By Ashish Thapar, a managing principal on the investigative response team at Verizon.

It’s that time of year again. Summer is well and truly here, barbeques are roaring and shopping centres are humming with consumers seeking refuge from the heat. This period marks the beginning of a new year for retailers, and they are crossing their fingers that 2018 will be a bumper one. Whatever this period brings, one thing is certain: a significant portion of consumer spending will be done online. In 2016, Australians spent $21.65 billion shopping online. That is an increase in total spend of 10.4 per cent compared to 2015, and the trend is moving ever upward.
Shopping on mobile devices is also rising in popularity, up 52 per cent in Australia from 2015 to 2016, and purchases now often involve multiple devices. A consumer might research a purchase on their laptop, check availability on their smartphone, and pay using their smartwatch.
With the shift towards omnichannel retail experiences, it’s crucial that businesses keep customer data, including payment card data, secure across all devices and channels.
The evolution of card security
Credit, debit and prepaid cards have been around for decades and over the years many security measures ranging from holograms to sophisticated electronic features have been added. These measures have made it more difficult to use stolen cards and create counterfeit cards – but criminals haven’t just given up: instead, they’ve shifted their attention towards Card Not Present (CNP) attacks. These include transactions made via mail order/telephone order (MOTO) or online—the latter being a particular target, driven by the meteoric growth of e-commerce.
Card brands are experimenting with a number of new features to address this growing form of crime. These include cards with an electronic display that generates a new code every 30 seconds. At this stage the only one to have made it to widespread use is 3D Secure – a form of two-factor authentication. When attempting an online transaction, the cardholder is presented with an additional form asking for a password – if they haven’t created one yet they must enter additional personal information, such as their date of birth, to create one.
As well as changing cards, issuers are looking at how to improve fraud detection. This has the benefit of being invisible to the user, so it won’t put them off making transactions. One promising method, possible thanks to our reliance on mobile devices, is using location data from the user’s smartphone to verify that they are where the transaction is happening. If they’re not, the transaction can be blocked or additional verification requested. Fraud detection approaches based on artificial intelligence are also being evaluated to take this to the next level.
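The location check described above, as an added example (not Verizon's code or any issuer's production logic): it assumes a hypothetical DeviceFix record from the cardholder's enrolled phone and uses constructed coordinates, and it treats a missing or stale fix as "unknown" rather than as fraud.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class DeviceFix:
    """Last location reported by the cardholder's enrolled phone (hypothetical model)."""
    lat: float
    lon: float
    accuracy_m: float   # radius of uncertainty reported by the phone
    age_s: int          # seconds since the fix was taken


def assess_location(txn_lat: float, txn_lon: float, fix: Optional[DeviceFix],
                    allow_km: float = 2.0, block_km: float = 200.0,
                    max_age_s: int = 900) -> str:
    """Return 'allow', 'step_up' or 'block' for a transaction at (txn_lat, txn_lon).

    No fix, or a fix too old to mean anything, gets step-up verification rather
    than a hard block, so a switched-off phone alone never declines a purchase.
    """
    if fix is None or fix.age_s > max_age_s:
        return "step_up"
    distance = haversine_km(txn_lat, txn_lon, fix.lat, fix.lon)
    # Widen the allow radius by the phone's own reported uncertainty.
    if distance <= allow_km + fix.accuracy_m / 1000.0:
        return "allow"
    if distance >= block_km:
        return "block"
    return "step_up"


if __name__ == "__main__":
    # Constructed sample: a point-of-sale terminal in central Sydney.
    pos = (-33.8688, 151.2093)
    print(assess_location(*pos, DeviceFix(-33.8688, 151.2093, 50, 60)))  # allow
    print(assess_location(*pos, DeviceFix(-37.8136, 144.9631, 50, 60)))  # block (Melbourne)
    print(assess_location(*pos, DeviceFix(-33.4188, 151.2093, 50, 60)))  # step_up (~50 km)
    print(assess_location(*pos, None))                                    # step_up
```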
But adding security measures is just part of the answer. Retailers must ensure the measures they have in place are robust enough to stop their customers’ data from being left vulnerable – as a data breach could ruin everyone’s summer.
Protecting data during and after the transaction
Retailers need to protect data during the transaction, after a payment is made and when it is stored. My top recommendations for retailers are:
Be vigilant for evidence of device tampering to protect against card-present breaches. You need to conduct regular checks of all devices which capture payment data. Train employees/cashiers to recognise signs of tampering and make sure devices are stored securely when not being used.
Encrypt data using the latest, most secure methods. Websites and apps need to be built using secure coding practices and the latest version of Transport Layer Security (TLS). For in-person payments, point-to-point encryption (P2PE) will protect data from the point-of-sale (POS) until it reaches a secure decryption environment.
Secure cardholders’ data by segregating your network zones, ensuring systems, network devices and applications are hardened, and conducting robust monitoring with effective incident response controls.
Make sure you and any third parties processing your customers’ payment cards have robust identification and access policies. This includes changing all default passwords, using strong authentication and ensuring users don’t share accounts. You should not keep any more data than you absolutely need, keep it longer than you need to, or give anybody access to it unless they need it to do their job. This is all simple security hygiene, but it’s astounding how many companies get these basic things wrong.
Invest in your employees. They can be your greatest asset or your biggest weakness. Provide them with training so they can identify threats, raise the alarm when necessary and monitor and measure the effectiveness of security controls. This is crucial to building a sustainable control system that will stay effective as the company and the threat landscape inevitably change.
Verizon’s research revealed cyberattacks target businesses of all shapes and sizes, and just one data breach could have a long-lasting impact on your company’s reputation. If you want to reduce the chances of it happening to your organisation, PCI DSS compliance will help. It covers all the above security measures plus many more.
Being compliant with PCI DSS doesn’t guarantee protection, but it goes a long way. As outlined in the Verizon 2017 Payment Security Report: of all the payment card data breaches investigated, not one organisation was 100 per cent compliant when the breach occurred.
The safety of your customers’ data isn’t just about passing a one-off test. Your security controls will be tested every day and they need to be strong and resilient. Customers put their trust in you every time they make a purchase. Don’t let them down!