As the Internet of Things (IoT) connects more and more devices, the potential for hacking, theft of sensitive information and other cyber-crimes extends to an ever-increasing number of devices. The reality is that cyber-crime pays, and the individuals and syndicates involved in such activities are in it for the money. One area where fraud is rife is the credit card payment process. From online payment gateways to connected payment terminals and even new mobile applications (apps) that allow for card-less payments, every endpoint and every part of the process needs to be secured to prevent theft of credit card information.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global standard that provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Adherence to PCI DSS not only helps to protect vulnerable customer data, but has also become a requirement from the Payment Association of South Africa (PASA) for the granting of licenses to process credit card transactions. As such, complying with PCI DSS has become an essential component of payment process security, both to minimise risk and to help businesses remain profitable.
Cyber-crime is no new challenge for business; however, the connectedness and increasing complexity of systems makes security more difficult to manage. The consequences of such attacks are varied and depend on the type of attack perpetrated – anything from denial of service that can shut down a business’ online operations, to phishing and other information fraud. These consequences are difficult to quantify, as they may reach further than the immediate effects, but they can all be detrimental to business. When it comes to payments, the credit card process is frequently the subject of hacking and other cyber-crime events, as this information is highly valuable on the black market. Credit card fraud is a common challenge, and all stakeholders in the payment process need to work at mitigating this threat. This includes the payment card industry itself as well as banks, merchants and vendors, and even the card-holding consumer.
For consumers, keeping credit card information safe is a matter of understanding the threat and safeguarding against it. For the other players in the chain, however, this is more complicated. To ensure that the correct controls are put into place to protect systems, the major payment card industry players implemented the PCI DSS standard. This standard stipulates a number of criteria, including what information can be saved in any payment system and what cannot. For example, the PCI standard prohibits any part of the process from recording the security code, or CVV number, of any credit card. This code cannot be stored on any system post-authorisation.
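The storage rule above is best enforced at the persistence boundary rather than left to individual developers. The following is an added illustration, not code from the article or from Galix: a hypothetical payment service drops CVV-type fields before a transaction record is written, masks the card number, and audits records for leaks. The field names and the sample transaction are constructed.

```python
"""Added example: enforce "no CVV after authorisation" at the storage boundary
of a hypothetical payment service.  Field names and sample data are constructed."""
import json
import re

# Field names treated as sensitive authentication data (constructed list).
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}
# A 13-19 digit run on its own is treated as a possible unmasked card number.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits of a card number; mask the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(txn: dict) -> dict:
    """Return a copy of an authorised transaction that may be persisted:
    CVV-type fields are dropped entirely and the card number is masked."""
    stored = {}
    for key, value in txn.items():
        if key.lower() in CVV_FIELDS:
            continue  # never written anywhere post-authorisation
        if key.lower() == "pan":
            stored[key] = mask_pan(str(value))
            continue
        stored[key] = value
    return stored


def storage_violations(record: dict) -> list:
    """Audit a record about to be written (or already written): flag any CVV
    field and any string value containing an unmasked card-number-length digit run."""
    issues = []
    for key, value in record.items():
        if key.lower() in CVV_FIELDS:
            issues.append(f"cvv field present: {key}")
        if isinstance(value, str) and PAN_RE.search(value):
            issues.append(f"unmasked PAN in field: {key}")
    return issues


# Constructed sample transaction as it might arrive for authorisation.
SAMPLE_TXN = {"pan": "4111111111111111", "expiry": "12/29", "cvv2": "123",
              "amount": "199.00", "currency": "ZAR", "auth_code": "A1B2C3"}

if __name__ == "__main__":
    safe = scrub_for_storage(SAMPLE_TXN)
    print(json.dumps(safe))
    print(storage_violations(SAMPLE_TXN), storage_violations(safe))
```

Running the audit function over database rows, log lines or message-queue payloads is a cheap way to find CVV or full-card-number leakage that a scoping exercise missed.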
Ultimately, PCI DSS represents a standard for the reasonable protection of credit card data. In this way, it ties in with the Protection of Personal Information (PoPI) Act, which takes this same stipulation further to all personal information. As credit card users, people expect that merchants will protect their credit card information, as the consequences of a data breach can be catastrophic. Adhering to PCI DSS gives customers some assurance that global standards are in place from a minimum control point of view.
Adhering to PCI DSS standards is the responsibility of merchants, banks, service providers and all other parties along the chain of the payment system. The requirements for compliance differ according to the role each party plays in the chain of payment; however, responsibility for safeguarding information falls to everyone in the chain, including the cardholders themselves. This process needs to be proactive, as once a breach has occurred, the damage has already been done.
Compliance with PCI DSS requires large merchants to demonstrate the processes they have in place to protect card information, obtain a certification, and be audited on an annual basis to ensure continual compliance. Smaller merchants need to complete a self-assessment and submit a statement of compliance. This compliance is further driven by PASA, which will no longer issue a license for card transactions to any merchant that is not PCI certified. Certification needs to be proven annually in order for merchants to remain licensed to process credit card transactions; those that fail to do so risk losing business and income.
Ultimately PCI DSS represents best practice security standards, precautions and controls for the payment card industry. Compliance requires merchants to understand what is in scope, including all systems that are processing credit card information, and then map this to PCI requirements including physical security, network and application security, web interface security and more. This complex process benefits from engagement with a professional PCI service provider, who will be able to map the requirements of PCI to a merchant and provide guidance as to how best to achieve certification.
By Simeon Tassev, Director of Galix