By Stephen Keenan, Managing Director of Large Enterprise at Verizon.
It's approaching that time of year again. Summer is over and the festive season is just around the corner. This period is crucial to many retail and hospitality businesses, and they are crossing their fingers that 2017 will be a bumper year.
Whatever this holiday season brings, one thing is for sure: a significant portion of consumer spending is likely to be done online. European ecommerce is forecast to reach around €602 billion in 2017, and Western European countries continue to lead the way, with the UK topping the list at approximately 33% of European online sales. In the mature ecommerce markets, the proportion of consumers shopping online in 2016 was highest in the UK with 87%, closely followed by Denmark at 84% and Germany at 82%.
Shopping on mobile devices is also rising in popularity, and purchases now often involve multiple devices. A consumer might research a purchase on their laptop, check availability on their smartphone, and pay using their smart device.
With the shift towards omnichannel retail experiences, it's important that businesses keep customer data, including payment card data, secure across devices and channels.
The evolution of card security
Credit and debit cards have been around since the 1950s and 1970s, respectively, and over the years various security measures ranging from holograms to sophisticated electronic features have been added. These measures have made it harder to use stolen cards and create counterfeit cards. But criminals haven't just given up. They've shifted their attention towards Card Not Present (CNP) attacks. These include transactions made over the phone or online—the latter being a particular target, driven by the rapid rise of ecommerce.
To address this growing form of crime, card brands are experimenting with a number of new card features. These include cards that have an electronic display, generating a new code every 30 seconds. So far, the only one to have made it to widespread use is 3D Secure—a form of two-factor authentication. When an online transaction is attempted, the cardholder is presented with an additional form asking for a password—if they haven't created one yet they must enter additional personal information, like date of birth, to create one.
As well as changing cards, issuers are looking at how fraud detection can be improved. This has the benefit of being invisible to the user, so it won't put them off making transactions. One promising method is using location data from the user's smartphone to verify that they are where the transaction is happening. If not, the transaction can be blocked or additional verification requested.
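The location check described above, as an added example that is not Verizon's or any issuer's code: it compares the merchant-reported transaction location with the last fix from the cardholder's phone and returns allow, step-up or block. The distance thresholds, the freshness limit and the coordinates are assumptions constructed for the illustration.

```python
"""Location-based fraud check for an online transaction (added example).

Assumptions (not from the article): a fix older than 15 minutes is treated as
unknown; within 50 km the transaction is allowed; between 50 and 500 km the
issuer asks for additional verification; beyond 500 km it is blocked.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_FIX_AGE_S = 15 * 60     # assumed freshness limit for the phone's location
ALLOW_KM = 50.0             # assumed: phone is "where the transaction is"
STEP_UP_KM = 500.0          # assumed: beyond this, block outright


@dataclass(frozen=True)
class Fix:
    lat: float   # degrees
    lon: float   # degrees
    ts: int      # unix seconds when the fix was taken


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def decide(tx_location: Fix, phone_fix: Optional[Fix], now: int) -> str:
    """Return 'allow', 'step_up' or 'block' for the transaction.

    A missing or stale phone fix is not evidence of fraud, so it leads to
    additional verification rather than a block.
    """
    if phone_fix is None or now - phone_fix.ts > MAX_FIX_AGE_S:
        return "step_up"
    distance = haversine_km(tx_location, phone_fix)
    if distance <= ALLOW_KM:
        return "allow"
    if distance <= STEP_UP_KM:
        return "step_up"
    return "block"


# Constructed sample coordinates (approximate city centres) for the demo.
LONDON = Fix(51.5074, -0.1278, 1_509_500_000)
LONDON_CITY = Fix(51.5155, -0.0922, 1_509_500_000)
PARIS = Fix(48.8566, 2.3522, 1_509_500_000)
NEW_YORK = Fix(40.7128, -74.0060, 1_509_500_000)

if __name__ == "__main__":
    now = 1_509_500_060  # one minute after the fixes above
    for name, phone in (("same city", LONDON_CITY), ("Paris", PARIS),
                        ("New York", NEW_YORK), ("no fix", None)):
        print(f"{name:10s} -> {decide(LONDON, phone, now)}")
```

The thresholds would in practice be tuned per issuer and combined with other signals; the point of the structure is that an absent signal degrades to step-up verification, never to an automatic approval.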
But adding security measures is just part of the answer. Retailers must make sure that they have robust security measures in place. Otherwise your customers' data may be left vulnerable—and a data breach could ruin anyone's Christmas.
Protecting data during and after the transaction
Retailers need to protect data during the transaction, after payment is made and when it's stored.
Our top recommendations for retailers are:
- Be vigilant for evidence of device tampering. Conduct regular checks of all devices that capture payment data. This should include training employees to recognise signs of tampering. And make sure that devices are stored securely when not being used.
- Encrypt data using the latest, more secure, methods. Websites and apps should be built using secure coding techniques and use the latest version of TLS. For in-person payments, point-to-point encryption (P2PE) protects data from the point-of-sale (POS) until it reaches a secure decryption environment.
- Make sure all methods of processing customers' payment cards (including those from third parties) have robust identification and access policies. This includes changing all default passwords, using strong authentication and making sure that users don't share accounts. Data shouldn't be kept longer than is absolutely required, or shared with people unless they need it to do their job. All simple security hygiene, but it's amazing how many companies get these basic things wrong.
- Invest in employees. They can be your greatest asset or your biggest weakness. Provide them with training so they can identify threats and raise the alarm, and monitor and measure the effectiveness of security controls. This is crucial to building a sustainable control system, one that stays effective as the company and the threat landscape change.
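The data-minimisation recommendations above (keep no more than is required, for no longer than is required) in working code, as an added example that is not Verizon's code: before a transaction record is persisted, sensitive authentication data is stripped, the PAN is truncated to the first six and last four digits, and a purge routine drops records past a retention window. The record layout, field names and 90-day window are assumptions made for the example; the card number is the well-known 4111... test number.

```python
"""Minimise and expire stored cardholder data (added example).

Assumptions (not from the article): records are dicts with a 'pan' field and
a timezone-aware 'captured_at'; the retention window is 90 days.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed retention window for transaction records

# Sensitive authentication data that must never be stored after authorisation.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so obviously malformed PANs are rejected before truncation."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; mask everything between."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def to_storable(record: dict) -> dict:
    """Return a copy of the record that is safe to persist."""
    out = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}
    if "pan" in out:
        out["pan"] = truncate_pan(out["pan"])
    return out


def purge_expired(records: list, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Drop records captured before the retention cutoff."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r["captured_at"] >= cutoff]


# Constructed sample input: what a capture device might hand to the application.
SAMPLE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cvv": "123",
    "track2": "4111111111111111=25121010000000000000",
    "amount": "19.99",
    "captured_at": datetime(2017, 11, 1, tzinfo=timezone.utc),
}
OLD_SAMPLE = dict(SAMPLE, captured_at=datetime(2017, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    stored = [to_storable(SAMPLE), to_storable(OLD_SAMPLE)]
    print(stored[0])
    kept = purge_expired(stored, datetime(2017, 12, 1, tzinfo=timezone.utc))
    print(f"{len(kept)} of {len(stored)} records retained")
```

Stripping fields by name is only as good as the field list, so in a real system the storable record should be built from an explicit allow-list of columns rather than by removing known-bad ones; the structure above keeps the example short while showing both the truncation and the retention check.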
Our research has found that cyberattacks target businesses of all sizes, and just one data breach could have a long-lasting impact on a company's reputation. PCI DSS compliance can help reduce the chances of cyberattacks within organisations, covering the above security measures, and many more.
Being compliant with PCI DSS doesn't guarantee protection, but it goes a long way. Of all the payment card data breaches that the Verizon Threat Research Advisory Center (VTRAC) team has investigated since 2010, not one organisation was 100% compliant when the breach occurred.
Keeping customer data safe isn't just about passing a test once. Security controls are being tested every day, and they need to be both robust and resilient. Customers put their trust in brands every time they make a purchase. Don't let them down.