Posted Date: 12/8/2011
Three Tips for Securing Trust
By Caterina Pontoriero
The common saying about payment data security is that it’s a journey, not a destination. It’s impossible to make any system 100 percent secure, but retailers can go a long way toward minimizing both the likelihood and the severity of data security breaches.
As a few retailers have discovered, the consequences of a data breach can be devastating, affecting not just the bottom line but a more precious, less tangible commodity: the customer’s confidence in the retailer. That means data security must move up on the priority list for both well-established and emerging technologies.
Milepost 1: Use Compliance-Enabling Payment Technologies
The Payment Card Industry Data Security Standard (PCI DSS), managed by the PCI Security Standards Council, has established the parameters of the Cardholder Data Environment as the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. In an October 2011 article, Chase Paymentech identified two key compliance-enabling technologies:
- Masking: The use of replacement data to obscure or replace the Primary Account Number (PAN).
- Virtual Terminal: With this technology, cardholder data is captured and stored at a third-party location via an authenticated Web page with an SSL-encrypted communication link.
Milepost 2: Minimize In-Store Mobile Payment Risks
The growing popularity of mobile POS has prompted the PCI Council to expand its guidelines for encryption of card-reading devices. The new guidelines provide device manufacturers with a consistent set of data security and encryption standards, according to Bob Russo, general manager of the PCI SSC.
“There are already hundreds of devices to enable remote mobile acceptance of credit cards,” he says. “Merchants looking to buy these devices will be able to look up the vendors with compliant devices on the PCI website, www.pcisecuritystandards.org.”
Milepost 3: Continuously Monitor Payment Acceptance Hardware
The advent of new technologies doesn’t mean retailers should ignore security issues with traditional payment technologies. New York City police recently broke up a crime ring that had “skimmed” credit card data from both physical readers and online transactions, netting them more than $13 million.
There are some simple steps retailers can take to improve security. “As soon as you get a new PIN-reading device from the manufacturer, take a picture of it,” says Russo. “Each month, compare the original picture to what the device actually looks like.” Any changes could indicate that the device has been altered, possibly to allow for data skimming.
Retailers will need to prioritize their security efforts in order to mitigate the biggest risks. But these efforts will be more effective with a corporate mind-set recognizing that in today’s world, all kinds of data have value and thus require their own levels of management and protection.