Tiny Tips To Enhance Your Transaction Security
Keeping your customers’ identities secure may seem like second nature to merchants, but are they doing everything possible to keep them safe? With hackers getting smarter and more technical every day, keeping customer information private becomes a frequent worry, since lawsuits can arise in the event of a data breach.
Merchants are a primary target for criminals intent on stealing payment card information. Regardless of the possible future implementation of EMV, there remains an immediate need for increased security in the merchant community. There are viable solutions available today that enhance security and reduce fraud risk in our payment systems. These solutions can be implemented independently of EMV today, and should be utilized in combination with EMV when it becomes standard.
The key learning as it relates to the inherent vulnerabilities in each solution is that there is no magic bullet that solves for every aspect of data security. Layering the various components together is far more effective at thwarting fraud than using any single component individually. When enacted, EMV will solve for fraud at the card and cardholder level. Encryption protects card data in transit from the point-of-capture to authorization. Tokenization protects data-at-rest in post-authorization data stores and applications. And a variety of merchant-level tools and technologies protect against card-not-present fraud. All are needed to preserve the integrity of electronic payments and reduce the vast sums that are lost to payment fraud today.
Where EMV primarily focuses on card fraud at the consumer level or in the consumer-merchant exchange, the dual-technology solution of encryption + tokenization solves many of the other data security problems specific to the merchant community.
Start with encryption...
Anytime that live cardholder data is in the clear, it is extremely vulnerable to theft. Of course, cyber thieves know this and they look for ways to grab a copy of that data for nefarious use. For example, it’s possible for a thief to siphon off the card data as it is transmitted in plain text from a card reader to the POS server or the merchant’s central server.
The first leg of the data security solution, encryption, protects card data from the point-of-capture and maintains this protective state throughout the transaction. Encryption is the process of using algorithmic schemes to transform plain text information (i.e., the PAN) into a non-readable form called ciphertext. A key (or algorithm) is required to decrypt (or unencrypt) the information and return it to its original plain text format.
The point-of-capture can be the swipe of a magstripe card; the insertion, tap or wave of a chip-enabled card or other payment instrument; or the manual entry of data into a terminal (such as when a sales clerk types the account number) or into a web-based form (such as for E-commerce). Once encrypted, any data that may be intercepted within the merchant’s POS system or during transmission to the acquirer/processor cannot be used without the master key, which itself is safely stored in the processor’s vault.
Encryption of either the data itself or the transmission path the data takes along the network, or both, can vastly reduce the vulnerability of the data, which in turn reduces a merchant’s business risks.
And...then Tokenization
The second component of the solution, tokenization, returns a “token” to the merchant in lieu of the live credit card number in the authorization response. Tokenization is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. To tokenize a payment transaction, the PAN is sent to a centralized and highly secure server called a “vault” where it is stored securely in a PCI-compliant environment. Immediately after authorization from the card issuer, a random, unique, token number is generated and returned to the merchant’s systems for use in place of the PAN. A secure cross-reference table is established to allow authorized look-up of the original PAN, using the token as the index. Without authorization to access the vault and look up the PAN, the token value is meaningless; it’s just a random number. If the token is stolen or otherwise accessed by an unauthorized user, it alone cannot be used to perform a monetary transaction.
The token can be used just like the original card number for business functions such as returns, sales reports, marketing analysis, recurring payments, and so on, but cannot be used to conduct a fraudulent transaction outside the merchant environment. The aim of tokenization is to remove the card information from the merchant environment as completely and quickly as possible (thus addressing the root cause of data security issues) while maintaining existing business processes.
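The sketch below is an added example, not code from this article or from any tokenization provider: it walks through the flow just described with a toy in-memory vault. The class name TokenVault, the caller names and the test card number are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Toy in-memory stand-in for the processor-side vault (hypothetical)."""

    def __init__(self, authorized_callers):
        self._authorized = frozenset(authorized_callers)
        self._token_to_pan = {}  # cross-reference table, token is the index
        self._pan_to_token = {}  # assumption: one stable token per card

    def tokenize(self, pan):
        """Store the PAN and return a random surrogate of the same length."""
        # Sanity check only; the length range is an assumption of this sketch.
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Digits come from the OS CSPRNG, never from the PAN itself,
            # so the token reveals nothing without the table.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        # A real vault would encrypt the PAN at rest; plain dict for brevity.
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, caller):
        """Authorized look-up of the original PAN."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} may not read PANs")
        return self._token_to_pan[token]  # KeyError for unknown tokens


def demo():
    vault = TokenVault(authorized_callers={"settlement"})
    pan = "4111111111111111"  # constructed test number, not a live card
    token = vault.tokenize(pan)
    merchant_record = {"order": 1001, "card": token}  # merchant keeps token only
    try:
        vault.detokenize(merchant_record["card"], caller="web-frontend")
        leaked = True
    except PermissionError:
        leaked = False
    return token, vault.detokenize(token, caller="settlement"), leaked


if __name__ == "__main__":
    print(demo())
```

Because a repeat card maps to the same token, the merchant can still group orders by card for returns, reporting and recurring billing without ever holding the PAN.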
Fitting Encryption + Tokenization with EMV
The primary strength of EMV is its ability to perform authentication of the cardholder, which happens to be the primary point of fraud vulnerability in an end-to-end encryption + tokenization solution. At the point of sale, cardholder verification and issuer authentication begin at the issuer, through card personalization, even before the consumer presents the card to a merchant POS. This expands the scope of end-to-end security to include the card itself.
The security capabilities of an encryption + tokenization solution are complementary to those delivered by EMV and are relevant to merchants regardless of a potential future EMV adoption. The need for additional protection is echoed by the PCI Security Standards Council, which states: “native EMV transaction data requires protection beyond what is inherently provided by EMV itself.”
With an integrated encryption + tokenization solution, a software-based implementation of encryption can be installed on the majority of PCI-compliant terminals or point-of-sale systems to protect card data in transit. The payment card information can be encrypted at the point-of-capture for secure transmission without the need for replacing existing hardware. For merchants concerned with making a capital investment that might be rendered obsolete if EMV becomes required in the U.S., software-based encryption offers the ability to protect one of the weakest points in their environment today without fear of the changes tomorrow might bring. If EMV does become standard in the U.S., merchants will be able to continue to use the encryption on the EMV-compatible terminals that they deploy, and tokenized data-at-rest will continue to secure data warehouses and storage devices.
The value of tokenizing payment data-at-rest in the merchant, acquirer, network and issuer environments cannot be overstated, and is relevant regardless of the existence of EMV-based security controls. A card-based tokenization solution offers merchants the ability to purge their entire environment of payment card information while still supporting existing business processes such as returns, recurring billing, and customer analytics. The merchant loses nothing except the risk associated with keeping the card data that had previously powered those processes.
Tools for Detecting and Preventing Fraudulent Transactions
Along with bringing in EMV at the POS and securing card data with encryption + tokenization, merchants need to address the issue of card-not-present fraud strategically, with additional security layers such as fraud protection solutions and increased verification methods. With the right tools and technologies, merchants can apply these strategies to safely conduct business online without simply accepting fraud as a “cost of doing business.”
Merchants of all sizes are susceptible to online fraud. Fortunately, powerful tools and technologies for fraud management are now available and affordable for all. Address Verification Service (AVS) and Card Verification Value 2 (CVV2) are two simple and common ways to verify the legitimacy of cardholders and cards in CNP situations. MasterCard Secure Code and Verified By Visa are other fraud prevention tools that are available, as well as sophisticated fraud management solutions that allow merchants to implement multiple functions within their business to help reduce CNP fraud, including:
• Automated transactional risk scoring, which involves calculating the potential fraud risk of a transaction based on multiple data factors. The calculated score serves as a relative risk indicator and determines “next steps” for that transaction according to a merchant’s preferred operating procedures.
• Real-time categorizing and resolution places transactions with risk scores exceeding certain thresholds into different categories for further action. Solutions that operate in-line with the payment authorization flow require minimal intervention by the merchant and streamline business processes.
• Post-purchase transaction management solutions allow merchants to review and analyze the transactions that fall between the “accept” and “reject” thresholds. This helps the merchant to resolve chargebacks and disputes efficiently as well as understand transaction trending over an extended period of time.
• Adjustments to fraud rules and parameters are useful because fraud trends evolve rapidly and detection tools need an equally quick response to remain effective. The anti-fraud tools should be referenced against reports and analytics on a regular basis, and merchant staff should be trained to react to immediate critical occurrences, such as a sudden attack from a fraud ring in a particular geographical location. These may require significant but temporary changes to the existing fraud settings.
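As an added illustration (not part of the original article or any vendor's product), the sketch below scores a card-not-present transaction from several factors, sorts it into accept, review or reject by threshold, and applies a temporary regional adjustment of the kind described in the last bullet. All factor names, weights, thresholds and country codes are assumed values.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions); each merchant tunes its own.
RULES = {"avs_mismatch": 25, "cvv2_mismatch": 35,
         "ship_bill_country_differs": 15, "high_velocity": 20}
ACCEPT_BELOW, REJECT_FROM = 30, 70


@dataclass
class Txn:
    avs_match: bool          # Address Verification Service result
    cvv2_match: bool         # CVV2 check result
    bill_country: str
    ship_country: str
    attempts_last_hour: int  # authorization attempts seen for this card


def factors(txn):
    """Names of the risk factors this transaction triggers."""
    checks = {
        "avs_mismatch": not txn.avs_match,
        "cvv2_mismatch": not txn.cvv2_match,
        "ship_bill_country_differs": txn.bill_country != txn.ship_country,
        "high_velocity": txn.attempts_last_hour > 3,
    }
    return [name for name, hit in checks.items() if hit]


def score(txn, regional_surcharge=None):
    """Relative risk indicator from 0 to 100."""
    total = sum(RULES[name] for name in factors(txn))
    # Temporary rule change, e.g. while a fraud ring is active in one region.
    total += (regional_surcharge or {}).get(txn.ship_country, 0)
    return min(total, 100)


def decide(risk):
    """Map a score to the next step in the merchant's procedure."""
    if risk < ACCEPT_BELOW:
        return "accept"
    if risk >= REJECT_FROM:
        return "reject"
    return "review"  # falls between the thresholds: manual review queue


if __name__ == "__main__":
    t = Txn(False, True, "AA", "AA", 1)  # constructed sample, codes are made up
    print(decide(score(t)), decide(score(t, {"AA": 20})))
```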
By integrating these fraud management tools into checkout processes, an E-commerce business of any size can become more empowered to fight fraud, and fraud management thereby becomes an intuitive, practical, controllable business process.
Key considerations when selecting a solution provider
The technologies and processes for secure transactions discussed above require a partnership with one or more solutions providers. Here are some key considerations when selecting a solution provider.
1. Uptime/reliability of the service – Merchants shouldn’t risk their business with a service that isn’t available when they need it. Even a few minutes of service downtime make it impossible for merchants to transact sales. A reputable solution provider should guarantee uptime with a Service Level Agreement contract and back up the agreement with proof of redundant systems. That is, if any part of the solution fails for any reason, there is an immediate (and unnoticeable to the merchants) cut over to a secondary computer component, system or facility. This ensures no disruption to the merchants’ businesses.
2. National Institute of Standards and Technology (NIST)-certified forms of encryption – It is critical to use an algorithm that has been certified through industry testing and validation. Vetting of encryption algorithms is a process that normally takes years, and the skills required are generally found only in academic or governmental settings. Note that many public or proprietary encryption algorithms have not been through the necessary cryptanalysis scrutiny from industry experts, and the resulting encryption will be only as effective as the encryption algorithm.
3. Token creation through strong random number generation – Predicting tokens produced from strong random number generators is nearly impossible. These secure, non-reproducible sources of true random numbers are designed to generate a sequence of numbers that lack any pattern, virtually ensuring that each token is sufficiently spontaneous and not projectable by fraudsters.
4. Technical specifications of the solution – Any solution for encryption and/or tokenization is going to be sophisticated. However, some technologies are far superior to others. For example, there are numerous types of encryption. Some require only one key to encrypt and decrypt the data, while others require two keys, one to encrypt and one to decrypt. Some keys are dynamic (constantly changing) while others are static. Any encrypted data that is stolen is better protected if the keys are dynamic or if separate keys are required to unlock it. In selecting a solution provider for security services, it’s important to get the details about the technical specifications and compare them to other solutions on the market.
5. Seamless integration with existing POS system – Merchants already have a significant investment in their POS systems. “Rip and replace” is not an attractive option. Therefore, any new data security measures will need to integrate with what is already in place. Still, there are differing definitions of “integration.” When selecting a solution provider, merchants should feel comfortable that the vendor can orchestrate a seamless integration between the POS and the security systems, with no disruption to business.
6. Pricing model – Merchants already spend a lot of money on data security. It’s an unavoidable expense to reduce business risk. Additional security measures such as encryption and tokenization aren’t free; however, they can offset other costs such as the dollars spent on lengthy PCI DSS assessments and remediation efforts, or worse yet, a breach. A security solution provider’s pricing model should be compatible with a merchant’s business; for example, a minimal upfront outlay to implement the new solution, with reasonable per-use service fees over time.
7. Track record – There is a reason many merchants are hesitant to outsource security: it’s hard to let go of something that can make or break a business. That’s why a service provider’s track record of avoiding system failures, data breaches and other lapses in delivery of the contracted service is a critical selection criterion.
8. Level of risk/responsibility assumed by the solution provider – Hand in hand with the service provider’s track record is the company’s willingness to assume certain business risks and responsibilities if a failure should occur. If the service provider truly is at fault for an incident, the merchant should not be held accountable for the results of the breach; for example, fraud due to stolen cardholder data.
The above criteria may actually be a “wish list,” but the issues are certainly worth bringing up for discussion with any potential solution provider.
Closing moments:
Data encryption and data tokenization are two emerging technologies that show great promise in the race to secure transaction processing systems and applications. Many Level 1 merchants are already enjoying the benefits of encrypting their cardholder data, and a few merchants have initiated data tokenization projects. Used as a one-two punch complement to each other, these two technologies can be especially effective at lowering the cost of PCI DSS compliance and validation by reducing the scope of the cardholder data environment.
Merchants aren’t expected to do this alone. The end-to-end card payment process includes many players: acquirers, ISOs, payment processors, card networks, etc. Merchants can look to these players to assist with cardholder data security, and in the process, help reduce the burden of PCI DSS compliance. I hope the above inputs are useful for people who are enhancing transaction security.
Written by Alexander .J
Founder Extract Magazine
Very cool article. Would be super cool to link back to the original author of the content, specifically the tokenization diagram underneath "And...then Tokenization". Thanks a bunch. Love the article.
Card Payment Solutions
It is really so important.