Building an Effective Payment Card Data Security Strategy
The need to secure payment card data has never been more critical. Coordinated global attacks are driving costs associated with payment card fraud up at an alarming rate. The industry lost $5.3 billion to payment card fraud in 2012, up from $3.6 billion in 2010. Financial institutions must actively protect payment card information. Let's explore six important components of a comprehensive payment card data security strategy.
Cardholders need to know that their account information is safe and that they have zero liability for any unauthorized transactions. This messaging is especially important when stories about data breaches are in the mainstream media. The cornerstone of any data security strategy should be initiatives to retain trust and messaging to communicate these efforts to members/customers.
The payments industry has developed a set of standards to safeguard payments data. Detailed in 12 separate requirements, the PCI-DSS applies to all entities that handle payment card data. It is important to verify that merchant members/customers are adhering to these requirements. The practical manifestation of the rules is “common sense” – do not write down card numbers, do not let cards leave the cardholder's sight, and password-protect stored card numbers.
The industry has adopted a global standard for chip-based cards, known as EMV. EMV cards are almost impossible to counterfeit and store sensitive payment card information more securely than a magnetic stripe. Every issuer should have a deliberate strategy to ensure its payment cards are secure before the October 2015 deadline.
New EMV cards will require new EMV point-of-sale terminals. To spur the adoption of EMV point-of-sale terminals, the major payment networks will change the liability for disputed counterfeit card transactions, shifting liability to the party with the least secure payment technology. Actively encourage your merchant members/customers to upgrade their POS terminals. Once a merchant has deployed EMV terminals, they are safeguarded against the upcoming liability shift.
CNP Data Protection Tools for Cardholders
Consumers are shopping more online and using physical plastic cards less frequently. One of the greatest risks arises when consumers enter their card credentials on a website or in a mobile app and that account information is then stored, leaving it at risk of compromise. To address this weakness in the payments market, several companies have developed e-wallets, which let cardholders store payment card details in a virtual account so that card details are not shared with merchants. You can also consider providing the ability to use temporary card numbers, with fixed limits and validity.
CNP Data Protection Tools for Card-Accepting Businesses
The experience of countries that have migrated to EMV shows that fraud tends to migrate to the weakest link in the system, typically card-not-present (CNP) channels. As the U.S. moves to chip cards, it will be even more important for merchants to ensure the legitimacy of CNP payments through the use of fraud management tools such as AVS, CVV2 and real-time transaction risk scoring. Educate your merchants on these emerging data security capabilities, and match the right solution to each particular business environment.
There is no silver bullet to payment card data security. A multi-faceted approach, securing both consumer and business channels, and working in partnership with your payment processor, has the best chance of success.
Stephanie Ferris is senior vice president and general manager for Vantiv's Financial Institution Merchant Services. She can be reached at 513-900-4212 or firstname.lastname@example.org.