Cyber-security is vital for safeguarding customers’ sensitive payment information. Consider using these three technologies, as outlined by Sage Pay, to ensure the best protection for them.
Payments security in the retail industry is forever front of mind for IT and finance operatives.
As retailers adopt new payments technology to collect and communicate sensitive customer data, the risk that hackers will take advantage increases, with cybercriminals growing increasingly savvy.
Trustwave’s 2018 Global Security Report found that the retail sector was the target of 17% of all cyber-attacks – the single biggest industry for cybercrime.
To combat this, retailers are spending more on cyber-security safeguards. According to the British Retail Consortium’s 2019 Retail Crime Survey, large organisations invested £162m in cyber-defences in the 2017-2018 financial year – an increase of 17% on 2016-2017.
This is necessary to protect sensitive payments information in today’s data-rich retail space.
Here are three technologies retail businesses can use to protect their payments data:
1. Point-to-point encryption
Encryption, or translating data into an indecipherable code as it’s transferred, is a popular solution for data that’s transferred electronically.
This protects card information as it is passed from the point of sale through the entire transaction. The card data isn’t visible to the retailer or anyone else throughout the process.
Once the encrypted codes are within the secure data zone of the payment processor, the codes are decrypted to the original card numbers and then passed to the issuing bank for authorisation.
2. Tokenisation
Tokenisation protects sensitive data by replacing it with an algorithmically generated number. For payment cards, this means a token replaces the card number.
Even if your processing system is infiltrated, the stolen data will be useless to whoever holds it if they can’t decipher the token. The actual card number is only available within the network during the initial transaction.
After that, the retailer uses a token that represents the original card for recurring payments or to track transaction history by each customer.
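A minimal sketch of the tokenisation flow described above, added here as an illustration and not taken from Sage Pay or any payment processor's code. The names `ProcessorVault` and `Retailer`, the choice to keep the last four digits in the token, the simulated authorisation and the test card number used to exercise it are all assumptions.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class ProcessorVault:
    """Payment processor side: the only place a token maps back to a card."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenise(self, pan: str) -> str:
        if not (12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:  # same card, same token: history stays linked
            return self._token_by_pan[pan]
        while True:
            # Random digits, so the token cannot be reversed by calculation.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keeping the last four is an assumption
            # Skip collisions and anything that could pass as a real card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return token

    def charge(self, token: str, pence: int) -> dict:
        pan = self._pan_by_token[token]  # detokenised only inside the processor
        return {"authorised": True, "pence": pence, "last4": pan[-4:]}  # simulated

class Retailer:
    """Retailer side: keeps tokens and order history, never card numbers."""
    def __init__(self, vault: ProcessorVault):
        self.vault, self.customers = vault, {}

    def first_purchase(self, customer: str, pan: str, pence: int) -> dict:
        token = self.vault.tokenise(pan)  # card number is used once, not stored
        self.customers[customer] = {"token": token, "orders": []}
        return self.repeat_purchase(customer, pence)

    def repeat_purchase(self, customer: str, pence: int) -> dict:
        record = self.customers[customer]
        record["orders"].append(pence)
        return self.vault.charge(record["token"], pence)
```

A copy of `Retailer.customers` taken by an intruder contains only tokens that fail the card-number checksum, so it cannot be replayed as card data outside the processor.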
3. APIs
Application programming interfaces (APIs) are predicted to be the dominant technology behind payments for the foreseeable future as a by-product of the Open Banking agenda.
This opens up a new world of affordable financial products that retailers have access to, all built on the most modern security measures as required by the second Payment Services Directive (PSD2).
Three-Domain (3D) Secure is an example of an API that authenticates ecommerce transactions to catch attempted card fraud before it happens.
A 3D Secure page requires two-factor authentication (2FA) to use the payment method of choice.
If 3D Secure is enabled, the cardholder will always be redirected to their bank’s 3D Secure page to enter strong authentication information. If the cardholder’s bank deems the transaction high risk, the cardholder will be required to complete 2FA.
After September 2019, strong customer authentication will become the new default and cannot be bypassed without an applicable exemption.
Most authentication requests will be frictionless to the customer. Only 5% to 10% of authentications are expected to require the cardholder to enter 2FA.
Security measures that cost you nothing:
- Use additional points of verification. Fraudsters have limited knowledge, and by verifying more details retailers will make fraud harder. This needs to be implemented in a sensitive way, using data that can be invisibly captured, such as a phone’s IMEI number (if a retailer has permission to read this data). However, asking users to enter additional details can be frustrating and cause them to abandon a purchase journey if they feel questions are too intrusive or irrelevant.
- Ask your bank how to shift liability. Contact your bank directly to determine the different steps you must take to achieve a liability shift in the event of a chargeback.
Visit Sage Pay’s website to discover what you can do to fight fraud more effectively and let your customers know they’re protected.