Entries tagged with “tokenization”.


More than ever, it seems that individuals have either had their credit card information stolen or knows someone who has had their credit card information stolen. It is vital that you protect your credit card information and identity in today’s technology-based marketplace.

Pitfalls of Old Security Methods

For many credit and debit card users, it wouldn’t be reaching to guess they have been using the same cards for years. And, while their credit cards are remaining unchanged, hackers are using technology to find more advanced methods for stealing private information from consumers.

It isn’t just the credit cards which remain the same, security measures have been inconsistent, outdated, and faulty, putting card users at risk of having the information stolen. We have seen the consequences of faulty security measures in retail security breaches, which have left many with the responsibility of trying the mend the damage done to their credit.

Implementation of New Methods

New security methods are currently in place or just around the corner, with big changes expected as soon as 2020. What can we expect with the impending credit card security transformation?

  • Tokenization: In the future, all credit cards with use a smart chip instead of the traditional magnetic strip. This chip uses tokenization, meaning the chip creates a one-time transaction code for each payment. Tokenization removes the account number from the equation, and chip-enabled cards are expected to be much more secure.
  • PIN as standard: Debit cards require the use of a PIN for transactions already, and new credit cards are beginning to require consumers to use a PIN to make a payment as well. It is believed that use of a PIN will quickly become a global standard for debit and credit cards alike.
  • One card for multiple accounts: With time it will become common to use one card to manage multiple accounts. This change is expected to reduce risks of loss, theft and fraud. Additionally, it will simplify card management for users and reduce costs for credit card companies.

How You Can Prepare with EnsureBill

With so many changes to credit card security in the not-so-distant future, it is important that individuals and businesses are prepared to protect credit card information. The use of a payment facilitator through ProPay, which takes advantage of the advances these credit card security trends have made, is an excellent way to make sure credit card information remains secure. Payment facilitators are used to compiling credit card information on a secure server, which will prevent this information from falling into the wrong hands.

ProPay uses point-to-point encryption and tokenization to guarantee that credit card information is safely transmitted from the merchant to the payment facilitator. Point-to-point encryption simply means that credit card information is immediately encrypted at the point of input and is not decrypted until the payment facilitator processes it. Tokenization replaces sensitive data with non-sensitive data, so that only those who have token access can gain access to sensitive information.

EnsureBill is a service provided by ProPay to companies with customers who make automatic payments. EnsureBill is a secure and streamlined system for storing customer credit card information for recurring payments. Use of EnsureBill is shown to reduce declined transactions by maintaining customer credit card information.

Conclusion

There may never be a guaranteed way to keep credit card information safe 100% of the time, but payment facilitators have multiple credit card security measures in place which keep customer credit and debit card information secure. As credit card security measures are transforming over the next few years, make sure you choose a company that makes keeping your or your customer’s information secure its top priority.

“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.   Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that connection between customer and company continues to grow.  Social media, direct mailings, radio and tv advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  What a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  You marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise, than they are the fines that may be associated.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.

When we talk about the protection of data, particularly sensitive personal information like credit card or social security numbers, we often focus on “digital data.”  By digital data, I mean that data that is stored in our networks and computers, our POS systems and other “networked” appliances.  It’s easy to lose sight of the fact that copiers, printers, and fax machines are often “networked appliances,” complete with memory.  That means that it is conceivable that when you send a fax or make a copy, that appliance could retain that data in its memory.  As a result, that appliance now represents a point of vulnerability for the network.

The ability of these devices to store data should also be a consideration with looking to lease or buy previously used equipment, particularly when buying or leasing used POS equipment.  You may be introducing someone else’s liability into your secure environment.  This is where having proper policies and procedures becomes vitally important.  Merchants should have a process for evaluating security options on the device or equipment (does it allow for overwriting or encrypting the data in memory?); security procedures should also be in place to ensure that the device memory is regularly overwritten to avoid data leakage.

The PCI DSS specifically requires that companies “Protect Stored Cardholder Data Wherever it is Stored.”  Unfortunately, as our businesses grow, that often means that our cardholder data environment grows along with it.  Information security policies and processes become more and more important.  It can also be helpful to find strategies for limiting the size of the cardholder data environment.

