With customers migrating to a more digital marketplace, merchants are faced with balancing customer experience whilst ensuring they comply with industry standards and protect both parties to the transaction. Shane Fitzpatrick, president and managing director of Chase Paymentech Europe, sets out guidelines to help ensure your payment process is secure from online fraudsters.
Research from the British Retail Consortium, ‘Cost of Payment Collection’, found that the use of alternative payment methods, such as manufacturers’ money-off coupons and PayPal, has more than doubled compared with the previous year and now accounts for five per cent of all transactions (Source: British Retail Consortium). With this growing trend and an ever-increasing number of transactions being conducted online, it has become vital for online retailers to have secure payment processing platforms. Taking payment systems beyond the industry compliance rules of the Payment Card Industry Data Security Standard (PCI DSS) by implementing additional security measures has now become necessary in order to help protect future online business growth.
Fraud impacts nearly eight in every ten international online retailers (Dynamic Markets: Putting Customers First, March 2013). In May 2013, the Federal Reserve indicted eight men for netting $45 million by hacking credit card processors in the U.S. and India. Fraudsters know no boundaries and the threat faced by online retailers in the U.S. and India is the same threat facing online retailers in Russia, Brazil, China, Ireland or the U.K. Fraud hampers prospects for growth, restricts profitability and increases overhead costs. But with the right tools, intelligence and strategy, retailers can effectively detect and manage fraud. Effective fraud management can enhance efficiency and productivity and can allow online retailers to focus on expanding their businesses into new countries and markets.
As we continue to migrate to a more digital marketplace, Chase Paymentech has found that merchants are facing a new challenge – mobile commerce and social media. Online retailers are now required to balance customer convenience with the need for data security compliance within their organisation.
Our experience has demonstrated that when it comes to maintaining data security in merchants’ environments, there is no one-size-fits-all approach for adhering to the industry’s global standard PCI DSS. Chase Paymentech has therefore provided guidance to help European online merchants upgrade security and reduce compliance costs while protecting customers’ payment information.
Our guidelines are designed to enhance the security of payment transactions for both retailers and their customers. A comprehensive security strategy is paramount when it comes to ensuring the success of a business. That strategy will vary depending on the size, type and processing capabilities of the business. Additionally, as the sales channels and environment shift rapidly, strategies will need to accommodate this shift and evolve accordingly.
Meeting compliance requirements in the card-not-present environment can be difficult for many organisations. Many solutions available in the market serve only to satisfy the need for PCI DSS compliance and do not take into account the overall consumer experience.
According to a recent survey conducted by Cisco, educating employees on the proper handling of cardholder data is the main cause for concern when it comes to maintaining and achieving PCI compliance (see chart below), and therefore should be given the most attention when it comes to successfully executing a strategy (Source: Cisco, Organizations See PCI as a Benefit, not a Burden 2011*).
(Chart source: Cisco, Organizations See PCI as a Benefit, not a Burden 2011)
However, when looking at PCI from a more comprehensive perspective, the majority of IT decision makers surveyed did not feel that the PCI requirements are in any way unreasonable. In fact, 70 per cent of participants surveyed feel their organisation is more secure than it would be if PCI were not required, with the vast majority (87 per cent) going so far as to say that PCI compliance is necessary for optimal performance and data security (Source: Cisco, Organizations See PCI as a Benefit, not a Burden 2011).
Ultimately, the PCI standards are designed to protect not only cardholder data, but also the bottom line. Compliance with these standards applies to all systems, staff and processes involved in the handling, transmitting and storing of payment data. Businesses that accept credit card payments can choose to manage that process themselves, a costly and resource-intensive path, or seek to shift that responsibility to a trusted industry expert. But regardless of the avenue through which they choose to pursue data security, the end result justifies the means.
Three steps to secure payments:
- Educate the workforce – ensure clear policies are in place regarding the handling of cardholder data and technology usage in order to keep data secure. Employees must be aware of the proper use of technology, as must vendors and anyone else who uses the network.
- Robust system – Creating a secure, seamless and compliant payment experience can be a complex, expensive and recurring task. The system must make it easy to capture sales, protect customers’ payment account data and provide a payment experience that inspires confidence – all while helping to meet PCI compliance standards.
- Tokenisation – This helps to minimise the burden on IT resources while providing the ultimate flexibility to brand and design the customer payment experience. Tokenisation addresses cardholder data at rest (in storage) by replacing the primary account number (PAN) with alternative identifiers (or tokens). The processor generates a token that stands in for the card number and returns it to the merchant, which then uses the token in place of the PAN, reducing exposure and helping to ensure PCI compliance.
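As an added illustration of the tokenisation flow described in the third step (example code written for this article, not Chase Paymentech's own vault or API), the sketch below separates the processor-side vault, which alone holds the PAN-to-token mapping, from the merchant-side customer record, which stores only the token and the last four digits. The token format, the in-memory vault and the card number (the well-known 4111… test PAN) are all constructed for the example.

```python
import re
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check, used to reject malformed PANs before they are vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor-side vault (in-memory stand-in; a real vault is HSM-backed and in PCI scope)."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._token_by_pan:           # same card -> same token (repeat customers)
            return self._token_by_pan[pan]
        # The token is random, not derived from the PAN, so it cannot be reversed
        # outside this vault; the last four digits are kept for receipts and display.
        while True:
            token = "tok_%s_%s" % (secrets.token_hex(8), pan[-4:])
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the processor can map a token back to the PAN (e.g. to authorise a charge)."""
        return self._pan_by_token[token]

def merchant_store_card(vault: TokenVault, pan: str, customer_db: dict, customer_id: str) -> str:
    """Merchant side: the PAN is sent to the processor once; only the token is persisted."""
    token = vault.tokenise(pan)
    customer_db[customer_id] = {"token": token, "last4": token[-4:]}
    return token

def record_holds_pan(record: dict) -> bool:
    """Scope check: a merchant record must contain nothing that looks like a full PAN."""
    return any(re.search(r"\d{13,19}", str(v)) for v in record.values())
```

Because the merchant record passes `record_holds_pan` as false, the customer database and the systems around it hold no cardholder data, which is the scope reduction the article refers to.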
How to integrate and accommodate these technologies will depend on the business, culture and revenue models. Regardless of the type of business, PCI compliance should always be viewed as a business requirement and best-practice, not a one-time, stand-alone IT issue.
Ultimately, there is no quick-fix approach to both achieving and maintaining compliance. It is an on-going process that begins at the strategic level. As such, it is important that merchants address both the business side (e.g., process and payment flow) and the appropriate technological counterpart to ensure the security of payment data. The combination of tokenisation and a dynamic payments page provides the greatest likelihood of significant, long-term data security and PCI scope reduction.
Shane Fitzpatrick is the President and Managing Director of Chase Paymentech Europe Limited
Chase Paymentech Europe Limited, trading as Chase Paymentech, is regulated by the Central Bank of Ireland.
The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision.
© 2013, Chase Paymentech Europe Limited. All rights reserved.
*Research data used with the permission of http://thenetwork.cisco.com/