As the levels of cyber-crime continue to increase, the threat of payment details falling into the wrong hands is steadily growing too.
Although the PCI DSS exists to ensure businesses protect sensitive data from falling into the wrong hands, many businesses are still failing to protect their customer payment information, according to Verizon's 2017 Payment Security Report.
Securing payments is something that every modern business must come to grips with, whether they be large or small, and there are some very specific hurdles which must be overcome if they are to be successful.
Here are the top five challenges businesses are experiencing when securing their payments, and how they can overcome them to be fully compliant with PCI DSS and with GDPR, when the latter comes into force next year.
1. Protecting data in transit
Encryption is a word that has spent a disproportionate amount of time in the press of late, and for good reason.
Businesses that have failed to properly implement and deploy a good encryption strategy before a breach have found themselves dragged through the media for failing to protect their customers' data, and hit with major fines for their (lack of) effort.
With the arrival of the GDPR things will only become more tumultuous for companies not well versed in the arts of securing data – with offenders potentially staring down the barrel of insolvency.
Indeed, a good step towards ensuring your compliance with the EU's impending new rules is to pursue PCI DSS compliance, which provides a sound foundation upon which to move forward.
2. Failing to test and audit systems
Measuring and limiting risk requires diligence and foresight. A company must have a detailed risk management process and action plans in place to ensure that they're ready to deal with any of the complex issues that may befall them.
At the very core of this preparation lies the auditing and testing of infrastructure and systems. They are critical. Failure to conduct proper audits will detrimentally affect a business in a number of ways, including the aforementioned lack of preparedness, hefty fines and loss of revenue, to name but a few.
3. Managing chargebacks
Chargebacks are a fact of life for any business, but there are ways to ensure that they don't become a thorn in the side of yours.
It has been suggested that opaque payment descriptors are the cause of most chargebacks. This relatively simple issue is easy to avoid by ensuring that your company's descriptor is clear, so that your customers know immediately who is showing up on their statement.
If you do have to deal with a chargeback, then they're best dealt with fast. An advantage can be obtained by using a notification service from your chosen card processor, enabling you to begin dealing with (and potentially fighting) the chargeback as soon as it occurs, which will – hopefully – allow you to avoid charges and loss of revenue.
Watching for suspicious card activity is also recommended, such as multiple purchase attempts from the same person, address changes or the inputting of incorrect security codes.
4. Authenticating transactions
While we're on the subject of chargebacks and fraud, it seems appropriate to touch upon the issue of card authentication, because ensuring that your customer is who they say they are is paramount if you're to avoid chargebacks, fees and potentially time-consuming fraud investigations.
Contactless and mobile systems have biometrics to call upon which, while not infallible, add a much needed layer of security to transactions. Perhaps the best asset in securing remote transactions is analysis of transaction data by back-end systems. If your customer, who lives in York, tries to buy something from Apia, then you may have a problem to deal with, and any such transaction should be flagged.
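As an added illustration of the back-end analysis described here and of the suspicious-activity signals listed under chargebacks (repeated purchase attempts, address changes, incorrect security codes, and a purchase origin that does not match the customer's home location), the following example is not the author's or PCI Pal's code; the thresholds, field names and sample attempts are all constructed assumptions.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not figures from the article.
MAX_ATTEMPTS = 3        # purchase attempts per customer in the review window
MAX_CVV_FAILURES = 2    # incorrect security-code entries per customer

# Constructed sample attempts for one review window; the field names are assumed.
# "home" is the customer's billing country, "origin" where the purchase was made
# (GB = York in the article's example, WS = Apia, Samoa).
SAMPLE_ATTEMPTS = [
    {"customer": "alice", "home": "GB", "origin": "GB", "cvv_ok": True,  "address_changed": False},
    {"customer": "alice", "home": "GB", "origin": "GB", "cvv_ok": True,  "address_changed": False},
    {"customer": "bob",   "home": "GB", "origin": "WS", "cvv_ok": False, "address_changed": False},
    {"customer": "bob",   "home": "GB", "origin": "WS", "cvv_ok": False, "address_changed": True},
    {"customer": "bob",   "home": "GB", "origin": "WS", "cvv_ok": True,  "address_changed": False},
]


def flag_suspicious(attempts, max_attempts=MAX_ATTEMPTS, max_cvv_failures=MAX_CVV_FAILURES):
    """Group attempts by customer and return {customer: sorted list of reasons}.

    Only customers that trip at least one rule appear in the result, so the
    output is a review queue for a fraud analyst rather than a block list.
    """
    by_customer = defaultdict(list)
    for attempt in attempts:
        by_customer[attempt["customer"]].append(attempt)

    flagged = {}
    for customer, rows in by_customer.items():
        reasons = set()
        if len(rows) >= max_attempts:                              # multiple purchase attempts
            reasons.add("repeated_attempts")
        if sum(1 for r in rows if not r["cvv_ok"]) >= max_cvv_failures:  # wrong security codes
            reasons.add("security_code_failures")
        if any(r["address_changed"] for r in rows):                # address change mid-window
            reasons.add("address_change")
        if any(r["origin"] != r["home"] for r in rows):            # York customer buying from Apia
            reasons.add("location_mismatch")
        if reasons:
            flagged[customer] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for customer, reasons in flag_suspicious(SAMPLE_ATTEMPTS).items():
        print(f"{customer}: {', '.join(reasons)}")
```

A real deployment would feed this from the card processor's notification stream and tune the thresholds against its own chargeback history.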
Thankfully, again, choosing the right card processing partner should prove beneficial in dealing with authentication issues, but seeking outside help shouldn't be written off, either, if it's an area in which you feel improvement is necessary.
5. Physical security of data
An often overlooked aspect of securing payments is that of physical security. It feels so low tech to speak about locked server rooms, workstation security and even ensuring appropriate levels of security are maintained on your printers, but it's a fact of life that must be accepted.
Thieves can easily grab laptops, printers or hard disks and gain immediate control of the data held on them, but with the help of physical locks, disk locks, CCTV and a dose of good, old-fashioned common sense you can avoid compromising data security – and the eye-watering fines that accompany it.
Contributed by Tony Smith, sales director EMEA, PCI Pal
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.