It’s no surprise that debit and credit cards are the preferred payment methods — in-store and online — for millions of consumers. And the increased use of these payment methods has spurred an uptick in data breaches, cyber theft, and payment security awareness.
A report sponsored by JP Morgan noted that the increased use of digital transactions has increased cybercrime. In fact, almost 75% of organizations were targets of payment fraud attacks in 2020.
As a result of the increase in payments fraud, a study by Meticulous Research reports that the payment security market is expected to reach $54.1 billion by 2028.
Companies in industries such as eCommerce, travel and hospitality, food and beverage, and sports and entertainment, have always been targets of cybercriminals because their payment systems contain a wealth of customers’ personal and financial data.
What security solutions is your business implementing to protect your customers’ data and your brand? Read on to find out what steps you should take.
PCI Compliance
To fully understand payment security, you first need to understand the origin. The Payment Card Industry Security Standards Council (PCI SSC) — or PCI for short — was established in 2006 by American Express, Discover, JCB International, Mastercard, and Visa. The council is a global forum that unites payment industry stakeholders to develop and drive the adoption of data security standards worldwide.
Any business that processes or stores cardholder data must comply with PCI DSS (Data Security Standard) requirements. Depending on how your organization handles payments — card-present for in-person transactions and card-not-present for recurring or online payments — you can validate your compliance with a self-assessment questionnaire (SAQ) or qualified security assessor.
If this sounds complicated or intimidating to you, you’re not wrong. It’s a lot to digest at once, and it’s tricky navigating unfamiliar waters. Thankfully, payment processors and experts, like us at Shift4, can take on the responsibility of keeping your payment systems PCI compliant. We’ve even created a Security Corner to help businesses navigate the overwhelming world of PCI compliance.
What Is Payment Security?
Now that you understand how payment security is governed let’s talk about what it means for your business.
In a nutshell, payment security is the measures companies take to protect their customers’ personal data and prevent fraudulent transactions. They are dynamic, multifaceted strategies happening in real-time to protect sensitive data. Here’s a look at these different layers.
Card-Present Security
EMV
Your first line of defense is an EMV payment terminal for card-present transactions. EMV is short for Europay, Mastercard, and Visa — named after the founders who created this payment technology standard. Often referred to as a chip card or smart card, EMV cards have a small microprocessor or chip that stores data and makes it nearly impossible for potential thieves to replicate with counterfeit cards.
Point-to-Point Encryption
Another safeguard for credit card transactions is Point-to-Point Encryption or P2PE for short. P2PE encrypts the cardholder’s data at the point of capture and throughout the entire transaction journey until it reaches the secure decryption endpoint. With P2PE, card data never enters the merchant’s system. Shift4 takes it a step further with PCI-validated P2PE, which requires a higher level of security and dramatically reduces your organization’s PCI DSS scope.
Tokenization
As the inventor of payment tokenization, we know that tokenization is one of the most important steps you can take to protect your customers when it comes to sensitive payment data.
Tokenization replaces the cardholder’s Personal Account Number (PAN) with a random, alphanumeric value known as a “token.” The token value has absolutely no connection to the PAN it represents. Therefore, it cannot be reverse-engineered. Only a payment gateway or token vault can identify the 1:1 relationship between the PAN and the token.
As part of Shift4’s end-to-end payment solution, these three technologies work together to seamlessly deliver the strongest security possible throughout the entire transaction — and long after.
Card-Not-Present Security
Card Verification Value (CVV)
If you’ve ever made a purchase online or added value to a mobile device app like Dunkin’ or Starbucks, you’re already familiar with your payment card’s CVV. The Card Verification Value — or CVV for short — is the three- or four-digit code on the front or back of your credit or debit card.
A CVV code is typically requested for card-not-present transactions as an additional security measure to ensure that the card is in the hands of the rightful owner.
Address Verification Service (AVS)
Another safeguard for eCommerce transactions is address verification. For example, when you place an order online, you are asked to enter a shipping address and your billing address.
The billing address request confirms that the information you’re supplying matches the information on file with the card issuer. If it’s a complete mismatch or partial mismatch, the transaction can be declined.
Secure Socket Layer (SSL)
Lastly, we have SSL certificates, a security protocol for online transactions that encrypts information sent over the internet. Have you ever noticed a small lock icon in the address bar of your web browser? Or have you seen a web address that starts with HTTPS? If so, you can rest assured that the website is using SSL and the information you share is protected.
Why Payment Security Is Important for Your Business
Implementing the appropriate payment security can make or break any business. A company could spend years establishing itself as a trustworthy brand, then lose it all in an instant because of a payment system breach.
Once your company’s security has been breached, not only do you lose your data, but you also lose the trust of your customers — trust that likely took years to gain. The last thing your customers want is to spend hours dealing with fraudulent charges — or worse: identity theft —because they used their cards in your store or on your website.
Customers who entrust businesses with their money and personal information also trust that those companies will provide them with secure and seamless buying experiences. Furthermore, you may also run the risk of damaging your relationships with your business partners and service providers.
In addition to tarnishing your reputation, payment fraud can cost your business financially. Depending on the size of a company and the circumstances surrounding the breach, fines can be as high as $500,000 per incident — or sometimes more. The banks may also increase transaction fees or terminate relationships altogether.
Do you remember the Target data breach in 2013? After a 47-state settlement, Target agreed to pay $18.5 million in settlement claims. In fact, when all was said and done, Target said they had lost a total of more than $200 million due to the breach. While this may not cripple a large retailer into bankruptcy, it’s undoubtedly a massive blow to their bottom line. “Threats to payment card data continue to increase and impact the payment security landscape in numerous — and increasingly insidious — ways,” according to Verizon’s 2020 Payment Security Report. “The negative disruption from payment security data breaches can have a temporary or lasting impact on an organization’s sales and company stock price and reputation.”
How to Protect Your Business
When it comes to protecting your business and cardholder data, it’s best to take a layered approach to payment security by implementing the multiple strategies mentioned above. This type of approach is precisely what we do at Shift4 with our industry-leading secure technologies.
Our layered approach to credit card security and best-in-class payment solutions protect customer data from end to end, providing both merchants and customers with unmatched security — and peace of mind.
Adapting to an Evolving Landscape
As the landscape evolves and hackers become more sophisticated, merchants must remain vigilant in the fight against fraud and data breaches. Protecting sensitive customer data should remain a priority — and choosing the best in-store and online payment security solutions can certainly support this objective.