Three strategies to protect cardholder data against fraud

By Tim Millins, SVP, MB Bank@Work, Amy Tippins, Director, Partner Management, Elavon

What merchants can do to protect cardholders and keep credit and debit transactions safe from fraud.

With every advance in card security, fraudsters have responded with more sophisticated and intrusive means of attacking merchant point-of-sale (POS) devices, back-office systems and network data centers. The financial impact of payment fraud for merchants — particularly those in the hospitality, retail and financial services sectors — is estimated to have reached $37 billion. Additionally, merchants often suffer reputation damage as a result of fraud. According to an Elavon White Paper, 43 percent of consumers would avoid shopping at a merchant that has been breached and another 31 percent would spend less at the merchant’s stores.

The transition to EMV (Europay/MasterCard/Visa) fraud-reducing technology — commonly known as computer-chip technology — is a major step toward reducing credit fraud in card-present (in-person) transactions. But there are still areas of concern — specifically, the increase in fraudulent card-not-present (online) purchases and the expected emergence of advanced tools capable of bypassing EMV security. What, then, can you do to keep your business’s card transactions more secure?

1. Educate yourself and your staff to identify suspicious customer behavior.

For website, mail or phone purchases, there are other fraud concerns that require special watchfulness. For card-not-present transactions, you and your staff should be particularly mindful of those who request delivery to a freight forwarder, order goods and/or services via a free email server, or demand that an order be rushed with an immediate tracking number.

You and your staff should also be alert if the customer requests delivery to a post office box or a foreign country, uses more than one card (“split ticket”) for the purchase, uses a card that has sequential numbers or patterns, places an uncommonly large or unique order compared to your usual transactions, or places an order and then calls back quickly to place additional orders with the same or different cards.
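
The warning signs above can be turned into an automated first pass so that staff review only the orders that trip a rule. The following is an added example, not code from the article or from Elavon or MB Bank: it encodes each indicator as a check over a constructed batch of card-not-present orders and returns the reason codes for every order that should be held for review. The field names, thresholds, free-email list, time window and all sample data are assumptions.

```python
"""Rule-based screen for card-not-present orders (added example).

Encodes the warning signs listed above as checks and returns, per order,
the reason codes that should send it to manual review. Field names,
thresholds, the free-email list and all sample data are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
HOME_COUNTRY = "US"                 # merchant's own country (assumed)
LARGE_ORDER_FACTOR = 5.0            # flag orders above 5x the typical amount
REPEAT_WINDOW = timedelta(minutes=30)


@dataclass
class Order:
    order_id: str
    customer_email: str
    ship_country: str
    ship_address: str
    freight_forwarder: bool         # delivery to a known freight forwarder
    rush_with_tracking: bool        # rush requested plus immediate tracking number
    amount: float
    cards: list                     # card numbers presented for this order
    placed_at: datetime


def card_has_pattern(pan: str) -> bool:
    """True if the digits contain a run of 4 ascending or 4 identical digits.
    The run length is a tuning knob; 4 is an assumption for the demo."""
    digits = [int(c) for c in pan if c.isdigit()]
    for i in range(len(digits) - 3):
        w = digits[i:i + 4]
        if all(b - a == 1 for a, b in zip(w, w[1:])) or len(set(w)) == 1:
            return True
    return False


def typical_order_amount(history):
    """Median of past order amounts; the baseline for 'uncommonly large'."""
    return median(history)


def screen_orders(orders, typical_amount):
    """Return {order_id: [reason codes]} for every order that trips a rule."""
    by_email = {}
    for o in orders:
        by_email.setdefault(o.customer_email.lower(), []).append(o)
    flagged = {}
    for o in orders:
        reasons = []
        if o.freight_forwarder:
            reasons.append("freight_forwarder")
        if o.customer_email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
            reasons.append("free_email")
        if o.rush_with_tracking:
            reasons.append("rush_tracking")
        if PO_BOX.search(o.ship_address):
            reasons.append("po_box")
        if o.ship_country != HOME_COUNTRY:
            reasons.append("foreign_ship")
        if len(o.cards) > 1:
            reasons.append("split_ticket")
        if any(card_has_pattern(c) for c in o.cards):
            reasons.append("card_pattern")
        if o.amount > LARGE_ORDER_FACTOR * typical_amount:
            reasons.append("large_order")
        # Velocity: an earlier order from the same customer inside the window
        if any(timedelta(0) < o.placed_at - p.placed_at <= REPEAT_WINDOW
               for p in by_email[o.customer_email.lower()] if p is not o):
            reasons.append("rapid_repeat")
        if reasons:
            flagged[o.order_id] = reasons
    return flagged


# Constructed sample data; the card numbers are made-up digit strings.
HISTORY = [60.0, 120.0, 95.0, 130.0, 110.0]
SAMPLE_ORDERS = [
    Order("A1", "pat@example.com", "US", "12 Main St", False, False,
          80.0, ["4539 5782 0101 4674"], datetime(2024, 3, 1, 9, 40)),
    Order("A2", "buyer123@gmail.com", "US", "P.O. Box 991", False, True,
          2400.0, ["4000 1234 5678 9010", "5500 2233 4455 6677"],
          datetime(2024, 3, 1, 10, 0)),
    Order("A3", "buyer123@gmail.com", "CA", "44 Pine Rd", False, False,
          300.0, ["5500 2233 4455 6677"], datetime(2024, 3, 1, 10, 12)),
]

if __name__ == "__main__":
    result = screen_orders(SAMPLE_ORDERS, typical_order_amount(HISTORY))
    for oid, why in result.items():
        print(oid, "->", ", ".join(why))
```

Run as a script, it prints the reason codes for the two constructed orders that trip rules (the plain order A1 passes). The rules return codes rather than a verdict on purpose: a single indicator is a prompt for a phone call or an address check, not a decline, and the code list is what a reviewer needs to decide.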

2. Explore adding the right encryption solution for your business.

Consider implementing security solutions that protect cardholder data at every step in the transaction life cycle – in use, in transit, and at rest. While EMV terminal processing offers more layers of security than magnetic-stripe card readers, it can lull merchants into a false sense of security.

There are two particularly strong solutions available to help protect card data via encryption:

  • Point-to-point encryption (P2PE) protects customer card data from the moment it is presented to a business until it is received by the payment processor. Terminals containing a tamper-resistant security module (TRSM) encrypt the card data with a cryptographic algorithm and a secret key held inside the terminal, so no usable card data enters the POS software or the merchant network.
  • Tokenization, a complementary data-protection method, replaces cardholder data with a unique identifier (“token”) consisting of a random string of characters. This means customer card data no longer exists in your environment, thereby making it much harder to steal. And because the token stands in for the cardholder data, your business can still use it to add or edit charges.
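
What "card data no longer exists in your environment" means in practice is easiest to see with a small working vault. The block below is an added example, not code from the article or from Elavon: the vault (operated by the provider in the article's model) is the only component that ever holds a full card number; the merchant keeps a random token plus the last four digits and uses the token later to adjust a charge. The class and function names, the token format and the sample card numbers (well-known test-style digit strings, not real accounts) are assumptions.

```python
"""Toy tokenization vault (added example).

The vault is the only component that sees a full card number (PAN).
The merchant side stores a random token and the last four digits and
uses the token to adjust a charge later. Names are assumptions."""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects obviously mistyped numbers before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 ...' and '4111-1111-...' match."""
    return "".join(c for c in pan if c.isdigit())


def mask_pan(pan: str) -> str:
    """Receipt/log form of a card number: everything but the last four hidden."""
    pan = normalize_pan(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Provider-side store. Tokens are random, never derived from the PAN."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._by_pan:          # multi-use token: same card, same token
            return self._by_pan[pan]
        while True:
            token = "tok_" + secrets.token_urlsafe(18)
            if token not in self._by_token:  # guard against the rare collision
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, when it talks to the card network."""
        return self._by_token[token]


@dataclass
class MerchantCardRecord:
    """Everything the merchant keeps on file: no PAN anywhere in it."""
    token: str
    last4: str


def store_card(vault: TokenVault, pan: str) -> MerchantCardRecord:
    token = vault.tokenize(pan)
    return MerchantCardRecord(token=token, last4=normalize_pan(pan)[-4:])


def merchant_side_contains_pan(record: MerchantCardRecord, pan: str) -> bool:
    """True if the full PAN leaked into the merchant's stored record."""
    pan = normalize_pan(pan)
    return pan in record.token or pan in record.last4


def adjust_charge(vault: TokenVault, record: MerchantCardRecord, amount_cents: int) -> dict:
    """Merchant submits the token; the provider swaps in the PAN for the network.
    The returned dict is a constructed stand-in for a processor response."""
    pan = vault.detokenize(record.token)
    return {"card": mask_pan(pan), "amount_cents": amount_cents, "status": "authorized"}


if __name__ == "__main__":
    vault = TokenVault()
    rec = store_card(vault, "4111 1111 1111 1111")   # test-style number, not a real account
    print("merchant keeps:", rec)
    print("adjusted charge:", adjust_charge(vault, rec, 1999))
```

Two properties are worth checking against any real provider's tokens: the token must not be derived from the card number (a hash of the PAN is reversible by enumerating the sixteen-digit space), and the detokenize path must exist only on the provider side, which is why the article tells you to confirm the provider hosts the token vault itself.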

When exploring these options, you will want to look for a solutions provider that offers secure multi-point connectivity. Make sure your provider hosts and maintains the decryption service and token vault so that third parties are not involved, since they might introduce more points of vulnerability. Lastly, ensure that your provider is experienced with networks that run on stable and redundant systems monitored by a top-rate IT team.

3. Keep up-to-date on EMV and PCI compliance standards.

As outlined in a previous article, EMV has many fraud reduction benefits. Yet according to the research firm Ponemon Institute, nearly two-thirds of companies with 500 or fewer employees were not ready for the transition to EMV cards when the new rules went into effect last October.

So how do you comply if you haven’t already? First, engage your current merchant processor to find out if their firm is EMV-compliant. If so, inquire whether your current POS terminals are EMV-enabled and whether your current POS software is EMV compliant. You may also wish to compare EMV-enabled POS terminals, plans, and fee structures from at least three sources.

In addition to keeping abreast of EMV technology, it is imperative to continually comply with the PCI Data Security Standard (DSS) — a set of constantly evolving requirements intended to help merchants that accept electronic payments proactively safeguard customer data. Maintaining PCI DSS compliance — keeping your network secure, implementing internal controls, and performing regular testing — can be time-consuming and complex. But the investment of time and resources is necessary if you are serious about protecting your customers’ card data and reducing your business’s fraud liability.

In summary, there are many useful ways to improve cardholder security — through meticulous staff training and education, utilizing P2PE and tokenization to protect data, and keeping abreast of evolving EMV and PCI DSS standards. Using these strategies will help you gain the peace of mind of knowing that you are doing everything in your power to combat evolving payment fraud.