Payment SecurityAre You Doing All You Should to Protect Your Customers’ Data?

The Payment Card Industry Data Security Standard — or “PCI DSS” — is a list of guidelines  designed to help organizations safely handle credit card information. It was created by the major card networks with the goal of maintaining secure standards for consumers’ personal account data.

“Guidelines designed to help” makes it sound like PCI DSS is just a suggestion, but that’s not actually the case. PCI-DSS Compliance is mandatory for any organization that accepts credit card payments. In fact, if a data breach occurs, penalties can go as high as $500,000 per incident, on top of $15-25 penalties for each account number involved.

You can’t protect anyone — including yourself — if your payments network isn’t secure.

Firewalls are like digital barriers between your business and cyberattacks that could compromise your internal network payment systems. They can be useful for traffic filtering, virus detection, alerting you to unauthorized access, and many other areas of fraud prevention. It’s one of the most straight-forward tool you can have to protect your network.

Other security could include segmenting your networking, restricting employee access when possible, and making sure your site works on a secure sockets layer.

Tokenization works by hiding important transaction details when they’re being transmitted to other parties.

Essentially, you’re temporarily replacing sensitive info like account numbers with unique generated codes, or tokens. During the transaction, the token is the only thing that gets transmitted. 

The token acts as a reference to the real data, but is ultimately meaningless on its own. The codes are completely random, so they can’t be reverse-engineered. And even if a crook could decode it, the token is only good for that one transaction.

Like tokenization, encryption involves converting sensitive payment card data into an encoded cryptogram for transmission. There’s a difference, though: while the code is unique to that specific transaction, it can only be deciphered using the corresponding decryption key. And the only ones who have the key are the payment processor and you (at least in theory).

It’s like locking the data in a safe before you send it. Since no one else knows the combination, the data is locked and inaccessible, even if the transmission was hijacked en route.

Passwords are the most recognized form of user authentication. That doesn’t mean it’s the best method, though.

Requiring users to enter a specific username and password code can be effective, but only if the code is long, random, and complex. Unfortunately, most consumers go with simple, easily-guessed passwords, which is hardly better than having no password at all.

A one-time password (OTP) does the same basic job as a static password. They just work exponentially better.

OTPs are algorithmically generated codes. In many cases, they can be used in tandem with a traditional name and static password. When the user attempts to log in, your site automatically sends them an additional code to further verify their identity. As you might suspect, the codes are valid for only one login.

Biometrics is the use of unique physical attributes (fingerprints, face recognition, voice recognition, etc.) to validate the user’s ID identity.

Biometrics are much stronger than traditional passwords. But, while it’s nearly impossible to replicate that sort of thing, biometrics are still commonly used in conjunction with an additional form of authentication, such as a password, just to add additional security.

With online payment security, you can't see the card or the cardholder. Card verification values (CVV) are a way to check that the buyer actually has possession of the physical payment card they’re trying to use.

This 3- or 4-digit code cannot be saved in your database; it’s only available on the card itself. If the user can’t enter the correct code, the order is typically cancelled.

Address Verification Service (AVS) is another commonly used fraud prevention tool.

To verify a buyer, it automatically compares the billing address the buyer enters against whatever address the issuer has on file. Matching addresses are OK’d, while mismatches are flagged as potential fraud.

Of course, consumers do have orders shipped to addresses other than their own in a lot of cases. So, while AVS can be effective, it's not perfect.

The 3-domain secure (3DS) structure is yet another standardized way of authenticating card transactions.

Customers can create and assign a password to their card that must be verified whenever a transaction is processed on a 3DS-enabled site. Shoppers are prompted to enter their pre-registered code at checkout. If they cannot enter their password correctly, they may be required to complete an extra step of verification.