IS YOUR CUSTOMERS' PAYMENT DATA REALLY THAT SAFE? A Chase Paymentech Paper

A data breach has the potential to cost retailers millions in lost customers and sales. In this paper we discuss a number of possible threats to your customers' data, as well as some simple measures that can be employed to help better secure your customers' payment details.

The introduction of the Payment Card Industry Data Security Standard (PCI-DSS) ten years ago has made a significant contribution to protecting customers and e-commerce retailers alike from increasingly sophisticated criminals determined to steal personal information [1]. E-commerce sites remain the primary target for data breaches, accounting for 48 per cent of incidents investigated annually [2]. Why? Because payment information is the kind of data that criminals can most profitably sell and convert into cash [3].

The rapid growth in e-commerce and m-commerce has created additional risks for retailers. In a bid to understand shopping behaviour and anticipate customers' needs, it has become more important for retailers to analyse data. This can result in sensitive personal details about customers and their payment cards being stored and used in more places within an organisation, and possibly also shared with partners in the supply chain. In this short white paper, we take a look at three business risks affecting e-commerce retailers in today's data-rich environment and consider some techniques that could form an essential part of an effective data security strategy.

GROWING BUSINESS RISKS

1. GROWING FINANCIAL RISK OF A DATA BREACH

Worryingly, the number of companies suffering data breaches has increased in recent years [4], despite record levels of PCI-DSS compliance [5]. Even large, high-profile retailers have fallen victim to malicious attacks, which have grown in complexity and sophistication. Such breaches can result in the loss of millions of customer payment card details, passwords and other personal information. The average loss from a data breach for companies in Germany, the US and the UK now stands at US$4.8 million (€3.67 million), US$5.4 million and US$3.1 million (£2.04 million) respectively [6]. The proportion of the total cost resulting from lost business ranges from 36 per cent in Germany to 56 per cent in the US, with the remaining costs covering the investigation of and response to each breach [7].

[Figure: total average cost of UK data breaches, £ millions, 2007 to 2012 [8].]

2. DATA, DATA EVERYWHERE

Successful multi-channel retailers rely on data analytics to generate customer insights, which can enable them to deliver a more personalised and relevant customer experience. However, the analysis of customer transactions and behaviour can make it both more costly and more difficult to secure payment data as it moves around a retail business. Data held by a retailer within its own servers, business systems and applications ("at rest") is often at greater risk of being breached than data passing through the payment system itself ("in transit") [9]. The growing number of applications using this data, whether at rest or in transit, can include customer relationship management (CRM), ERP, customer loyalty, data warehouse analysis, one-click purchasing and repeat or recurring payments. For PCI-DSS purposes, every system that stores, processes or transmits this cardholder data, even in encrypted form, is in scope and must be covered by the annual assessment wherever the data resides.

As more data moves within and outside a business (in particular data shared with supply chain partners), tracking and securing it can become unsustainable, and greater effort, resources and time are spent every year simply to stay PCI-DSS compliant.

3. NEW TECHNOLOGY THREATS WITHIN THE BUSINESS

According to the Verizon Data Breach Investigations Report, over the past three years 67 per cent of retail and hospitality breaches involved some form of malware and 76 per cent involved hacking [10]. However, breaches arising from human error, system glitches or business process failures can be just as common: for example, unencrypted data on a lost laptop, or data emailed to an employee's home account, which is generally less well protected than the work environment. The latest version of PCI-DSS (version 3.0), which came into effect on 1 January 2014, includes new provisions for the growing volume of mobile transactions, the increased use of cloud computing and virtualisation, employees using their own devices at work and the potential rise of malware on Linux platforms (the operating system frequently used by today's web servers) [11]. These developments in retail technology and computing can make it more challenging to secure payment data or to monitor and track its flow around a business. In some cases a breach goes unnoticed for weeks, months or even years [12], and the longer it takes to discover a breach, the greater the damage and cost to the firm and its customers.

HELP IS AT HAND

The increased complexity of PCI-DSS compliance may lead many retailers to consider alternative ways to secure their payment data and reduce the annual burden of compliance. Two methods in particular are recognised as valuable and effective ways to achieve this goal.

TOKENISATION: PROTECTING YOUR STORED DATA

This technology addresses cardholder data at rest by replacing the primary account number (PAN) and other sensitive data with alternative identifiers (tokens). Done properly, a token is worthless to a fraudster: it cannot be used to make a payment, and because it is generated at random, or under a key held only by the tokenisation provider, it cannot be reversed to the original PAN without access to the provider's token vault. (A token produced by simply hashing the PAN does not meet this bar: the space of valid card numbers is small enough to brute-force.) Tokenisation can remove many systems that handle customer data from the scope of PCI-DSS compliance, saving time, effort and scarce resources. However, the chosen tokenisation approach must be compatible with your existing payment applications, business systems and processes, so that the data remains accessible and useful to your business. Card brands such as Visa, MasterCard and American Express are committed to tokenisation as a way of stemming the rising tide of costly data breaches, and nearly half of the e-tailers recently surveyed by Chase Paymentech [13] recognised that tokenisation is useful for PCI-DSS compliance.

HOSTED PAYMENT PAGE: PROTECTING YOUR ACCEPTANCE DATA

Tokenisation generally takes place after authorisation, so it does not address security and compliance at the initial acceptance stage. One effective solution there is a hosted payment page, which can take the form of either a separate web page or an individual order form hosted on the payment provider's secure site. Customers enter their confidential payment data directly into this environment and the transaction proceeds as usual. Because the payment data is neither received nor stored by the merchant's systems, this approach can help address PCI-DSS compliance requirements. The merchant's own web server remains a target, however: an attacker who can alter the page that links to or embeds the hosted form can send customers somewhere else, so it must still be protected.
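The following Python sketch is an added illustration, not code from the Chase Paymentech paper and not a description of any Chase Paymentech product. It shows the mechanics behind the tokenisation described above: a hypothetical token vault (`TokenVault`) that replaces a PAN with a random, format-preserving token that keeps the last four digits and deliberately fails the Luhn check; a keyed lookup so that the same card can be mapped to the same token every time (the multi-use tokens the next section asks about) or to a fresh one per transaction (single-use); and a detokenisation path that only the provider's authorisation flow would be allowed to call. The class and function names, the lookup key and the test card number are constructed for the example; in a real deployment the vault, its key and the PAN store sit inside the provider's PCI-DSS scope and the merchant holds only the tokens.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check: from the right, double every second digit and sum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """A plausible card number: 13 to 19 digits that pass the Luhn check."""
    return 13 <= len(value) <= 19 and value.isdigit() and luhn_valid(value)


class TokenVault:
    """Hypothetical token vault (constructed for this example).

    The vault, its lookup key and the PAN store would live inside the token
    provider's PCI-DSS scope; the merchant keeps only the tokens it is given.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._lookup_key = lookup_key   # in practice held in an HSM, never on a merchant system
        self._pan_by_token = {}         # token -> PAN; would be encrypted at rest
        self._token_by_ref = {}         # keyed reference of PAN -> token (multi-use lookup)

    def _reference(self, pan: str) -> str:
        # Keyed HMAC rather than a plain hash: there are few enough valid PANs
        # that an unkeyed SHA-256 of a PAN can be brute-forced back to the card.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Random token, not derived from the PAN. It keeps the PAN's length and
        # last four digits so existing systems and receipts keep working, and it
        # deliberately fails the Luhn check so it can never be mistaken for, or
        # submitted as, a real card number. (Design choice for this example.)
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        """Return a token for `pan`.

        multi_use=True returns the same token every time the same card is seen,
        which is what CRM, loyalty and analytics need to follow one customer
        across orders. multi_use=False mints a fresh token per call (a one-time
        token), which is appropriate when transactions must not be linkable.
        """
        if not looks_like_pan(pan):
            raise ValueError("not a plausible PAN")
        ref = self._reference(pan)
        if multi_use and ref in self._token_by_ref:
            return self._token_by_ref[ref]
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        if multi_use:
            self._token_by_ref[ref] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Only the provider's authorisation path should reach this."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))  # constructed key
    pan = "4111111111111111"  # well-known test number, constructed input
    t1 = vault.tokenize(pan)
    t2 = vault.tokenize(pan)
    print(t1, t2, "same token:", t1 == t2, "round-trips:", vault.detokenize(t1) == pan)
```

The lookup table is keyed by an HMAC under a vault-held key rather than by a plain hash of the PAN: with a known six-digit BIN there are only about a billion Luhn-valid candidates for a 16-digit card number, so an unkeyed hash would let anyone who obtained the table recover the cards by brute force, which is exactly the failure the section's "done properly" is guarding against.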
In our survey, 65 per cent of retailers recognised that hosted payment pages are useful for PCI-DSS compliance, yet only 39 per cent of them already use a third-party hosted payment page [14].

WHICH SOLUTION IS RIGHT FOR MY BUSINESS?

Since business environments and system architectures vary greatly, it is advisable to discuss with your acquirer which solution will best complement your business model. Questions worth asking:

Is your tokenisation process compatible with your data analysis? Ensure that the structure of your tokenisation system lets you continue to track multiple uses of a particular customer or card as part of any big data initiatives.

Is the architecture of the tokenisation system scalable? Your PCI-DSS merchant level, and therefore the validation effort required, depends on transaction volume. As your company grows, this may affect the architecture of your solution.

What information will be associated with the token? Some systems allow a complete customer profile to be linked to the token, so that the customer name, address, email address, AVS country code, amount, order description and order ID, as well as the card's expiry date and other payment information, remain available for data analysis without the PAN itself.

Will tokens need to be single-use (one-time tokens) or multi-use? If you want to track the behaviour of individual customers, you may need the same token to be returned every time the same card is used, especially if you have extensive CRM or loyalty programme applications.

Will your chosen hosted payment page share a consistent brand with the rest of your e-commerce site? The latest hosted payment solutions use dynamic designs that are automatically updated to ensure a single, seamless customer experience.

Can you customise or personalise your hosted payment page? Ensure that you are able to change the fields and functions within the hosted payment page to reflect the rest of your site, such as the customer's first name or the card brands you offer.

Does your payment provider enable you to automatically update expired cards? Such functionality refreshes stored account numbers and expiry dates when a card is reissued, so that returning customers can complete checkout without you having to contact them.

TO LEARN MORE ABOUT HOW YOU CAN KEEP UP WITH YOUR MULTI-CHANNEL CUSTOMERS, PLEASE CONTACT: UK 0845 399 1120 or visit: www.chasepaymentech.co.uk

FOR FURTHER INFORMATION ABOUT PCI-DSS COMPLIANCE AND DATA SECURITY, VISIT:

PCI Security Standards Council: Data Security Standard, Requirements and Security Assessment Procedures, Version 3.0 (November 2013)
Visa: Best Practices for Tokenization (July 2010)
PCI Security Standards Council: Information Supplement, PCI DSS Tokenization Guidelines (August 2011)
MasterCard press release: MasterCard, Visa and American Express Propose New Global Standard to Make Online and Mobile Shopping Simpler and Safer (1 October 2013)
EMVCo: EMV Payment Tokenisation Specification, Technical Framework (March 2014)
PCI Security Standards Council: Information Supplement, PCI DSS Cloud Computing Guidelines (February 2013)

Chase Paymentech, the global payment processing and merchant acquiring business of JPMorgan Chase & Co. (NYSE: JPM), is a leading provider of payment, fraud and data security solutions, capable of authorising transactions in more than 130 currencies. Chase Paymentech provides payment expertise that helps sustain and power long-term growth. We also offer advice on how to mitigate the risk of data theft and minimise your PCI-DSS obligations with security solutions that will protect your customers' account details. In 2013, Chase Paymentech processed 35.6 billion transactions with a value of $750.1 billion.

Chase Paymentech Europe Limited, trading as Chase Paymentech, is a subsidiary of JPMorgan Chase Bank, N.A. and is regulated by the Central Bank of Ireland. Registered Office: EastPoint Plaza, Second Floor, EastPoint Business Park, Dublin 3, Ireland. Registered in Ireland with the CRO under No. 474128. Directors: Shane Fitzpatrick, Kevin Moran, Daniel Charron (US).

The information herein or in any document attached hereto does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients; any recipient of this downloadable document shall make its own independent decision. This downloadable document and the information provided herein may not be copied, published or used, in whole or in part, for any purpose other than as expressly authorised by Chase Paymentech Europe Limited. © 2014, Chase Paymentech Europe Limited. All rights reserved.

REFERENCES

[1] Verizon: 2014 PCI Compliance Report
[2] Trustwave: 2013 Global Security Report (2013), figure 3
[3] Verizon: 2014 PCI Compliance Report, page 6
[4] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013)
[5] Verizon: 2014 PCI Compliance Report
[6] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013), figure 3
[7] Ponemon Institute: 2013 Cost of Data Breach Study: Global Analysis (May 2013), figures 15-18
[8] Ponemon Institute: 2013 Cost of Data Breach Study: United Kingdom (May 2013), figure 2
[9] Verizon: 2014 PCI Compliance Report, page 21
[10] Verizon: Research Report, Threat Landscape: Retail, Accommodation and Food Services (2013)
[11] Verizon: 2014 PCI Compliance Report, page 26
[12] Verizon: 2013 Data Breach Investigations Report (2013), figure 5: 66% of breaches took months or even years to discover
[13] Dynamic Markets: CNP Payment Challenges in 2014 (March 2014)
[14] Dynamic Markets: CNP Payment Challenges in 2014 (March 2014)