PCI compliance is a detailed and grueling process for a reason: fraudsters will exploit any weakness they can uncover. History has shown that even major merchants that consumers would assume are fully protected can get breached. In their Cost of a Data Breach Report 2021, IBM reported that the average business cost of a cyberattack is USD $4.24 million and that it takes more than 287 days to detect the breach. Merchants should ask themselves whether they are fully prepared, and how much damage cybercriminals can do in 200+ days.
Protection of sensitive data should be like a medieval castle — built to be as defensive as possible. Every element is designed to make sure that the castle is as strong as it can be — the moat, drawbridge, curtain walls, turrets, towers and keep all had a function.
Like the castle, merchants should have a multilayered approach to fully protecting their payments infrastructure. Every element should be designed to protect against a different type of attack, so that when one area is breached, attackers discover another layer of protection and are left with nowhere to go. Each layer is designed to protect against specific vulnerabilities. Some perform against more than one type of attack, but none can protect against all threats. I know what you’re thinking… the Trojan horse! Well, the trick will be on them, because the sensitive information they are after is not there… or has been replaced by a token.
OK, enough with the medieval analogy. Let’s get back to the layers of modern payments security. The layers of protection I’m referring to are EMV, point-to-point encryption (P2PE), tokenization and fraud protection. These prevent cards from being copied, protect payments in flight, protect the storage of payment card data and block fraudulent payments.
EMV protects against individual cards being duplicated and used. But, with EMV you still need to authorize a payment, so you are transmitting payment card information that could be intercepted. That’s where P2PE comes in; it protects the transmitted data by encrypting it from where it is read inside the PIN-pad, to the point it is decrypted in the payments gateway.
Fraud protection uses its own multilayer scheme to prevent fraudulent transactions. With omni-commerce, we now have blended commerce where someone can buy online and pick up in store (BOPIS); they can also cancel that transaction from their phone while standing in line to pick it up. Do you have a mobile application where purchases can be made? Those are card-not-present (CNP) transactions that run through a gateway for authorization, and mobile fraud is the new playground for fraudsters. There’s no denying that omni-commerce needs multilayered fraud protection.
Tokenization is a special protection layer as it can protect, store and share. Tokenization can be used to protect many types of sensitive data just like encryption, but it can also be format preserving, so when stored in a database, parts of the information can still be accessed and utilized (such as the last 4 digits). It can also be shared across internal systems like loyalty, fulfillment and customer service to facilitate a real understanding of the customer journeys. The final benefit is that these systems can be out of PCI DSS scope, since a token is not sensitive cardholder data.
Want to learn more about protecting payments? Visit our omni-commerce solution page or check out this on-demand webinar with Mercator Advisory Group, where we discuss these topics from a fuel and convenience store perspective (though the same issues face all omni-commerce merchants).