“When good people…cease their vigilance and struggle, then evil men prevail.” - Pearl S. Buck

When I was learning to ride a motorcycle my instructor gave me one piece of advice that always stayed with me.  He said “keep your head on a swivel.”  In other words, while I had to make sure that I was doing everything I should be doing, I also had to make sure that I was constantly looking out for what other people may be doing.  That way I could correct my course, or at least take some action to ensure that what the other people were doing wouldn’t put me in danger.  While this is certainly good advice for riding motorcycles, it is also good advice for data security.  It may seem like a stretch, but bear with me.

In securing our customers’ payment data, we have a guideline (actually a set of fairly stringent requirements) in the form of the Payment Card Industry Data Security Standards (PCI DSS).  To learn more about these standards visit this site.  Following these guidelines ensures that we are doing what we “should” in terms of protecting the data.  But that doesn’t mean that others won’t be taking action to put you (and your data) in danger – in the form of data compromise.  That means that you have to stay vigilant for what others might be doing – “keep your head on a swivel” –  to ensure that you are addressing newly identified risks and vulnerabilities that may not be addressed by the guidelines.

Recent trends indicate that small merchants are increasingly becoming targets of data thieves.  In a recent interview, Vantiv Vice President David Mattei stated, “…now we’re seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems.” That means that as small merchants, even if we are PCI DSS compliant, we must remain vigilant against potential attack.  One way to foil the fraudsters in this case is with the use of a P2P Encryption and tokenization solution. In this instance, the data is removed from the merchant system and replaced with “tokens,” or abstract representations of the cardholder data.  While merchants can still use the data to run reports, issue refunds or fight chargebacks, data thieves would find the tokens to be worthless.

The lesson in all of this is that we must remain on guard against new threats, even if we are doing everything “by the book.”  Leveraging secure technologies like tokenization can help ease the burden of compliance and render you and your customers more secure in the long run.

We spend a lot of time talking about what to do to prevent a breach of networks or computer systems.  This discussion has been, and continues to be, very valuable.  It is discussions like this that have allowed the payments industry to develop solutions like ProtectPay, ProPay’s secure payment solution.  ProtectPay, for instance, allows merchants to accept payment card transactions without storing, processing, or transmitting payment card data.  The benefit of such a system is tremendous.  Not only does it allow companies to significantly reduce the costs and resources necessary to achieve PCI DSS compliance, but it also reduces the risk associated with a breach.  If a merchant using a properly configured tokenization solution is breached, there is no data there to be stolen.  The merchant has only value-less tokens, not valuable cardholder data.  Unfortunately, tokenization isn’t yet universally employed.  That means that there are quite a few merchants operating today that still have cardholder data in their systems.  And while the conversation about preventing a data compromise is important, an important question still remains: What happens after the breach?

Experian and the Ponemon Institute teamed to answer that question.  The results can be found in “The Aftermath of a Data Breach.” (Registration is required to download the study.)  Of the companies studied, 45% indicated that the company lost bank or credit card information, and 60% of respondents indicated that the data that was stolen was unencrypted.  Additionally, the study found that 34% of breaches studies were the result of a “negligent insider.” This seems to support the notion of using a tokenization solution.    It should be noted that 19% of responding companies suggested that “outsourcing data” was the cause of their breach.  Most tokenization solutions do require the outsourcing of data, so how can these two findings be reconciled?  There are two important concepts that readers should keep in mind.  The first are the statistics and the second is due diligence.

The statistics are interesting.  The findings tell us that 60% of respondents lost unencrypted data.  That likely means that at least some of the outsourced providers that were cited as a cause of the breach were not securely storing the data.  Another interesting finding is that a full 50% of breaches were caused by insiders (negligent insiders 34% and malicious insiders 16%).  The other concept that one should keep in mind when reading the study is the concept of due diligence.  Outsourcing data is a big decision for any company.  It is advisable to do a significant amount of research into the potential vendor.  For example in the payments industry, companies that store, process or transmit cardholder data on behalf of a merchant is called a service provider or a data storage entity.  Regardless of the terminology, the company must be compliant with the PCI DSS and be registered with the card brands.  Ensuring that potential partners meet these requirements can substantially mitigate potential risk on behalf of the merchant.

The study is a very interesting read and has important lessons for those companies that store sensitive data.  Perhaps the most important lesson is this: If you don’t need the data, don’t store it!

Dr. Heather Mark, PhD; Sr. Vice President Market Strategy