Find out the answers to the most frequently asked questions about payment security
Whenever you process a card payment, you and your customer are sharing sensitive financial information, which needs to be protected.
With the increasing number of card transactions comes a growing number of opportunities for card fraud, so it is imperative that your customers' data is protected at every stage of their transaction.
As a business owner it is your responsibility to provide your customers with a secure payment experience. Failure to do so could not only result in a loss of custom, but you could also face hefty fines.
Let's get started with the fundamental information you need to know about payment security.
PCI-DSS is a worldwide set of industry requirements and measures set up to help businesses process card payments and store sensitive cardholder information securely, in order to reduce card fraud.
If you take card payments, you have to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). This is a mandatory security requirement for all businesses that take card payments, whether that is in person, over the phone or online.
PCI DSS applies to anyone involved in storing, processing or transmitting any cardholder data. What’s more, the standard doesn’t just apply to storing data electronically; it also covers manual processing and storage. You will belong to one of four merchant levels:
Level One – Any merchant processing over 6 million Visa or MasterCard transactions per year, or who has suffered an attack that resulted in an account data compromise, or who has been identified as Level 1 and must have compliance validated by an independent Qualified Security Assessor or by an internal audit signed by a company officer.
Level Two – Any merchant processing one to six million Visa or MasterCard transactions per year.
Level Three – Any merchant processing 20,000 to one million Visa or MasterCard e-commerce transactions per year.
Level Four – Any merchant processing fewer than 20,000 Visa or MasterCard transactions per year. Or all other merchants processing up to one million Visa or MasterCard transactions a year.
To find out more about PCI-DSS compliance, including the requirements, take a look at our list of PCI-DSS Frequently Asked Questions.
Card fraudsters want card data, as quickly and as easily as possible, so they can monetise it. They use malicious software to harvest data from point-of-sale (POS) applications.
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. P2PE encrypts the data from the very first moment it enters your systems, which means that, if that is the only way card data enters your environment, you will never see sensitive cardholder data in the clear. This helps reduce your risk in the event of a breach, the associated costs (e.g. lost revenue, reputation, trust), as well as your PCI scope.
Adopting P2PE is the most secure way merchants can process card transactions. The majority of card fraud involves malware that harvests the card data from the memory of the Point of Sale (POS) application. By encrypting the card data on the PIN Entry Device (PED) and holding the means to decrypt it only at the service provider (such as PXP), POS memory-scraping attacks are rendered impossible.
Behind the scenes, each PIN entry device has a secure encryption key within it. We manage these keys from our secure datacentre and deploy them via remote key injection.
We operate P2PE as a managed service for our customers either as an application or as a full solution. Both have been tested by trained P2PE assessors accredited by the Payment Card Industry Security Standards Council (PCI SSC) against the standard. These options are:
For more information on these options, including the pros and cons of each, we have created this guide: Point to point encryption (P2PE): Application or Solution?
Tokenisation replaces sensitive cardholder information with a unique digital identifier called a token. The token allows payments to be processed without exposing actual account details that could potentially be compromised.
The creation of tokens does not significantly impact transaction processing time, meaning there’s virtually no impact on the speed of service during busy shopping times. It can also be activated retrospectively on stored card details. This simplifies compliance with data security requirements, and also delivers operational, cost and marketing efficiencies.
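To make the mechanism concrete, here is an added illustration (not PXP's code, and not taken from this page) of a hypothetical in-memory token vault: tokens are random values that reveal nothing about the card number beyond the last four digits, only the vault can map a token back, and a helper shows the retrospective tokenisation of already-stored records. The PAN used is the well-known Visa test number, and the vault key is a constructed placeholder.

```python
import hmac
import secrets
from hashlib import sha256


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: the cheapest way to reject obviously mistyped PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault standing in for the provider-side system that alone
    can map a token back to a card number; it lives inside the provider's PCI scope."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key     # secret for the lookup index, so PANs are not dict keys
        self._token_to_pan = {}         # token -> PAN (the only place the PAN is kept)
        self._index = {}                # HMAC(PAN) -> token, to reuse tokens for a known card

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, pan.encode(), sha256).hexdigest()
        if idx in self._index:          # same card always yields the same token
            return self._index[idx]
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"   # random, last four kept for receipts
        self._token_to_pan[token] = pan
        self._index[idx] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the provider calls this, when the real PAN must be sent to the card scheme."""
        return self._token_to_pan[token]


def tokenise_stored_records(vault: TokenVault, records: list) -> list:
    """Retrospective tokenisation: swap the PAN out of already-stored customer records
    so the merchant's own database keeps nothing but tokens."""
    return [{**r, "pan": None, "token": vault.tokenise(r["pan"])} for r in records]


# Constructed sample data: the Visa test number, not a real card.
SAMPLE_RECORDS = [{"customer": "A. Smith", "pan": "4111111111111111"},
                  {"customer": "B. Jones", "pan": "4111111111111111"}]
```

Because the token is random rather than derived from the PAN, a stolen copy of the merchant's tokenised records is useless without access to the vault.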
Accepting card payments is a necessary part of running a retail business. But storing, processing and transmitting card data comes with risks. We have compiled a list of payment security awareness tips and tricks that should be common knowledge.