Christmas is fast approaching and the streets are already brimming with eager holiday shoppers, ready to buy gifts for loved ones and enjoy the festive spirit. But for those in cyber security, it can be a trying time with the stress around security threats: headline after headline, consumers are being warned about phishing scams, malicious websites, and implanted malware, and retailers are alerted to the inevitable cyber attack that will land on their doorstep, aimed at stealing a whole customer database of sensitive information.
There is indeed a grain of truth to these claims, but the fact remains that businesses and retailers that accept credit cards and electronic payments should be no more concerned during the festive period than at any other time of the year. Retailers rightly test their website capacity in preparation for the traffic they will experience from November onwards, but payment security should not be treated as a seasonal exercise in the same way. Instead, it should be a mandatory 365-days-a-year discipline.
There are already minimum standards relating to payment security, but organisations wrongly treat them as an entire security framework for their business. Instead, security frameworks should be designed with each business's specific risk profile in mind: the data it stores, the incident response plan it has in place, and the threat actors most likely to target it. By adhering to the Payment Card Industry Data Security Standard (PCI DSS), companies may achieve a minimum level of security, but they will be poorly prepared for today's connected world, where thousands of monetary transactions take place every minute.
If you’re an organisation looking to implement vigilant payment security, here are four steps that you need to take:
Determine the business's risk profile: It's important to identify the threat actors most likely to target your business. A website selling bespoke hand-decorated mugs, for example, will have a very different risk profile from a giant retail chain with millions of customers and online, mobile and in-store channels. The kinds of questions you can ask to move beyond the archaic guidelines of PCI DSS include: over what channels is your business accepting payment? Where is your data stored? What kind of data is being stored? Who is able to access the data? And crucially, who is most likely to want to steal the data, and how are they going to do it? By answering these questions, companies are able to implement a payment security strategy that is unique to their specific operations.
Assess all points of sale: Retail stores typically focus on their in-store credit card transactions. But it doesn't stop there; today's security requirements mean securing data across the entire payment lifecycle, from the store and online channels through to intermediaries and banks. We also pay with a much wider variety of tools, from credit card readers and contactless readers to alternative payment and digital channels, so there are many more endpoints to protect. Understanding your complete array of payment channels and the entire payment lifecycle is key to establishing a secure payment system.
Optimise cyber operations: A company's cyber operations are critical both to its incident response plan and to preventing breaches in the first place. These capabilities are even more crucial in retail, where payments move between consumers, point-of-sale systems, credit card providers and issuing banks. When the right staff, operations and technology work in tandem, they form the foundation of an effective payment security strategy.
The threat from within: For viable payment security, it's not enough to protect against threats from outside the business. Businesses must enforce strict security on the inside too, to prevent accidental insider incidents as well as deliberate malicious ones. Almost half of all data breaches can be attributed to insiders, so it is paramount to ensure strong identity and access management, application security, and training and awareness programmes. Only when employees are clued up too can companies be protected from the inside out.
Following these steps, companies in the payments handling space, particularly retailers and merchants, can significantly improve their payment security operations. It's important to note, however, that these are not one-time quick fixes that stand apart from each other. Each step is ongoing and interrelated, which is why they can't only be implemented during the busy shopping periods. Throughout the year, regardless of the size or type of business, companies need not only to understand their risk profile but also to continuously identify new threats, focus on points of sale, streamline operations and keep developing their internal security.
The holidays are coming, but if organisations prioritise the correct cyber security practices and strategies all year round, everyone can join in the festive fun knowing the utmost has been done to protect against cyber threats.
Written by Nigel Gilhepsy, Director of Services, Europe, Optiv