use these cards, makes the EMV chip and reader combination much more secure than the standard magstripe reader against counterfeit cards.
With these points in mind, it is still important to note that while EMV chips assign dynamic values to transactions, the information passing between the chip and the terminal is not encrypted: the card number itself is read in the clear, so a compromised terminal or point-of-sale system can still harvest card numbers for use in card-not-present (online or MOTO) fraud. Encryption is possible in other ways, however, and is best used as a security measure in tandem with EMV readers.
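The following is an added illustration, not code from the original article, of the static-versus-dynamic contrast described above. It is a deliberately simplified model: the card's cryptogram is an HMAC over the transaction fields rather than EMV's actual 3DES session-key scheme, and the card key, PAN and amounts are constructed test values. It shows that skimmed magstripe data authorizes on replay, that a captured chip response does not (the terminal's fresh unpredictable number and the card's transaction counter both defeat it), and that the PAN is nevertheless visible in the clear in the chip exchange.

```python
import hashlib
import hmac
import os

# Constructed test values: a well-known test PAN (not a real account) and a
# hypothetical per-card key shared only between the chip and the issuer.
PAN = "4111111111111111"
EXPIRY = "2512"
ISSUER_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


# ---- Magnetic stripe: the same static track data is read on every swipe ----
def magstripe_track(pan: str = PAN, expiry: str = EXPIRY) -> str:
    return f"{pan}={expiry}"  # stand-in for Track 2 data


def issuer_authorize_magstripe(track: str) -> bool:
    # The issuer can only check that the static data is on file; a skimmed
    # copy of the track is indistinguishable from the genuine card.
    return track == magstripe_track()


# ---- EMV-style chip: the card authenticates transaction data with its own key ----
class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0  # atc = application transaction counter

    def generate_ac(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        data = f"{self.pan}|{amount_cents}|{unpredictable_number.hex()}|{self.atc}".encode()
        cryptogram = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        # The PAN is returned in the clear: the cryptogram protects the
        # authenticity of the transaction, not the confidentiality of the card number.
        return {"pan": self.pan, "atc": self.atc, "arqc": cryptogram}


class ClonedCard:
    """Attacker device that replays a captured chip response whatever the challenge."""

    def __init__(self, captured: dict):
        self.captured = captured

    def generate_ac(self, amount_cents: int, unpredictable_number: bytes) -> dict:
        return dict(self.captured)


def terminal_transaction(card, amount_cents: int) -> dict:
    # The terminal contributes a fresh unpredictable number to every transaction
    # and forwards it, with the card's response, in the authorization request.
    un = os.urandom(4)
    response = card.generate_ac(amount_cents, un)
    return {"amount": amount_cents, "un": un, **response}


class Issuer:
    def __init__(self, card_keys: dict):
        self.card_keys = card_keys
        self.last_atc = {pan: 0 for pan in card_keys}

    def authorize(self, request: dict) -> bool:
        key = self.card_keys.get(request["pan"])
        if key is None:
            return False
        data = f"{request['pan']}|{request['amount']}|{request['un'].hex()}|{request['atc']}".encode()
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["arqc"]):
            return False  # cryptogram does not match this terminal's challenge and amount
        if request["atc"] <= self.last_atc[request["pan"]]:
            return False  # counter reuse: this card response has been seen before
        self.last_atc[request["pan"]] = request["atc"]
        return True


def demo() -> dict:
    issuer = Issuer({PAN: ISSUER_CARD_KEY})
    genuine = ChipCard(PAN, ISSUER_CARD_KEY)
    results = {}

    # Skimmed magstripe data authorizes again and again.
    results["magstripe_replay"] = issuer_authorize_magstripe(magstripe_track())

    # Genuine chip transaction, with an attacker eavesdropping on the card's response.
    first = terminal_transaction(genuine, 1999)
    results["chip_genuine"] = issuer.authorize(first)
    captured = {k: first[k] for k in ("pan", "atc", "arqc")}
    results["pan_visible_on_wire"] = captured["pan"] == PAN

    # Replaying the captured response at another terminal fails on the cryptogram
    # (new unpredictable number); replaying the exact original request fails on the counter.
    results["chip_replay"] = issuer.authorize(terminal_transaction(ClonedCard(captured), 1999))
    results["chip_exact_replay"] = issuer.authorize(first)
    return results


if __name__ == "__main__":
    print(demo())
```

The `pan_visible_on_wire` result is the point of the caveat above: the chip defeats counterfeiting, but a tapped terminal still sees the card number, which is why encryption between the terminal and the processor is layered on top of EMV.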
Encryption protects data in transit.
Encryption does not prevent customer credit card data from being intercepted; instead it uses a cryptographic algorithm to scramble the data at the point of capture, making it unreadable to any would-be hackers who successfully intercept it. In the model described here, often called point-to-point encryption, the credit card processor deploying it holds the decryption key, the merchant's systems never do, and the processor can handle transactions protected in this way as it would any other. Data protected by encryption is not completely immune to compromise, but with a modern cipher and a properly managed key, the weak point becomes the key itself rather than the ciphertext, so the security of the scheme rests on keeping the decryption key out of the merchant environment.
Tokenization protects data at rest.
Tokenized gateways, while identical in form to their non-tokenized predecessors, replace real credit card numbers with substitutes, called tokens, that are generated by the processor and mapped back to the real card number only inside the processor's vault. The tokens serve as viable stand-ins for the actual credit card numbers when they are re-used (in automatic billing, for example), and, in the unlikely event a merchant's database or a processor's virtual vault were hacked, the perpetrators would not be able to use the tokens, since they are not card numbers and cannot be turned back into card numbers without the vault.
In addition to standing alone, a tokenized gateway can be designed to integrate directly with another product, such as an accounting system, providing the same back-end security as if it were a standalone product. Apple has taken the concept a step further, applying it to its completely mobile payment solution, Apple Pay. Apple Pay allows customers to link their credit cards to their Apple mobile devices so they can purchase items without touching an actual credit card. Apple Pay tokenizes credit card data, making the solution at once very modern and quite safe.
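As an added example, not code from the original article or from any gateway vendor, here is a minimal token vault of the kind described above. The in-memory dictionaries stand in for the processor's vault (a real vault would encrypt its storage and gate access), and the PANs are standard test numbers. The example shows the properties that matter: tokens are random rather than derived from the card number, they keep the last four digits for receipts, they deliberately fail the Luhn check so they can never be mistaken for or used as a card number, the same card yields the same token so a merchant can store it for recurring billing, and only the vault can map a token back to a PAN.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by real card numbers; tokens are generated to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: the only place the PAN-to-token mapping exists."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # multi-use token: same PAN, same token
        while True:
            # Random body, last four preserved for display; never a valid PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, inside its own boundary."""
        return self._token_to_pan[token]  # raises KeyError for an unknown token


def merchant_card_on_file(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the merchant's ERP/accounting database ends up holding: no PAN."""
    token = vault.tokenize(pan)
    return {customer_id: {"token": token, "last4": token[-4:]}}


def recurring_charge(vault: TokenVault, merchant_db: dict, customer_id: str) -> str:
    """Merchant submits the stored token; the processor resolves it to the PAN."""
    return vault.detokenize(merchant_db[customer_id]["token"])


if __name__ == "__main__":
    vault = TokenVault()
    db = merchant_card_on_file(vault, "customer_42", "4111111111111111")  # constructed test PAN
    print("merchant stores:", db)
    print("processor charges:", recurring_charge(vault, db, "customer_42"))
```

Note what a breach of the merchant database yields here: `db` contains only the token and the last four digits. Without `vault`, which lives with the processor, that token cannot be resolved to a card number, and because it fails the Luhn check it will be rejected anywhere a card number is expected.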
About Century Business Solutions
Founded by a management team of payment industry professionals, Century Business Solutions is committed to providing cutting-edge payment processing technologies to save its customers time and money. Century Business Solutions is a Gold Certified Microsoft Dynamics NAV partner, delivering integrated payment processing solutions to Dynamics NAV & Dynamics GP users.
The post Payment Security in 2015 and beyond appeared first on goERPcloud.