If it must be secured, let's be smart on how we go about it
As a retailer that accepts card payments, you are obliged to spend a considerable amount of money on securing your payment systems (as stated in my previous post), but just like tying knots, there are many different ways to secure something, and knowing which approach to follow could prevent a disaster.
Your Qualified Security Assessor (QSA) should already have taken you through the standard questions to identify what sensitive data your organization has, where it is, and whether you need to store or even process it. The standard approach they recommend is typically to segregate the network, encrypt data, and restrict access. But are there smarter approaches to consider (and is it in the QSA's interest to simplify your PCI audits?)
In our upcoming white paper, we not only discuss descoping systems, outsourcing, tokenization, and point-to-point encryption (P2PE), we also capture the current sentiment and future expectations of retailers with respect to these. If you’re interested to read more, please register to receive your copy.
Unlike tying knots, there is no single best approach and it may be fruitful to implement a combination of multiple approaches; bear in mind too that your environment is unique, and will change over time. In my next installment, I will talk about outsourcing, and answer the question about whether it is possible to outsource your payments system without being shoe-horned into a one-size-fits-all solution (spoiler alert: it is!)
So I’d like to touch here on P2PE and tokenization. Earlier in the year, we ran a webinar, Keep the Hackers Out and Reduce Your PCI Scope with Point to Point Encryption, which explains the concepts; if you’re unfamiliar with them, you can watch a webinar replay here. They are often grouped together as complementary technologies and the questions you should consider before choosing a supplier are similar; however P2PE and tokenization can be implemented independently, and can be provided by different suppliers. The questions center on who owns the data, i.e. who controls the encryption keys loaded onto the PED, and where are they used to decrypt the data? And in the case of tokenization, where is the original sensitive data stored?
By its very nature, P2PE requires the PED manufacturer's involvement, but should the PED manufacturer also provide the decryption appliance and the inventory management? Delegating too much responsibility to one supplier could result in you being locked in. Similarly, if the decryption keys and/or token vault are held by a third party or PSP, how easily can you move to another provider? What about being able to add support for new payment types like closed loop / prepaid cards, PayPal, etc.? Will you be reliant on your PSP, and what will they charge you per transaction?
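To make the "where is the original sensitive data stored" question concrete, here is an added illustration (not code from the original post or from any vendor): a minimal provider-side token vault that keeps the PAN, hands the merchant a token that preserves only the last four digits and can never pass a Luhn check, plus a scope check a retailer can run over its own records to confirm no Luhn-valid card numbers are lingering on the merchant side. The PAN is a well-known test number, and the vault is an in-memory stand-in.

```python
import re
import secrets

# Constructed sample PAN: a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check, the same test scanners use to recognise card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the provider-held vault: the only place the PAN lives."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Keep the last four digits (handy for receipts and refunds), randomise
        # the rest, and reject any candidate that passes Luhn so the token can
        # never be mistaken for a PAN by a scanner or a downstream system.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._store:
                break
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault owner (the provider, not the merchant) can do this."""
        return self._store[token]


PAN_RE = re.compile(r"\b\d{13,19}\b")


def contains_pan(record: str) -> bool:
    """Scope check: does a merchant-side record hold a Luhn-valid card number?"""
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(record))
```

Running contains_pan over exported order records is a cheap way to verify that tokenization actually took the PAN out of your environment, rather than taking the supplier's word for it.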
If you have any anecdotes to share (anonymous or otherwise), questions or advice, I’d love to hear from you. Thanks for reading this far, and until next time…