October 19, 2020 - PCI Compliance is a recurring topic that feels like a thorn in everyone’s side.
It comes up again and again during conversations and integrations, and it is an important discussion to have. There are many PCI compliance standards that you may have heard of, including PCI DSS, PCI PTS and so on. These standards were designed to keep payment solutions in check and make sure that sensitive card data remains safe.
The PCI DSS, for example, is the Data Security Standard released by the PCI Council. It is put in place to ensure that all businesses that accept, process, store or transmit cardholder data (i.e., credit card information) do so in the safest way possible. By following these requirements, merchants can better protect their payment infrastructure from data breaches.
But, PCI Compliance is not enough anymore. Threats from criminals are constantly evolving and becoming more sophisticated. Businesses need to take additional security measures to protect sensitive cardholder data and their payment technology investments.
Here are a few ways businesses can protect their payment infrastructure:
1. Take a Semi-Integrated Approach
A semi-integrated approach reduces the communication between the terminal and the electronic cash register (ECR) to non-sensitive commands. Sensitive card data is isolated, encrypted and sent directly from the terminal to the intended processing host or gateway. This way, the payment card data never touches the point of sale (POS) system, so a vulnerability in the POS cannot expose it. The semi-integrated approach also keeps the POS system out of the PCI audit scope, saving businesses time and money.
2. Use Point-to-Point Encryption (P2PE)
Payment data can be stolen in many ways and a common way these thefts happen is when the data is in transit. A P2PE solution helps protect the card data while it is on the move during the payment process. It is an industry-proven solution that helps protect sensitive card data from cybercriminals.
3. Use Tokenization
To complement P2PE, tokenization helps protect card data at rest. It replaces the sensitive information with a secure encrypted token, protecting it from cybercriminals. After many data breaches over the years, current PCI standards do not allow businesses to save and store credit card details on their POS systems or databases after a transaction unless they are tokenized. If the clear-text data is stored and stolen, it can be used to create counterfeit cards. When this data is tokenized, it becomes useless to any cybercriminal, as it can only be decoded by the payment processor. Storing tokenized data helps retailers associate these tokens with specific customers and can further enable them to study spending patterns without compromising the security of sensitive credit card information.
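To make the tokenization idea concrete, here is an added example (not from the original article, and not Ingenico's or any processor's real implementation) of a processor-side token vault and a merchant-side card-on-file record. The vault, the `tok_` token prefix, the test card number 4111111111111111 and the merchant record layout are all constructed for illustration. The point it demonstrates is the one the paragraph makes: the merchant keeps only a random token plus the last four digits, so its database holds nothing a criminal could turn into a counterfeit card, while the processor can still map the token back to the PAN for a repeat transaction.

```python
import secrets
from dataclasses import dataclass

# Constructed example: a payment processor's token vault and a merchant-side
# card-on-file record. Not the code of Ingenico or any real payment processor.


def luhn_valid(pan: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) used to reject mistyped card numbers
    before they are ever tokenized."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: after tokenization the PAN exists only here.
    A real vault would hold the PAN encrypted under HSM-managed keys; this
    constructed example keeps a plain in-memory dict to show the data flow."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # The token is random: no key and no mathematical relation to the PAN,
        # so a stolen token cannot be reversed outside the vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can do this; the merchant never holds the mapping."""
        return self._pan_by_token[token]


@dataclass
class MerchantRecord:
    """What the merchant's POS or database is allowed to keep per customer."""
    customer_id: str
    token: str
    last4: str          # masked digits for receipts and customer lookups


def store_card_on_file(vault: TokenVault, customer_id: str, pan: str) -> MerchantRecord:
    """Tokenize at the processor and keep only the token and last four digits."""
    token = vault.tokenize(pan)
    return MerchantRecord(customer_id=customer_id, token=token, last4=pan[-4:])


def record_leaks_pan(record: MerchantRecord, pan: str) -> bool:
    """Check used here to confirm the full PAN is absent from the stored record."""
    return any(pan in str(value) for value in vars(record).values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_card_on_file(vault, "cust-0001", "4111111111111111")  # constructed test PAN
    print("merchant stores:", rec)
    print("full PAN present in merchant record:", record_leaks_pan(rec, "4111111111111111"))
    print("processor recovers:", vault.detokenize(rec.token))
```

Running it shows the merchant record containing only `tok_...` and `1111`, while `detokenize` on the processor side still returns the original number for a later charge. The repeat-customer use the paragraph mentions falls out naturally: the same token on two transactions identifies the same card without the merchant ever seeing the PAN.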
4. Use Mobile Device Management (MDM)
Many businesses use consumer-grade mobile devices to work with their POS systems. This is where MDM can come in handy. MDM, or mobile device management, is a type of security software that allows businesses to remotely deploy and securely manage their mobile POS solutions. It also helps businesses protect those mobile POS solutions from security threats.
5. Train Your Employees
Sometimes the biggest breaches are caused by simple negligence on the part of untrained staff. A staff member picking up a random flash drive and plugging it into their computer is a simple example that can be catastrophic for the business. Employees also need to be aware of the possibility of device tampering, which gives criminals access to sensitive information.
Businesses need to routinely inspect their public-facing devices for signs of tampering to avoid data thefts or breaches. Effective training of employees regarding basic security protocols can help curb such mistakes and better protect your business. Security threats will keep evolving and so will the solutions built to fight them. It is important for businesses to be aware of these changes and developments to stay one step ahead of cybercriminals.
This content was developed in partnership with Ingenico Group, a leading provider of secure payment solutions.