As more companies adopt new ways to streamline their businesses, cybercriminals are becoming savvier in how they illegally access sensitive information and compromise secure payment processes, leaving businesses to deal with the financial and reputational damage.
Secure payments are still a concern in the UK despite proactive measures such as Chip and PIN for payment security and legislative efforts such as the General Data Protection Regulation (GDPR). The global retail and hospitality industries, for example, lost £9.3m and £5m respectively to cybercrimes in 2017.
This article takes a look at trends in today’s payments security landscape, with insights and advice from industry experts on how to safeguard your payments infrastructure.
Businesses targeted by cybercriminals
Rob May is the managing director of Ramsac and a cybersecurity expert. He says: “I think the press misreports how targeted [businesses] are. I think the reality is that everybody is a target.
“Eighteen months ago, the FBI said there were two types of organisations: those that have suffered a cyberattack and those that will. And then more recently they’ve revised that statement to two types of organisations: those who have suffered a cyberattack and those that don’t know they have.
“The key thing is that we now know that when a firm is breached, it could be months or years for cybercriminals to actually have their payday. They are infiltrating organisations and understanding how they operate and what their line of command is. It’s growing more sophisticated and the amount of spend on cybersecurity services is growing.”
The growing market for cybersecurity is an indicator of how UK businesses have prioritised data security. The estimated size of the security management segment in 2017 was £612m.
By sector, retail and wholesale businesses spent an average of £2,940 on cybersecurity in 2018, while food and hospitality businesses spent an average of £900. Globally, the cybersecurity market is expected to reach £231bn in 2020, a £100bn increase from 2017.
Big payment security threats
Email phishing and CEO fraud (fraudulent emails from someone posing as an authorised person, such as the company CEO, soliciting money or information) are the biggest threat to UK businesses this year. “In the UK, there’s a successful whaling attempt every 15 minutes where money is transferred out of the corporate account,” Rob says.
A recent study shows that of the cybersecurity breaches in 2018, 75% involved fraudulent emails or attempts to drive traffic to fraudulent sites, 24% involved viruses, spyware or malware, and 28% involved impersonators either online or via email (the categories overlap, so the figures do not sum to 100%).
Judging by recent data compromises among big retail and travel brands in 2018, today’s points of vulnerability run the gamut:
- Dixons Carphone confirmed in July that the details of 105,000 payment cards that lacked Chip and PIN protection had been compromised. Investigations are still pending.
- Rail Europe confirmed in April that its online payment system had been breached over a three-month period. It took three months to identify the malware that may have compromised sensitive payment information and personal data.
The cost of payment security (or lack thereof)
The growing cybersecurity market indicates how important it is to businesses and how much of a risk it is to forgo protection. In the UK, 17% of businesses say they have experienced a cybersecurity attack or breach once per month over the past 12 months. Cyber and security breaches are the third biggest threat to retail growth according to 32% of surveyed C-level execs.
Cybersecurity breaches cost medium businesses £8,180 per occurrence, while 67% have experienced a cybersecurity breach in 2018. Meanwhile, 79% of medium businesses have sought information, advice or guidance in the past 12 months on the cybersecurity threats faced by their organisation.
Three ways technology can provide secure payments
Payment structures for hospitality and retail are inherently complex: the systems that run and feed these businesses are varied, and the channels that carry and store sensitive payment information are complicated. Because of this exposure, proper payment security needs to extend beyond PCI DSS compliance.
Your solution, Rob advises, should address those complex angles, ensure employees and customers understand the security measures and checkpoints in place, and employ the right security tools to add layers when human errors occur. At the basic level, there’s a combination of three technologies hospitality and retail businesses can use to protect payment data.
1. Point-to-point encryption
Encryption, which transforms data into a form that cannot be read without the corresponding key, is a widely used control for data that is transferred electronically. In the UK, 37% of businesses encrypt personal data as a cybersecurity control.
Rob says: “The tech solutions continue to evolve. If you go back only a few years, the extent of protection was just a firewall and antivirus software. Now you have digital behaviour analysis, web filtering, email filtering and so on.”
For elevated payment security, payment providers offer point-to-point encryption (P2PE), a standard defined by the Payment Card Industry Security Standards Council for validated solutions that encrypt card data inside the payment terminal, at the moment the card is swiped, dipped or tapped or the number is keyed in, and keep it encrypted until it reaches the provider’s secure decryption environment.
The card data is never readable by the retailer or anyone else in between, because the merchant’s systems hold no decryption key. Once the encrypted data reaches the payment processor’s secure decryption environment (typically a hardware security module), it is decrypted back to the original card number and forwarded for authorisation by the issuing bank. Because clear-text card data never touches the merchant’s own systems, a validated P2PE solution also takes much of that environment out of PCI DSS scope.
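To make the P2PE flow concrete, here is an added example (not code from the article or from any payment provider) of the three parties involved: the terminal encrypts under a per-transaction key, the merchant’s point-of-sale system only relays an opaque blob, and the processor re-derives the key from a base derivation key it alone holds. Real terminals use AES under DUKPT keys inside a PCI PTS device; here HMAC-SHA256 stands in as the pseudo-random function (counter-mode keystream plus an encrypt-then-MAC tag) so the example runs with the Python standard library only. The names `bdk`, `ksn` and `terminal_id` follow DUKPT terminology but the derivation is a simplified stand-in, and the PAN used is a constructed test number.

```python
"""Point-to-point encryption (P2PE) flow, illustrated with stdlib primitives.

Added example, not from the original article. HMAC-SHA256 in counter mode
stands in for the AES/DUKPT scheme a real PCI P2PE solution uses; the key
hierarchy (BDK -> terminal key -> per-transaction key) is simplified.
"""
import hashlib
import hmac
import struct


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_terminal_key(bdk: bytes, terminal_id: str) -> bytes:
    """Initial key injected into one terminal at manufacture.
    The processor can re-derive it from the BDK; the merchant never holds it."""
    return _prf(bdk, b"IK|" + terminal_id.encode())


def derive_txn_key(terminal_key: bytes, counter: int) -> bytes:
    """Per-transaction key. The terminal MUST increment `counter` every time:
    reusing it would reuse the keystream. Compromise of one key exposes only
    that transaction."""
    return _prf(terminal_key, b"TXN|" + struct.pack(">I", counter))


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    block = 0
    while len(out) < n:
        out += _prf(key, b"KS|" + struct.pack(">I", block))
        block += 1
    return out[:n]


def _split(k_txn: bytes) -> tuple:
    return _prf(k_txn, b"ENC"), _prf(k_txn, b"MAC")


def terminal_encrypt(terminal_key: bytes, terminal_id: str, counter: int, pan: str) -> dict:
    """Runs inside the terminal. The result is safe to hand to the merchant POS."""
    enc_key, mac_key = _split(derive_txn_key(terminal_key, counter))
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
    ksn = f"{terminal_id}:{counter}"  # key serial number, sent in clear
    tag = _prf(mac_key, ksn.encode() + ct)  # encrypt-then-MAC over KSN and ciphertext
    return {"ksn": ksn, "ct": ct.hex(), "tag": tag.hex()}


def merchant_pos_forward(msg: dict, amount_pence: int) -> dict:
    """Merchant systems only attach business data and relay the blob; no key here."""
    return {"ksn": msg["ksn"], "ct": msg["ct"], "tag": msg["tag"], "amount_pence": amount_pence}


def _processor_keys(bdk: bytes, ksn: str) -> tuple:
    terminal_id, counter = ksn.rsplit(":", 1)
    return _split(derive_txn_key(derive_terminal_key(bdk, terminal_id), int(counter)))


def is_authentic(bdk: bytes, msg: dict) -> bool:
    """Integrity check: a tampered or replayed-with-edits blob fails here."""
    _, mac_key = _processor_keys(bdk, msg["ksn"])
    expected = _prf(mac_key, msg["ksn"].encode() + bytes.fromhex(msg["ct"]))
    return hmac.compare_digest(expected, bytes.fromhex(msg["tag"]))


def processor_decrypt(bdk: bytes, msg: dict) -> str:
    """Runs in the processor's secure decryption zone (an HSM in practice)."""
    if not is_authentic(bdk, msg):
        raise ValueError("P2PE message failed integrity check")
    enc_key, _ = _processor_keys(bdk, msg["ksn"])
    ct = bytes.fromhex(msg["ct"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()


if __name__ == "__main__":
    bdk = bytes(range(32))  # constructed demo key; a real BDK lives only in the processor's HSM
    term_key = derive_terminal_key(bdk, "T-0001")
    blob = terminal_encrypt(term_key, "T-0001", 7, "4111111111111111")  # constructed test PAN
    print("merchant sees:", merchant_pos_forward(blob, 1999))
    print("processor recovers:", processor_decrypt(bdk, blob))
```

The point to take from the code is which party holds which key: the terminal holds only its own derived key, the merchant holds nothing, and the processor can re-derive every terminal’s keys from the base derivation key. A processor should additionally reject a key serial number it has already seen, so that a captured blob cannot be replayed as a new transaction.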
“Anything that we can do to mitigate human error is a logical approach,” Rob says.
“Criminals are always looking for ways to penetrate the weakest entry point. It’s incumbent on us to take advantage of whatever the latest technology is to secure ourselves. If a crook really wants to burgle your house, they will. But if your house appears to be more secure than the others in your neighbourhood, the crook will be more likely to burgle your neighbour’s house.”
In the hospitality world, many hotels have upgraded their over-the-phone reservation systems with P2PE readers or software, so that call centre operators key card numbers into secure devices that encrypt and tokenise them before the reservation is finalised, or with phone software that tokenises card numbers as they are read over the phone.
Retailers offering an omni-channel shopping experience (online and mobile stores as well as physical ones) should consider P2PE for those channels too.
2. Tokenisation
Tokenisation is what makes one-click online shopping possible. The payment provider replaces the card number with a token, a randomly generated value that stands in for the card in your systems. Even if your processing system is infiltrated, the tokens are useless to an attacker, because they cannot be reversed without access to the provider’s token vault. This also lets customers store a card on your website for future purchases.
This is ideal for retailers and hoteliers setting up recurring payments. The actual card number enters the payment provider’s systems only during the initial transaction. After that, the business holds only the token that represents the card, and uses it for recurring charges or to track transaction history by customer.
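The following added example (not code from the article or from any provider) shows the split the two paragraphs above describe: a token vault that belongs to the payment provider, a merchant record that holds only tokens, a recurring charge made with a token, and a crude PAN scan of the kind a PCI DSS assessor or DLP tool would run over the merchant’s data. The vault is a dictionary here; in practice it sits with the provider behind access controls and an HSM. Card numbers used are constructed test numbers, and `TokenVault`, `MerchantStore` and `leaks_pan` are hypothetical names for this illustration.

```python
"""Card tokenisation, illustrated. Added example, not from the original article."""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit validation: catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Lives with the payment provider; the merchant never sees this mapping."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        pan = re.sub(r"[\s-]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("rejected: not a plausible card number")
        if pan in self._token_by_pan:  # same card -> same token, so history stays linked
            return self._token_by_pan[pan]
        while True:
            # Random, so the token carries no information about the PAN. The last
            # four digits are kept in clear (a common convention) so receipts and
            # staff can still identify which card was used.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def authorise(self, token: str, amount_pence: int) -> dict:
        """Detokenise inside the provider and send the real PAN on for authorisation."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real provider would forward `pan` to the acquirer/issuer here.
        return {"approved": True, "amount_pence": amount_pence, "last4": pan[-4:]}


class MerchantStore:
    """What the merchant keeps on file: tokens only, never card numbers."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.cards_on_file = {}

    def register_card(self, customer_id: str, pan: str) -> str:
        token = self._vault.tokenise(pan)  # the PAN goes to the provider exactly once
        self.cards_on_file[customer_id] = token
        return token

    def charge_recurring(self, customer_id: str, amount_pence: int) -> dict:
        return self._vault.authorise(self.cards_on_file[customer_id], amount_pence)

    def dump(self) -> str:
        """What an attacker would get from the merchant's database."""
        return "\n".join(f"{c},{t}" for c, t in sorted(self.cards_on_file.items()))


PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def leaks_pan(text: str) -> bool:
    """Crude scan for Luhn-valid 13-19 digit runs, as a DLP tool or assessor might run."""
    return any(luhn_ok(m.group()) for m in PAN_PATTERN.finditer(text))


if __name__ == "__main__":
    vault, shop = TokenVault(), MerchantStore(TokenVault())
    shop = MerchantStore(vault)
    tok = shop.register_card("cust-42", "4111 1111 1111 1111")  # constructed test PAN
    print("merchant stores:", tok)
    print("recurring charge:", shop.charge_recurring("cust-42", 1999))
    print("merchant dump leaks a PAN?", leaks_pan(shop.dump()))
```

Two design points are worth noting. The token must be random (or the output of a keyed, vault-only mapping), never a hash or encryption of the PAN that the merchant could compute or reverse; and the provider should bind tokens to the merchant that created them, so that a token stolen from one merchant cannot be charged from another.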
3. Application programming interfaces
Application programming interfaces (APIs) will become the dominant technology behind payments for the foreseeable future, as a by-product of the Open Banking agenda.
Open Banking is the name given to a wide-reaching project requiring the major high-street banks to create secure gateways through which authorised third parties can access bank account data, with the customer’s consent. This means a new world of affordable financial products that businesses will have access to, built to the security requirements of the second Payment Services Directive (PSD2).
One of the most overlooked areas that could use a security face-lift is the back-office processes that support a hotel’s or retailer’s financials and reconciliation.
Many tracking systems, such as travel expense reporting systems, bank reconciliation systems and corporate analytics systems, pass around large amounts of card data. Connecting these systems through APIs can streamline those processes, improving cash flow and freeing up staff time to put back into the business, and it is also the point at which to decide whether each system needs raw card data at all or can work from tokens and references instead.
Securing payments from the inside out
“It doesn’t matter how much money you spend on tech, people will still be the weakest link in the chain,” Rob advises.
Creating, teaching and documenting security policies and best practices is a key factor to mitigating payment security risks, especially as more businesses move toward digitising business processes.
In the UK, 65% of medium businesses now have a formal policy that covers cybersecurity; however, only one in three businesses are actively training staff (despite this being a required element of GDPR).
“When I’m dealing with a client after they’ve had a breach, at some point I speak to the CEO who questions me about having experienced a breach after taking all of my advice,” Rob explains.
“I compare it to securing a building. If your organisation is a building and you’ve bought the very best security system with bars on the windows, locks on all the doors and cameras everywhere, you’ve done your best to secure the building.
“A security breach is a crook walking up to the front door, ringing the buzzer, and a helpful employee letting them in. Ongoing training on security best practices is as big a defence as any.”
Educate your customers
Rob points out customers need to be just as aware of cyber risks and measures they can take to help the fight against attackers.
He says: “The move toward a digital experience is a good one and an enabler for businesses. People want the convenience and the experience, but don’t cut corners [when implementing]. Educate your customers about your secure payment processes and the things you are doing to safeguard them.
“Most scammers are just people mimicking larger organisations. Explain what certain communications from your business will look like and the type of information they will provide so your customers will always know what to expect. That way they’ll know how to respond if something looks suspicious.”
Which secure payment measures do you employ for your business? Let us know in the comments section.