Payments security is top of mind for most merchants in the U.S. But what’s new? What should merchants be aware of about payment security? What do merchants need to know about PCI and its latest security standards? We caught up with Dr. Robert Martin, Chief Technology Officer at Ingenico Group, to shed some light on the payment security issues that all merchants should know about, including the new PCI requirements.
How concerned are merchants today about payment security in general?
How concerned merchants are about security really depends on the type of merchant. I think your big merchants, your retailers, your mid-tier, your hospitality merchants, and your big restaurants are very concerned. The breaches that have occurred over the last several years have focused everyone tightly on payment security. When you get to the SMB, your small and medium-sized businesses, they’re not as concerned as they should be. But they’re getting the realization on it through some of the compliances that are being pushed by the card brands and the PCI SSC. They may think they don’t need to worry about security, but if they get hit, it’s a very costly exercise for them.
How should merchants address their payment security concerns?
The best way to address the payment security concerns is to devalue the data anywhere that you can. You devalue the data by going through things like point-to-point encryption (P2PE). Your major retailers, your big entities, your hospitality providers and your restaurants have been incorporating it, which is good. But it’s just as important when you get down to your small and medium-sized businesses that they devalue the data because, if the criminals can’t make money off of your data, they’ll move on to someone else. They’re there to make money.
What are some myths regarding payment security that exist in the industry?
One of the biggest myths that has come with the EMV transition is the belief that incorporating EMV is protecting the cardholder data. EMV and point-to-point encryption and, for those who have a need to store cardholder data, tokenization really go together. Those are the three legs of the security stool that every merchant should be incorporating. EMV protects them from counterfeit cards or they’re already in the ecosystem. Point-to-point encryption protects cardholder data they accept, and tokenization allows them to keep their cardholder data as appropriate for business purposes without having it be vulnerable to a breach. By incorporating these three, merchants are protecting their consumers’ data and their customers.
Why is it important for merchants to be aware of the latest PCI requirements?
One of the biggest reasons that merchants want to pay attention to compliance and the latest standards is that as the threats evolve, the standards from PCI evolve. They come out with updates, and sometimes their updates are because of an evolving threat out there to merchants. The goal for merchants should not be to be compliant; it should be to protect their cardholder data. That’s their customers’ data that they are protecting. The securing of the cardholder data leads them to compliance. That’s how it should be approached. Work on the security side first and compliance will follow.
How can merchants reduce their overall PCI scope?
There are a couple of different strategies that we like to talk about. Multi-layered security: as part of what merchants should be doing in order to increase security and reduce their compliance burden, look at things like point-to-point encryption, potentially semi-integrated. Add in the multiple layers of security so that if someone were to get access to their network, they get nothing of value. That’s one of the most important pieces.
What are some of the latest PCI DSS updates that merchants should know?
Here at the end of October 2016, merchants are going to need to be using PCI DSS 3.2. There are some new requirements in 3.2 that come into effect in 2018. There are some updates that are relevant now. I think the biggest one for merchants at the point of acceptance, at the point of sale, at the check-in desk in hospitality or at the table for Pay-at-the-Table, is that the requirements on patching now include the payment application, which can no longer be treated separately. That was one of the big changes that would most directly affect the front of the house for merchants in 3.2.
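The interview above describes "devaluing the data" and names tokenization as the leg of the security stool for merchants who must keep cardholder data on file. The following is an added illustration, not code from Ingenico or from the interview, of what that devaluation looks like in practice: a hypothetical token vault (assumed to be operated by a tokenization provider, never by the merchant) hands the merchant a random token that preserves only the last four digits, and the merchant's order database stores the token instead of the PAN. The `TokenVault` class, the `9`-prefixed token format, the vault key and the order records are all constructed for this example; the test PAN 4111111111111111 is a well-known Luhn-valid placeholder, not a real card number.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string, so malformed input is rejected before it is tokenized."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault held by the tokenization provider (assumption for this example).

    The PAN is kept only here; the merchant never sees anything but the token.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed lookup index; constructed secret, lives in the vault only
        self._by_index = {}           # HMAC(PAN) -> token, so a returning card gets its existing token
        self._by_token = {}           # token -> PAN, the single place the PAN is stored

    def _index(self, pan: str) -> str:
        # Keyed hash so the index itself does not leak the PAN if copied out of the vault.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            # Constructed token format: arbitrary '9' marker, random middle, real last four digits
            # so receipts and customer service can still show "ending in 1111".
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            if token not in self._by_token and token != pan:
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; the merchant's systems never hold this mapping."""
        return self._by_token[token]


def merchant_store_order(vault: TokenVault, order_id: str, pan: str, amount: float, orders: dict) -> str:
    """Merchant side: swap the PAN for a token at acceptance and persist only the token."""
    token = vault.tokenize(pan)
    orders[order_id] = {"token": token, "last4": token[-4:], "amount": amount}
    return token


def leaked_db_contains_pan(orders: dict, pan: str) -> bool:
    """Simulates an attacker reading a copy of the merchant's order table: is a full PAN recoverable?"""
    return any(pan in str(record) for record in orders.values())


if __name__ == "__main__":
    vault = TokenVault(b"constructed-vault-key-for-example-only")
    orders = {}
    tok = merchant_store_order(vault, "order-1", "4111111111111111", 12.50, orders)
    print("merchant stores:", orders["order-1"])
    print("full PAN recoverable from merchant DB:", leaked_db_contains_pan(orders, "4111111111111111"))
    print("vault can still charge the card:", vault.detokenize(tok))
```

The point the code makes is the one the interview makes: a copy of the merchant's records is worthless to a thief because the token carries no value outside the vault, while the merchant keeps enough (the token and last four digits) to run repeat billing, refunds and customer lookups.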