Criminals are mounting an all-out assault on merchants’ payments
systems, many of which sorely lack adequate data security. Pritesh
Patel of risk solutions specialist CyberSource discussed with
EPI strategies and solutions that will enable
merchants to significantly enhance customer data security.
With little more than a month left in
both the peak trading period and 2009, many merchants are now in a
code freeze, a period during which no changes can be made to their
payments processing systems.
However, despite this and pressured by the
seasonal rise in business activity, retailers must sometimes
implement quick-fix solutions to address payment or fraud
management challenges that arise, Pritesh Patel, a client and
technical services consultant with electronic payments processing
and risk solutions specialist CyberSource, told EPI.
Although these ‘patches’ may be effective in
the short term, steps should be taken to develop a solution that is
both long-term, and fit for purpose, Patel continued. Specifically,
merchants should be looking at current and future threats to their
businesses and determining how they will be addressed in the year
“A variety of threats abound, but a payment
data security breach is the nightmare scenario for many eCommerce
merchants,” stressed Patel.
He noted that the traditional method
of protecting sensitive online information is to encrypt it, but as
some retailers have found, to their cost, encryption is not enough
to keep payment details safe from intruders.
On end-to-end encryption, a security solution now widely hailed
as a major advance, Patel said that while such solutions
undoubtedly have their merits, they focus on minimising risk
rather than eliminating it.
“Encryption requires constant ongoing
management and can often be a costly overhead,” explained Patel,
who also noted that as systems are enhanced or new systems
introduced, care must be taken to ensure that they fit into and
comply with the organisation’s encryption paradigm.
Perhaps most importantly, he continued,
individuals within the organisation know where the payment data is
and potentially how it can be accessed.
“Ultimately, by going down the encryption
route, the organisation’s leaders are pitting their IT security
teams against the criminal world,” said Patel. “They are betting on
those teams being able to keep payment data safe from attack and
preserving the reputation and future of the company.”
Ultimately, the most effective way
of preventing data theft is to eliminate the data from the payment
processing system, believes Patel.
“If a shop is empty of physical goods, there
is nothing for anyone to steal,” he said. “In the same way, if no
payment data exists on an organisation’s systems, the risk of a
breach is effectively eliminated.”
Essentially, he said, the most effective
approach to data protection is to remove temptation and risk by
completely eradicating the storage, capture and back-office
exposure of all customer data.
“There is a myth that retailers cannot operate
their business or service their customers without full payment
data,” Patel added. “On the contrary, some companies have evolved
to the point where they can operate without transmitting, storing
or processing payment data – they have removed all system and staff
interaction with that information.”
In this regard Patel was referring to payment
tokenisation, an approach that payments processor First Data
recently announced that it was pursuing in an alliance with US data
service specialist EMC Corporation’s security division, RSA (see
Payment tokenisation solutions allow merchants
to transfer all payment data storage to a security-certified
service provider. A payment token and a masked account number are
returned for use by the merchant’s system to reference the
transaction in subsequent actions. Because only a token relating to
each individual transaction is stored, the data is not left
vulnerable to being compromised by insiders, or hacked by
However, while tokenisation is essential in
eliminating payment data, it solves only one element of the data
security process, Patel said. He noted that to eradicate another
data touch-point, merchants should look to hosted payment
“This process enables customers’ payment
information to be captured directly by the payment network,
removing the need for staff or system interaction,” he added.
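The tokenisation and hosted-capture model described above, as an added illustration that is not code from CyberSource, First Data or RSA: a hypothetical provider vault captures the card number and hands the merchant only a random per-transaction token and a masked account number, and a simple breach check over the merchant's own records shows the difference between the legacy and tokenised data stores. The vault, record layouts and sample card numbers are all constructed for this example.

```python
import re
import secrets

# Constructed sample card numbers (industry test values, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str) -> str:
    """Masked account number: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class ProviderVault:
    """Hypothetical provider side: the hosted page captures the PAN and the
    vault keeps it; the merchant only ever receives a per-transaction token."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def capture(self, pan: str) -> tuple[str, str]:
        if not PAN_RE.fullmatch(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._pans[token] = pan
        return token, mask_pan(pan)

    def settle(self, token: str, amount: int) -> bool:
        # The provider resolves token -> PAN internally; the merchant never sees it.
        return token in self._pans and amount > 0


def merchant_records_legacy(pans):
    """'Before': the merchant captures and stores full card numbers."""
    return [{"order": i, "pan": p} for i, p in enumerate(pans, 1)]


def merchant_records_tokenised(vault, pans):
    """'After': the merchant stores only token + masked account number."""
    recs = []
    for i, p in enumerate(pans, 1):
        token, masked = vault.capture(p)
        recs.append({"order": i, "token": token, "masked_pan": masked})
    return recs


def exposed_pans(records):
    """Breach check: count full PANs recoverable from a dumped record set."""
    dump = "\n".join(str(v) for r in records for v in r.values())
    return len(PAN_RE.findall(dump))
```

Running `exposed_pans` over the legacy records yields one hit per order, while the tokenised records yield none, because the token is random and the masked number never contains a full digit run.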
“This allows a retailer to maintain the
look-and-feel of their brand, while negating the need for payment
data to touch their network. Because customer payment details are
not entered directly onto a merchant’s network, malware installed
on their systems will provide significantly less payload for the
Patel emphasised that protecting
customers’ personal and payment details is absolutely vital to a
company’s brand image and reputation, and that the annual code
freeze presents an opportunity to strategise for 2010 and evaluate
existing payment and fraud management systems.
“Investigating ways to eliminate staff and
system contact with payment information will provide a strategy
that is safer and easier to manage, and less costly to certify,”
said Patel. “Working with a third party to secure customer data
could help merchants mitigate the risk of an expensive data