Looking Beyond PCI Compliance: More Ways to Increase Security

Nicholas Ferrari on 04/16/2019

In the past few years, there has been a significant effort to curb debit and credit card fraud, especially through the integration of mobile and EMV payment processing. However, while these platforms tend to be effective shields against fraudulent payments, merchants should still seek to do more to ensure they and their customers aren’t affected by security breaches.

Cybersecurity should be of the utmost importance to merchants because the concern is becoming more pervasive as consumers continue to move toward an all-digital presence. Unfortunately, that increased connectedness also increases the likelihood of hackers accessing sensitive data.

What Does That Mean for Merchants Large and Small?

While big-name companies grab headlines with data breaches, smaller companies are very much at risk as well. Large corporations also have the financial capability to invest millions of dollars in security each year, a luxury that the vast majority of merchants simply can’t come close to affording.

A poll of prominent retail executives found that 100 percent of them think data privacy and security are substantial business risks, up from just 55 percent five years earlier, the report said. However, security experts say far more needs to be done than just addressing the basics.

The efforts to improve payment and overall system security go beyond Payment Card Industry (PCI) compliance.

“We still see a lot of retail organizations putting their eggs into the PCI basket,” Paul Truitt, vice president of cybersecurity services at managed network solutions firm SageNet, told Retail Dive. “The feeling is that they’ve secured their organizations by meeting PCI compliance requirements, but in reality, the vectors of attack are outside what PCI mandates need to be done. When you think about security programs focusing only on PCI at best, we’re going to see a lot of data continue to be exposed.”

Other Ways to Increase Security

The good news for smaller companies, in particular, is that there are several good places to start when dealing with non-PCI security issues. Perhaps the most important is ongoing training for workers at every level in the best way to handle payment card information and other data. The more that can be done to get everyone on the same page, the better off companies will be when it comes to protecting data appropriately.

As it becomes more difficult for thieves to obtain payment data through their traditional methods, they become more creative in their attempts to crack payment systems. Many have taken to attacking smaller targets like independent retailers, but others are using phishing scams and malware assaults such as ransomware to meet their goals. Training workers in the right way to identify and avoid these pitfalls will therefore be crucial to ongoing security success.

Another evolving threat is thieves installing skimming devices on traditional point-of-sale machines, which creates massive problems. While EMV-enabled cards were supposed to address this issue to a large extent, the threat of skimming devices started to crop up less than 18 months after the EMV liability shift went into effect. For this reason, it’s also a good idea to train workers in the best ways to identify when POS card readers have been tampered with and to encourage employees to routinely check devices to make sure all is as it should be.

Dealing with Reality

Experts also recommend that companies implement contingency plans for when they are hit with attacks. The vast majority of businesses are at least targeted these days by criminals probing for any weaknesses they can find. As such, it’s wise to have both a response plan and standard procedures to keep security as tight as possible. The more that can be done to plan for the worst, the better off companies will be when it arrives.

With all this in mind, it’s vital to the ongoing financial health of smaller merchants that they do all they can to identify their security risk points regularly and address those issues promptly. These proactive measures will help them avoid hacking attacks and other types of fraud, providing greater peace of mind moving forward.

