BankThink

Breach epidemic requires next-gen vetting of payment vendors


There’s a lot of news lately about the “hidden” risks of third-party data breaches in retail, banking and finance, and even tech companies such as Google.

Third-party security problems are now a factor in more than 60% of all data breaches, according to a recent study. Many companies aren’t concerned or don’t realize the risk until it happens to them, although the list of merchants hit with payment-data breaches grows all the time. A third-party payments solution needs to protect your customers’ payment data, reduce the scope of your liability in case of a breach, and help you develop a more proactive security mindset.

A surprising number of card-data breaches still arise from compromised point-of-sale systems, even after the U.S. EMV liability shift. For merchants still awaiting full activation of their POS EMV security features, such as the ability to require PIN entry rather than a signature, the liability issue remains.


Merchants who take mobile payments via smartphone need EMV-compliant card readers, too, because they’re often micro-businesses that can’t survive revenue loss and fines because of card fraud. A good PSP will take the time to explain the security features of the terminals and card readers they support and recommend, and they’ll let you know how they manage software patches and updates, too.

Your payment service provider should go beyond the basics of system security and EMV compliance to shield your transaction data from thieves. The industry standards in this area are data tokenization and point-to-point encryption (P2PE) for all of a merchant's non-cash transactions, regardless of channel. Tokenization replaces cleartext card data with surrogate tokens so that the payment information itself never travels through, or sits in, the merchant's transaction systems. Point-to-point encryption turns card data into ciphertext at the terminal so that only the key holders can access the data. When tokenization and encryption work together, they provide a strong defense against transaction-data theft.
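As an added illustration (not part of the article or any particular PSP's product), the following shows how P2PE and tokenization together keep cleartext card numbers out of a merchant's systems, plus the scan a PCI scope review would run to confirm it. The HMAC-based keystream is an assumed stand-in for the terminal's hardware-managed encryption (real terminals use DUKPT-style AES keys injected at the factory), and the test PAN and token format are constructed.

```python
import hashlib, hmac, re, secrets

PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; card-data scanners use it to cut false positives."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256: an assumed stand-in for the terminal's AES/DUKPT."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

class Terminal:
    """P2PE: the PAN is encrypted as it is read; the merchant only relays opaque bytes."""
    def __init__(self, key: bytes): self._key = key   # injected key, not readable by the merchant
    def read_card(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(12)
        return nonce + _xor(pan.encode(), self._key, nonce)

class PSP:
    """Holds the P2PE key and the token vault; neither is exposed to the merchant."""
    def __init__(self, key: bytes):
        self._key, self._vault = key, {}
    def authorize(self, blob: bytes) -> dict:
        pan = _xor(blob[12:], self._key, blob[:12]).decode(errors="replace")
        if not luhn_valid(pan):
            raise ValueError("corrupt or tampered P2PE blob")
        token = "tok_" + secrets.token_hex(16)   # random; carries no PAN information
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}
    def refund(self, token: str) -> str:
        return self._vault[token][-4:]           # the PAN stays inside the vault

def scan_for_pans(records) -> list:
    """The check a PCI scope review runs: Luhn-valid, PAN-shaped values in merchant data."""
    return [m for rec in records for v in rec.values()
            for m in PAN_CANDIDATE.findall(str(v)) if luhn_valid(m)]

def demo(pan: str = "4111111111111111") -> tuple:   # constructed test PAN
    key = secrets.token_bytes(32)
    term, psp = Terminal(key), PSP(key)
    order = {"order_id": 1001, **psp.authorize(term.read_card(pan))}  # what the merchant stores
    return order, scan_for_pans([order])
```

Running `demo()` returns the merchant's stored order record (token and last four only) and an empty scan result, which is the outcome a reduced PCI-DSS scope depends on.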

With so much attention focused on securing digital data movement, it’s easy to overlook the role of physical security in avoiding breaches. The fact is, thieves can and do steal unguarded servers and computers to capture and sell the data they contain. A 2015 SANS Technology Institute report stated, “Physical security breaches can result in more issues for an organization than a worm attack.” That’s because not only is the data compromised, but also because system operations may be halted or slowed when equipment goes missing.

The report recommends three server-room countermeasures for general physical security: user-specific access cards, biometric access tools, and human training and awareness. SANS notes that military and government data centers may have armed guards, and some payment processors take this additional server-room security step, too, and may run video surveillance. Ask each payment service provider you're considering (and other third-party vendors, too) about their data-center security practices.

The ideal PSP combines reliable service and reasonable rates with a major reduction in the scope of your Payment Card Industry Data Security Standard compliance requirements. Many owners of small and new businesses aren’t clear on what PCI-DSS is or how to comply. In short, all merchants who process card payments must follow a particular set of data protection practices, based on the size of the business and its transaction volume. Merchants who don’t comply may be liable for tens of thousands of dollars in lost revenue and fines in the event of a card-data breach.

To come into compliance and reduce their financial liability, merchants can complete a self-assessment offered by PCI and follow the compliance steps themselves; hire a PCI-approved qualified security assessor to handle the assessment and sign off on compliance; or work with a payment processor that is fully PCI-DSS compliant.

The last option shifts much of the compliance burden and liability from your company to the PSP. If the PSP is also qualified to help merchants assess and validate their reduced PCI-DSS compliance scope, that takes even more of the burden off your company.

The best payment service providers will help reduce your PCI compliance burden while offering the latest data-protection services, recommending the most secure hardware for your physical points of sale, and providing your business with a secure payment gateway. They’ll also go above and beyond to physically safeguard your data that’s on their servers, and they’ll be happy to talk with you about your security questions and concerns because compliance and security are central to their business.

A good relationship with your PSP can also help you develop a proactive security mindset when you’re selecting other third-party vendors and reviewing your internal security practices, too. That benefit goes beyond payments to company-wide security at no extra charge.
