March 9, 2011
Politically correct PCI
Australian retailers are making life too easy for fraudsters
The ecommerce industry in Australia has seen tremendous growth in recent years. Australians have welcomed the trend towards e-retailing and more businesses are selling online now than ever before.
As a result, cardholder-not-present (CNP) transactions have become increasingly popular with consumers who enjoy the convenience of shopping online or by using smart phones. In an insecure environment, there is a risk that card details can be captured through electronic means and potentially exploited.
The cost of payments fraud
Fraudulent CNP transactions are one of the top business concerns for CFOs. The Australian Payments Clearing Association reports that fraudulent transactions cost Australian businesses more than $55 million in lost sales last year.
Online retailing and electronic transactions have opened the door for cybercriminals looking to take advantage of unsuspecting merchants and consumers.
In addition to lost sales, CNP fraud also impacts an organisation’s administrative overheads such as chargebacks, as well as brand name and reputation. Any information security breach can have long-term consequences for the business. In the case of high-profile data breaches, reputational damage can sometimes be beyond repair.
Globally, the estimated cost of payment card crime to businesses is tens of billions of dollars each year. Recent global findings from the Mercator Advisory Group indicate the average cost per data breach for larger merchants exceeds US$6.65 million, which highlights the huge financial risk.
The Payment Card Industry Data Security Standard (PCI DSS) was developed through collaboration with the major credit card issuers in response to an alarming rise in the theft of payment card data.
Under PCI DSS, all businesses processing payment transactions or storing customer cardholder data must operate in a PCI compliant environment. Failure to do so can have serious ramifications including severe fines. In extreme cases, merchants can also be prohibited from processing payments.
However, despite the financial risks and potential damage to reputation, many merchants remain non-compliant. Some merchants simply lack knowledge on the matter and underestimate the security risks. Others believe their business meets compliance standards, but do not regularly monitor and test their networks for possible problems.
Best practices for ensuring compliance include:
- Building and maintaining a secure network;
- Using management solutions consistent with PCI standards;
- Devising a risk management program;
- Implementing strong access control measures;
- Regularly monitoring and testing networks;
- Implementing an information security policy;
- Investing in technology to securely process payments; and
- Seeking advice from a trusted payment solution provider.
Outsourcing PCI requirements
While every merchant is responsible for ensuring their business is compliant, there is a growing trend towards outsourcing portions of the infrastructure to third-party providers. This can greatly reduce a merchant’s PCI compliance scope and exposure to fraud, and create an additional layer of protection.
Tokenisation
An attractive alternative to managing customer card details in-house is outsourced tokenisation technology. This works by replacing a credit or debit card number with a token or reference number, while the card number itself is encrypted and stored remotely on a third party’s database. If the merchant suffers a data breach, the cardholder information remains secure in the third party’s database and fraudsters can only access tokens at the merchant’s end. Because a token carries no information about the card number it stands for, it is essentially worthless to a would-be fraudster.
Outsourcing tokenisation reduces the scope of the merchant’s liability and PCI audit requirements, offering peace of mind, substantially reducing risk, and likely lowering their PCI audit costs.
Data encryption
Cardholder data should be encrypted from the moment it enters a payments system, such as when a card is swiped through a POS terminal or details are entered on an ecommerce website. It then travels in encrypted form and is only decrypted at the point where the transaction is processed. Encrypting data in transit makes it far harder for cybercriminals to capture usable cardholder data, and so reduces risk.
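The following is an added illustration of the tokenisation and data encryption arrangements described above; it is not code from the article or from TNS. It models both sides of the arrangement: the third party's vault, which holds card numbers only in encrypted form and hands out random tokens, and the merchant's database, which keeps only the token and the last four digits. Because the Python standard library has no AES, the vault's cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; that construction, the `tok_` token prefix, the Luhn pre-check and the sample card number are all assumptions of this example. A production vault would use AES-GCM with keys held in an HSM.

```python
"""Minimal tokenisation vault (added illustration, not TNS or article code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample: a standard Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used to reject malformed card numbers before vaulting."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption / MAC / index keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for AES (assumption)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)  # fresh per call, never reused with this key
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject tampered blobs."""
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class TokenVault:
    """The third party's side: maps random tokens to encrypted card numbers."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # In production this key lives in an HSM, not in process memory.
        self._key = key or secrets.token_bytes(32)
        self._store: Dict[str, bytes] = {}  # token -> encrypted PAN
        self._index: Dict[bytes, str] = {}  # keyed hash of PAN -> token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        fp = hmac.new(_subkey(self._key, b"idx"), pan.encode(), hashlib.sha256).digest()
        if fp in self._index:  # same card -> same token, e.g. for recurring billing
            return self._index[fp]
        token = "tok_" + secrets.token_hex(16)  # random: no mathematical link to the PAN
        self._store[token] = encrypt(self._key, pan.encode())
        self._index[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return decrypt(self._key, self._store[token]).decode()


def store_card(vault: TokenVault, pan: str) -> Dict[str, str]:
    """Merchant side: the only fields the merchant's own database keeps."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card(vault, SAMPLE_PAN)
    print("merchant record:", record)
    print("vault resolves to:", vault.detokenize(record["token"]))
```

The point the example makes concrete is the one the article relies on: a copy of the merchant's table yields only `tok_…` strings and last-four digits, and turning a token back into a card number requires both the vault's store and its key, neither of which is in the merchant's environment. The tag check in `decrypt` also shows why encryption at rest should be authenticated rather than bare: a modified ciphertext is rejected instead of being silently decrypted into garbage.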
Hosted payment environment
Many third-party providers offer hosted payments solutions that act as a payments gateway for merchants. These allow transactions to be initiated from the merchant’s website, but the page where payment information is entered and processed is hosted outside the merchant’s environment by the third-party provider. Payments occur in a PCI compliant environment and merchants are thereby able to reduce their own PCI audit scope.
John Banfield is the Senior Vice President and General Manager of TNS’ payments division in Asia Pacific.
Written by: Charis
