Looking Beyond PCI Compliance: More Ways to Increase Security

March 6, 2017

In the past few years, there has been a significant effort to curb debit and credit card fraud, especially through the integration of mobile and EMV payment processing. However, while these platforms tend to be effective shields against bogus payments, merchants should still seek to do more when it comes to ensuring they and their customers aren’t hit by fraud on a regular basis.

The fact is that cybersecurity should be of the utmost importance to merchants simply because it is becoming more pervasive all the time, according to Retail Dive. Increased connectedness also increases the likelihood that data can be stolen or services can be otherwise disrupted. Today, nearly 9 in 10 online attacks are focused on financial data or espionage, and global loss from these crimes could grow to as much as $6 trillion in the next four years.

What Does That Mean for Merchants Large and Small?
Unfortunately, while it’s the big-name companies that grab headlines with data breaches – Target was famously breached in an attack that allowed crooks to make off with payment data for 42 million shoppers – smaller companies are very much at risk as well, the report said. And to that point, it must be noted that Target has the financial capability to invest millions of dollars in security each year, a luxury that the vast majority of merchants simply can’t come close to affording.

A poll of big retail executives found that 100 percent of them think data privacy and security are huge business risks, up from just 55 percent five years earlier, the report said. However, security experts say far more needs to be done than just addressing the basics.

“We still see a lot of retail organizations putting their eggs into the PCI basket,” Paul Truitt, vice president of cybersecurity services at managed network solutions firm SageNet, told Retail Dive. “The feeling is that they’ve secured their organizations by meeting PCI compliance requirements, but in reality, the vectors of attack are outside what PCI mandates needs to be done. When you think about security programs focusing only on PCI at best, we’re going to see a lot of data continue to be exposed.”

Efforts to improve payment and overall system security go beyond PCI compliance.

Other Ways to Increase Security
The good news for smaller firms in particular is that when it comes to dealing with non-PCI security issues, there are a number of good places to start, according to ANZ Blue Notes. Perhaps the most important, though, is that workers should be trained on an ongoing basis in the best way to handle payment card information and other data, no matter what level of the company they work at. The more that can be done to get everyone on the same page, the better off companies will be when it comes to properly protecting data.

This necessity becomes quite apparent when considering the ways in which threats are evolving, according to PYMNTS. As it becomes more difficult for thieves to obtain payment data through their traditional methods, they become more creative in their attempts to crack payment systems. Many have taken to attacking smaller targets like independent retailers, but others are trying to use phishing scams and malware assaults such as ransomware to meet their goals. Training workers in the right way to identify and avoid these pitfalls will therefore be crucial to ongoing security success.

Another type of evolving threat is the way in which thieves try to install skimming devices on traditional point-of-sale machines, which creates massive problems, PYMNTS further noted. And while EMV-enabled cards were supposed to address this issue to a large extent, the new threat of “shimming” devices has already started to crop up, less than 18 months after the EMV liability shift went into effect. For this reason, it’s also a good idea to train workers in the best ways to identify when POS card readers have been in some way tampered with, and to encourage them to routinely check to make sure all is as it should be.

Dealing With Reality
However, experts also recommend that companies do what they can to put contingency plans in place for when they are hit with attacks, according to Hawaii Business. The fact is that the vast majority of businesses are at least targeted by criminals these days, who probe for any weaknesses they can find. As such, it’s smart to have a response plan in place, but also basic plans to keep security as tight as possible on a regular basis. The more that can be done to plan for the worst, the better off companies will be when it actually arrives.

Last year alone, the number of consumers hit with some sort of identity theft climbed about 16 percent from the year before, to some 15.4 million victims, according to Javelin Research. That represented about 1 in every 16 Americans. Moreover, with the rise of EMV and mobile, it seems that when criminals do obtain consumers’ personal information, they use it to open new card accounts so that they can simply use an account in their victims’ names without that person even being aware of it. Only about 1 in 4 such victims learned of this type of fraud when checking their credit reports or being contacted by a debt collector.

With all this in mind, it’s vital to the ongoing financial health of smaller merchants that they do all they can to identify their security risk points regularly, and address those issues in a timely fashion. This will help them avoid hacking attacks and other types of fraud, providing greater peace of mind moving forward.
