Executive Insight: 3 Ways to Strengthen Payment Security in a Dog-Eat-Dog World
April 18, 2016. By J.D. Oder II, CTO and SVP of Research and Development, Shift4 Corporation
In a recent and highly publicized dispute, Apple refused the U.S. government’s demand that it build a modified version of its own software so the FBI could break into an iPhone, essentially hacking its own device. Without taking a deep dive into the implications of that situation, the FBI’s ability to then work with a third party and unlock the phone without Apple’s help gave many of us in the tech industry pause. At the same time, it proved a point that all of us who live, eat, and breathe security already know: no single security control is infallible.
It may seem chilling, but the concept of 100% complete security is a falsehood. If anyone dares to say otherwise, I see it as an open invitation to be painfully proven wrong.
Yet, so often a merchant will complete their PCI DSS (Payment Card Industry Data Security Standard) assessment, install a new antivirus program, or begin accepting EMV cards and conclude that, with this new validation, implementation, or process, security has been achieved. This all-too-common tendency to “fire and forget” when implementing payment security tools leaves those merchants vulnerable and their customers’ card data open to attack. The problem is compounded when merchants deploy third-party security technologies whose installation and configuration requirements are unfamiliar to them, because a control that is installed wrong protects nothing.
Here are a few ways that merchants can better assure the security of their customers’ payment data, even against today’s advanced threats:
1. Regularly examine the tools and operations throughout their environment.
A merchant can install the latest firewall on their network, but it won’t help much if malware is already running on a point-of-sale host behind it. A PCI DSS assessment happens once a year, but a merchant’s systems are expected to be secure and compliant all of the time. That is why merchants must vet the tools and operations already in their environment before layering new solutions on top of them, and then check in on those controls regularly to ensure that security is maintained.
Merchants should periodically verify that the cardholder data environment is properly segmented from the rest of the network (and that the segmentation actually holds; PCI DSS requires segmentation to be tested, not assumed) and that their staff are updating and patching software on a regular schedule. Importantly, the individual(s) the merchant relies on to protect the operating environment must have both the ability and the authority to make informed decisions on behalf of the business.
If a merchant needs help identifying whether their environment is secure and PCI compliant, they can work with their merchant services provider (MSP) or consult a PCI Qualified Security Assessor (QSA) for assistance. Hiring an expert can be expensive, but it’s much more cost effective than dealing with the financial drain of a data breach, which can cost hundreds of thousands of dollars or more—not to mention the irrecoverable costs in brand damage.
2. Carefully implement all payment applications according to PCI guidelines.
When merchants install new solutions or update existing ones, it is vital that the prerequisites are understood and applied according to the application’s PA-DSS (Payment Application Data Security Standard) Implementation Guide, which every vendor of a PA-DSS validated application is required to provide. These guides underscore that simply using a validated application doesn’t make you a PCI DSS compliant business: the settings the merchant controls, such as default accounts and passwords, what the application logs, and where it is allowed to keep data, can still put cardholder data at risk. The guide exists to spell out how to install and configure the application so that it stays within the validated, secure configuration.
At Shift4, we recommend combining payment security technologies so that cardholder data (CHD) never resides in the merchant’s environment at all. That takes most of the environment out of PCI DSS scope and relieves the merchant of the burden of guarding stored card data around the clock, freeing up time and energy to focus on their core business: serving their customers.
3. Layer payment security tools to minimize risk.
As I’ve said often before, there is no silver bullet for data security. It’s important to add the correct mix of solutions to ensure your payment security cocktail puts you at ease instead of giving you heartburn. Three particular technologies, when used together and applied along with the security practices mentioned above, are a dang good start:
– EMV – The purpose of EMV chip cards is often misunderstood. EMV is not a data-protection control: the PAN and expiry date still pass through the terminal and the merchant’s systems in the clear unless something else encrypts them. What the chip does is authenticate the card itself. It generates a cryptogram for each transaction that the issuer verifies, so a cloned magnetic-stripe copy of the card is rejected. That defeats counterfeit-card fraud at the point of sale and, under the card brands’ liability shift, moves responsibility for that category of fraud away from merchants who accept chip transactions.
– P2PE – At card-present points of sale, including mobile devices, P2PE encrypts CHD inside the payment device at the moment of capture and keeps it encrypted until it reaches the solution provider’s decryption environment, so plaintext CHD never touches the merchant’s POS software, network, or servers. With a PCI-listed P2PE solution this removes most of the environment from PCI DSS scope, leaving the secure payment devices themselves, and the controls around them, as the merchant’s main assessable surface. The protection holds only if the merchant never possesses the decryption keys; they belong in the provider’s hardware security modules, far away from the merchant’s systems and the data they protect.
– Tokenization – Tokenization replaces CHD with a surrogate value (random digits or alphanumeric characters) that has no mathematical relationship to the card number, so CHD never needs to be stored in a merchant’s network or payment systems: the merchant keeps the token, and the provider’s vault keeps the mapping. Business operations that once required the card number (refunds, recurring billing, customer lookups, reporting) keep working on the token, PCI DSS scope shrinks, and a breach of the merchant’s database yields nothing a thief can charge. The caveat is that a token is only as strong as its randomness and the access controls on detokenization. A value computed from the PAN, such as a hash, is not a token; it can be brute-forced from the masked digits that are routinely printed on receipts.
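The tokenization point above, as an added example written for this page (it is not Shift4’s or DOLLARS ON THE NET code). The vault is an in-memory dictionary standing in for the provider’s vault, the role name "processor" is a hypothetical access-control label, the card numbers are the published Visa and Mastercard test numbers, and the brute-force assumes a 16-digit PAN. The second half shows why a token must be random rather than derived: given the first six and last four digits, which PCI DSS permits to be displayed, an unsalted hash of a PAN falls to a search of 100,000 candidates.

```python
"""Toy token vault: tokens are random surrogates, hashes are not tokens.

Example code written for this page, not a gateway's implementation. PANs are
the well-known Visa/Mastercard test numbers (Luhn-valid, never issued). The
vault is an in-memory dict; a real one sits with the provider behind access
controls, an HSM and an audit trail.
"""
import hashlib
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum (ISO/IEC 7812); a PAN is valid when it is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


class TokenVault:
    """Maps PANs to random tokens. The merchant stores only tokens; the PAN is
    recoverable solely by asking the vault, never by computation."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:         # multi-use token: same card, same token
            return self._token_by_pan[pan]
        while True:
            # Format-preserving: 16 digits, last four kept so receipts and
            # customer lookups still work, the rest drawn from a CSPRNG.
            # Redrawn until the result FAILS Luhn, so a token can never be
            # mistaken for, or misused as, a live card number.
            token = "".join(secrets.choice(DIGITS) for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the processing path may recover a PAN. "processor" is a
        hypothetical role label; POS and reporting callers never hold it."""
        if caller_role != "processor":
            raise PermissionError("detokenization not permitted for " + caller_role)
        return self._pan_by_token[token]      # KeyError for unknown tokens


def hashed_pan(pan: str) -> str:
    """Anti-pattern: a deterministic hash of the PAN is sometimes called a
    'token'. It is reversible by brute force, as the next function shows."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, first6: str, last4: str) -> Optional[str]:
    """Recover a 16-digit PAN from its unsalted SHA-256 given the first six
    digits (the BIN) and the last four, both of which may appear on receipts.
    Six digits are unknown, but Luhn fixes one of them, so only 10**5
    candidates have to be hashed."""
    for n in range(100_000):
        middle = f"{n:05d}"
        # The 12th digit (index 4 from the right) is not doubled by Luhn, so
        # it simply has to cancel the rest of the weighted sum mod 10.
        partial = first6 + middle + "0" + last4
        fix = (-luhn_sum(partial)) % 10
        candidate = first6 + middle + str(fix) + last4
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                 # Visa test number (constructed input)
    tok = vault.tokenize(pan)
    print("token stored by merchant:", tok)
    print("PAN via vault (processor):", vault.detokenize(tok, "processor"))
    print("PAN from unsalted hash   :", recover_pan_from_hash(hashed_pan(pan), pan[:6], pan[-4:]))
```

Running it prints the token the merchant would store, the PAN recovered through the vault by the processor role, and the same PAN recovered from the hash with no vault at all. Two properties to check in any real solution follow from this: nothing the merchant stores lets anyone compute the PAN, and detokenization is reachable only from the processing path, never from POS or reporting systems.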
The data thieves are out there, and they’re getting better. They are organized, and some have the backing of the world’s most capable criminal hacking groups, non-allied nation states, quasi-states, and even terrorist groups. Their skill at deceit and trickery has to be met with depth: a combination of tools and practices that makes weaknesses in a merchant’s systems so hard to find and exploit that the attackers move on to easier prey.
As MLB executive Joe Torre puts it, “The second you think you’ve arrived, someone passes you.” Don’t get complacent with your security posture. Continue to monitor and innovate, because the bad guys are innovating, and we have to stay one step ahead.
About JD Oder
J.D. Oder II serves as Shift4’s CTO and SVP of Research and Development. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. J.D. is the architect of the DOLLARS ON THE NET® payment gateway solution. He is credited with introducing tokenization to the industry in 2005 and was also an early adopter/member of the PCI Security Standards Council.