Credit cards and debit cards, collectively known as payment cards, have become an increasingly popular option for consumers around the world, and South Africa is no exception. Payment cards are more convenient than cash and are considered far more secure as well. However, as anyone who has ever had their card details stolen will attest, payment cards are not risk-free, says Simeon Tassev, MD and QSA at Galix.
The growth of online shopping in particular has drawn the attention of cyber criminals, who frequently target payment processing gateways as a means of stealing payment card information.
This not only causes lost revenue and harms the end user; it can also severely damage the reputation of the online merchant, even though the merchant may not be at fault for the breach. Security throughout the payment process is therefore essential, and compliance with existing standards such as the Payment Card Industry Data Security Standard (PCI DSS) should be a priority for any organisation within the card payment chain.
Cyber-crime has become a global challenge, and the payment card industry is an attractive target for these criminals, as the information that can potentially be stolen can be used for nefarious purposes or readily sold on the black market.
The targets of such attacks are often companies known as payment processors, which are effectively an intermediary between the merchant and the bank. These companies receive all of the client’s payment information for processing before this information is then sent to the bank for authorisation. The bank will then perform validity checks before sending the authorisation (or declining the transaction) back to the merchant.
For those with malicious intent, these companies are a veritable treasure trove if a loophole can be found and exploited. Payment processors are often small companies, but because of the volume of transactions they handle, criminals can potentially reap significant returns. In addition, because the system is online and automated, there are few manual checks in place through which a hack or other breach could be detected. Any breach impacts not only the payment processor, but also every merchant using their services, as well as potentially thousands of end-user customers. Payment security should thus be top of mind for anyone in the chain, and compliance with existing standards such as PCI DSS is vital.
The reality is that merchants, payment processors and even customers are unaware of the many ways their information may be stolen. Malware can be implanted on credit card terminals, on servers, on end users' computers and more, all with the intent of propagating throughout the payment chain and stealing payment information. Various pieces of legislation are already in place requiring compliance with PCI DSS, which is the leading data security standard for the payment industry. PCI DSS covers the entire payment chain, not just specific elements, which is essential for ensuring payment information does not fall into the wrong hands, as one weak link in the chain can compromise the entire process.
Security checks are essential, and PCI DSS outlines a thorough security framework covering every way in which payment information could be intercepted. This includes physical security, communications, storage and transmission of data, and more. To use a simple example, if payment card information needs to be transmitted electronically, PCI DSS mandates that the transmission be encrypted to protect the information. This sounds like common sense; however, many merchants, end users and organisations contravene this recommendation: payment card information is often sent via email, which is not secure and is an easy way for hackers to obtain this data.
Security systems should enforce policies that ensure PCI DSS compliance, and the technology to do so is already available. For example, if credit card details are received by a merchant via email, systems should automatically block that mail, removing human intervention from the security process. However, while the need for payment security is critical, studies have shown that compliance with PCI DSS is by no means universally achieved. In fact, according to the Verizon 2015 PCI Compliance Report, nearly 80% of businesses fail their interim PCI DSS compliance assessment.
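One way such an automatic block can be enforced, shown here as an added example that is not part of the original article and not Galix's or any vendor's product code: scan the message body for digit sequences that pass the Luhn check used by payment cards, block the message if one is found, and record only a masked PAN (first six and last four digits, the most PCI DSS allows to be displayed) so the filter's own logs never store full card numbers. The sample messages are constructed; the 4111... number is the widely published Visa test PAN, not a real account.

```python
import re

# Constructed sample e-mails for the demo (not from the original article).
# 4111 1111 1111 1111 is the well-known Visa test PAN, not a real account number.
SAMPLE_MAIL = {
    "order_with_card": "Hi, please charge my card 4111 1111 1111 1111, exp 12/27.",
    "shipping_notice": "Your parcel tracking number is 1234567890123456.",
    "clean": "Invoice attached; please pay via the secure payment page.",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (so timestamps and long reference numbers are not split up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return candidate card numbers (digits only) that also pass the Luhn check."""
    pans = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the maximum PCI DSS permits to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def evaluate_mail(body: str) -> dict:
    """Decide whether a message should be blocked; the full PAN is never returned."""
    pans = find_pans(body)
    return {"action": "block" if pans else "allow",
            "masked_pans": [mask_pan(p) for p in pans]}


if __name__ == "__main__":
    for name, body in SAMPLE_MAIL.items():
        print(name, evaluate_mail(body))
```

The Luhn check keeps ordinary 16-digit reference numbers (like the tracking number above) from triggering a block, while a real mail filter would additionally inspect attachments and headers.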
This is often a result of the cost and complexity of compliance; however, the reality is that compliance is fast becoming critical for a number of reasons. These include legislation mandating compliance, the potential for lost customers and revenue as a result of a security breach, and the prospect that other parties in the payment process will refuse to do business with a merchant or payment processor that is not secure.
The PCI DSS provides a framework for ensuring that the highest level of security is implemented at all points along the payment chain. This protects all parties from the consequences of a breach, helping to prevent financial and reputational loss and to maintain customer confidence.