If it must be secured, let’s be smart about how we go about it
As a retailer that accepts card payments, you are obliged to spend a considerable amount of money on securing your payment systems (as stated in my previous post), but just like tying knots, there are many different ways to secure something, and knowing which approach to follow could prevent a disaster.
Your Qualified Security Assessor (QSA) should already have taken you through the standard questions to identify what cardholder data your organization holds, where it is, and whether you need to store or even process it at all. The standard approach they then recommend is typically to segment the network, encrypt data, and restrict access. But are there smarter approaches to consider (and is it in the QSA’s interest to simplify your PCI audits)?
In our upcoming white paper, we not only discuss descoping systems, outsourcing, tokenization, and point-to-point encryption (P2PE), but also capture the current sentiment and future expectations of retailers with respect to these. If you’d like to read more, please register to receive your copy.
Unlike tying knots, there is no single best approach, and it may be fruitful to implement a combination of several; bear in mind too that your environment is unique and will change over time. In my next installment I will talk about outsourcing, and answer the question of whether it is possible to outsource your payment system without being shoe-horned into a one-size-fits-all solution (spoiler alert: it is!)
So I’d like to touch here on P2PE and tokenization. Earlier in the year we ran a webinar, Keep the Hackers Out and Reduce Your PCI Scope with Point to Point Encryption, which explains the concepts; if you’re unfamiliar with them, you can watch a webinar replay here. They are often grouped together as complementary technologies, and the questions you should consider before choosing a supplier are similar; however, P2PE and tokenization can be implemented independently and can be provided by different suppliers. The questions center on who owns the data: who controls the encryption keys loaded onto the PIN entry device (PED), and where are those keys used to decrypt the data? If the decryption keys never enter your environment, your systems only ever handle ciphertext, and that is what takes them out of scope. And in the case of tokenization, where is the original sensitive data stored, and who is able to detokenize it?
By its very nature, P2PE requires the PED manufacturer’s involvement, since the encryption keys are loaded into the device; but should the PED manufacturer also provide the decryption appliance and the inventory management? Delegating too much responsibility to one supplier could result in lock-in. Similarly, if the decryption keys and/or token vault are held by a third party or PSP, how easily can you move to another provider? Tokens are only meaningful to the vault that issued them, so a move means either re-tokenizing every stored card or arranging a vault transfer between providers. What about being able to add support for new payment types such as closed-loop/prepaid cards, PayPal and so on? Will you be reliant on your PSP, and what will they charge you per transaction?
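To make the ownership questions above concrete, here is a small Go sketch of my own (not code from any PED vendor, P2PE solution provider or PSP) with the three parties laid out as separate pieces of code: the PED that only encrypts, the merchant environment that only forwards ciphertext and cannot read it, and the provider’s decryption environment that holds both the key and the token vault. Everything in it is an assumption for illustration: the type and function names are mine, a single static AES-256-GCM key stands in for the per-transaction DUKPT keys a real PED uses, an all-zero key stands in for the merchant’s best guess at the key, the token keeps the last four digits for receipts by convention, and the PAN in the test is the usual constructed 4111… number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// NewKey returns a random AES-256 key. Real P2PE injects a per-device key and
// derives a fresh key per transaction (DUKPT); one static key is an assumption.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PED is the PIN entry device: it holds the encryption key and nothing else.
type PED struct{ key []byte }

// Encrypt seals the PAN at the point of interaction; the blob (nonce || ciphertext || tag)
// is all the POS, the store network and the back office ever see.
func (p *PED) Encrypt(pan string) ([]byte, error) {
	gcm, err := newGCM(p.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptWith opens a PED blob; with the wrong key the GCM tag check fails.
func decryptWith(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pan, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pan), err
}

// DecryptionEnvironment is the provider's (or PSP's) HSM-backed zone: the only
// other holder of the PED key, and the home of the token vault.
type DecryptionEnvironment struct {
	key   []byte
	vault map[string]string // token -> PAN; the only copy of the PAN kept anywhere
}

func NewDecryptionEnvironment(key []byte) *DecryptionEnvironment {
	return &DecryptionEnvironment{key: key, vault: map[string]string{}}
}

// Tokenize decrypts a PED blob and returns a random token the merchant can keep
// for refunds or repeat purchases; only the last four digits survive in it
// (kept for receipts by convention; an assumption of this sketch).
func (d *DecryptionEnvironment) Tokenize(blob []byte) (string, error) {
	pan, err := decryptWith(d.key, blob)
	if err != nil {
		return "", err
	}
	r := make([]byte, 12)
	if _, err := rand.Read(r); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(r) + "_" + pan[len(pan)-4:]
	d.vault[tok] = pan
	return tok, nil
}

// Detokenize is the only way back to the PAN and it lives with the vault owner:
// changing provider means negotiating a migration of this map.
func (d *DecryptionEnvironment) Detokenize(tok string) (string, error) {
	if pan, ok := d.vault[tok]; ok {
		return pan, nil
	}
	return "", errors.New("unknown token")
}

// MerchantCanRead models the merchant environment trying to decrypt with the
// only key it has, which is none; an all-zero key stands in for a guess.
func MerchantCanRead(blob []byte) bool {
	_, err := decryptWith(make([]byte, 32), blob)
	return err == nil
}
```

The point the code makes is that the merchant’s systems sit between the PED and the decryption environment and handle nothing but ciphertext and tokens; whoever you hand the key and the vault map to is the party you have to negotiate with if you later want to change supplier.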
If you have any anecdotes to share (anonymous or otherwise), questions or advice, I’d love to hear from you. Thanks for reading this far, and until next time…