Magazine Article | August 20, 2009

Payment Security, PCI Compliance: Where's The Risk Now?

Source: Innovative Retail Technologies

Industry experts explain why it is imperative for retailers to remain perpetually vigilant of payment security risks and how to avoid such risks.

Integrated Solutions For Retailers, August/September 2009
Payment security is an ongoing challenge for retailers of all sizes, and, as every retailer knows, gaining and maintaining it is no easy task. Payment security standards will evolve as new threats and technologies emerge, so the most effective strategy is one that prepares you for the future while protecting your data and your customers' data today. I recently spoke to industry experts about the current and future status of payment security and whether tier-one retailers should feel secure from a PCI (Payment Card Industry) compliance standpoint.

Debit Trumps Credit In A Down Economy

According to a recent Federal Reserve Payments Study, electronic payments now account for more than two-thirds of all noncash payments in the United States, and debit card payments now exceed credit card payments. Some of the increase in electronic payments reflects changes in the financial behavior of consumers and businesses, particularly their choice of payment instrument: electronic payments are being used in transactions where checks or cash would once have been used. In addition, industry experts agree that the current economic climate is driving consumers' use of electronic payments, particularly debit over credit. "People are embracing financial responsibility, and credit is hard to get," says TK Cheung, VP for global quality and security at Hypercom, a provider of electronic payment solutions and value-added services at the point of transaction. "As far as card payments in general are concerned, the convenience factor for the consumer continues," says Stuart Taylor, VP of global solutions and marketing at Hypercom. "Consumers have been conditioned to understand that we don't need to carry a lot of cash, as electronic payments are a convenience. Debit over credit is a result of the current economic climate. Although some card brands have been pushing debit over the last five years, people are starting to spend what they have as opposed to continuing one or multiple credit lines."

Indeed, today's consumer is credit-strapped because of the economy. "The shift from credit to debit started a few years ago as consumers started to wise up about interest rates," says Christopher Justice, president of Ingenico North America, a secure electronic payments provider. "Consumers realize they do not want to pay interest on a $7 purchase from McDonald's. But as of late, consumers are being laid off, and credit rates are dropping. As a result, consumers' options are limited in terms of their ability to pay for the things they need." People are therefore spending what they have in their checking accounts, which is why debit is becoming the most popular form of payment in the United States.

Maintain Compliance, Avoid Payment Security Risks
Whether consumers pay by credit or debit, payment security should be of the utmost concern for retailers. The Payment Card Industry Data Security Standard (PCI DSS), first introduced in 2004, provides strict requirements for improving payment security for you and your customers. Keeping your business flexible and responsive to emerging payment security threats is crucial. As many tier-one retailers strive to gain PCI compliance, it is important for all retailers to realize that risks remain and will continue to arise. "Compliance is measured at a date and time," says Jeff Wakefield, VP of marketing at VeriFone, a secure payments solutions provider for debit, credit, EMV (Europay, MasterCard, and Visa), and contactless. "Retailers of any size find it challenging to put a lock on PCI compliance. The bigger risk is maintaining 24/7 compliance across every store and every device, network, and employee over every system you have. Criminals are going after every system."

If you cannot maintain compliance with the 12 PCI DSS requirements and their more than 200 sub-requirements across all devices and all employees, you run a tremendous risk of being breached. Malik Velani, global product manager at Postilion, a payments software solutions provider, concurs. "PCI certification does not mean achieving certification at a given point, but ensuring that the environment always 'maintains' compliancy," Velani says. "The idea is to guarantee that the environment is always compliant via frequent audits of the environment and using PA-DSS [Payment Application Data Security Standard] validated applications. The risk is always at the weakest link [i.e. any entity that processes sensitive data and is not PCI-compliant or does not have a strong plan around data security]."

The Importance Of End-To-End Encryption
Payment security risks will continue to play a role in retail, as hackers and organized retail crime groups will continue to target sensitive data, and the risk moves around the globe. So the questions are: where is the risk now, and where is it going? "Where we're going to see the most risk is where the card is not present, such as online transactions where you don't have to present the card," says Cheung. "Obviously card associations are therefore implementing additional security on those fronts to try to authenticate the card, which is the key." Card-not-present transactions carry risk, but card-present transactions (e.g. debit card use at the POS) present risks as well. "There's a dialogue starting on end-to-end encryption [i.e. sensitive data that travels over a network and is securely encrypted from the point of data entry to the point where the data is processed]," says Taylor. "Should you be encrypting the card data at the point it's swiped at the POS? And if you do that, at which point is it unencrypted? Questions such as these, which would enhance security even further, are still being debated."

Data security is not, and should not be, a concern only for large retailers; it is something retailers of any size must consider. "In order to protect retailers, we must encrypt the data from the payment terminal — encrypt the same technology and the same security in a payment terminal with which we encrypt debit PINs," says Wakefield. That data must then travel through the retailer's network encrypted the entire way, and be decrypted only when it reaches the processor, so that no store system, network segment, or employee in between ever handles a clear-text card number. "Any payment containing sensitive data [e.g. card number] is at risk if it is not secured properly," says Velani. "Deploying PA-DSS-validated solutions and attaining PCI compliancy is the first step, but risks can only be mitigated when all sensitive data that could be compromised is secured."
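The terminal-to-processor path described in the last two sections, as an added example that is not part of the original article and not any vendor's product code: a Go program in which the terminal encrypts track-2 data with AES-256-GCM before it touches the retailer's network, the retailer's systems carry only the masked PAN, the amount and ciphertext, and only the processor, which holds the key, can recover the track data. Because GCM also authenticates the clear-text header, a store-side change to the amount is rejected at the processor rather than silently accepted. The key, terminal and key identifiers, and card data are constructed placeholders; in a real deployment the key lives inside the tamper-resistant PIN-entry device and is usually derived per transaction (DUKPT) rather than stored as a constant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is the only thing that leaves the terminal and crosses the retailer's
// store, WAN and corporate networks. Nothing in it reveals the full PAN.
type Envelope struct {
	TerminalID string // device that encrypted the data
	KeyID      string // tells the processor which key to use (a DUKPT KSN in real deployments)
	MaskedPAN  string // first six + last four: enough for receipts, BIN routing and logs
	Amount     string // minor units, e.g. "1999" for $19.99
	Nonce      []byte // 96-bit GCM nonce, fresh per transaction
	Ciphertext []byte // AES-256-GCM output: encrypted track data || 16-byte tag
}

// demoKey stands in for the key a real terminal keeps inside its tamper-resistant
// PIN-entry device. Constructed for this example only; never hard-code a key.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// MaskPAN keeps only the first six and last four digits, the portion PCI DSS allows to be displayed.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// aad binds the clear-text header to the ciphertext: if the retailer's middleware (or an
// attacker on it) changes the amount or terminal ID, the processor's Open() fails.
func aad(e *Envelope) []byte {
	return []byte(e.TerminalID + "|" + e.KeyID + "|" + e.MaskedPAN + "|" + e.Amount)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the terminal at swipe time. track2 is the raw track-2
// data ("PAN=YYMM..."); only the masked PAN ever leaves the device in the clear.
func TerminalEncrypt(key []byte, terminalID, keyID, track2, amount string) (*Envelope, error) {
	pan := strings.SplitN(track2, "=", 2)[0]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{TerminalID: terminalID, KeyID: keyID, MaskedPAN: MaskPAN(pan), Amount: amount, Nonce: nonce}
	env.Ciphertext = gcm.Seal(nil, nonce, []byte(track2), aad(env))
	return env, nil
}

// ProcessorDecrypt runs at the processor, the only party holding the key: the first
// point on the path where track data exists in the clear again.
func ProcessorDecrypt(keys map[string][]byte, e *Envelope) (string, error) {
	key, ok := keys[e.KeyID]
	if !ok {
		return "", errors.New("unknown key id")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, aad(e))
	if err != nil {
		return "", fmt.Errorf("envelope rejected: %w", err)
	}
	return string(plain), nil
}

// ExposesPAN is the question an assessor asks of the retailer's network: do the bytes
// that traverse it contain the full PAN anywhere?
func ExposesPAN(e *Envelope, pan string) bool {
	wire := append(append(aad(e), e.Nonce...), e.Ciphertext...)
	return bytes.Contains(wire, []byte(pan))
}

func main() {
	// Constructed test card data; 4111111111111111 is a well-known test PAN.
	const pan = "4111111111111111"
	track2 := pan + "=2512101" // PAN=expiry(YYMM)+service code; discretionary data omitted
	env, err := TerminalEncrypt(demoKey, "POS-0042", "KSN-demo-1", track2, "1999")
	if err != nil {
		panic(err)
	}
	fmt.Printf("retailer sees: terminal=%s masked=%s amount=%s pan_exposed=%v\n",
		env.TerminalID, env.MaskedPAN, env.Amount, ExposesPAN(env, pan))

	processorKeys := map[string][]byte{"KSN-demo-1": demoKey}
	plainTrack, err := ProcessorDecrypt(processorKeys, env)
	fmt.Printf("processor recovers: %q err=%v\n", plainTrack, err)

	env.Amount = "0199" // store-side tampering is detected, not silently honored
	_, err = ProcessorDecrypt(processorKeys, env)
	fmt.Println("after tampering with amount:", err)
}
```

Running it with `go run` prints the retailer's view (masked PAN, amount, `pan_exposed=false`), the processor's recovered track data, and the authentication failure after the amount is altered in transit. The design choice worth noting is the AAD: putting the routing fields the retailer legitimately needs into the authenticated header lets store systems use them while denying anyone on that path the ability to change them or to see the PAN.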

Keep your business aware of emerging payment security threats, and develop a security-conscious store culture based on best practices for long-term compliance. By doing so, you take a crucial step toward ensuring your customers' payment card data stays private and secure, both now and in the future.