PCI DSS means any data would be encrypted and that makes it much more difficult for a criminal.”
The problem is, not every retailer is compliant. When the PCI Security Standards Council was established by the five major credit card companies in 2006, its primary focus was on larger retailers. Since then it has made strenuous efforts to encourage smaller retailers to seek compliance with PCI standards too. They are at least as likely to be targeted by fraudsters, because they are likely to have spent less on security in general, in the store or online.
Despite the efforts of the Council, the card companies and others, awareness of security issues can still be patchy among these merchants. “Many retailers still don’t appreciate how much card data is flowing in their networks,” says Chandra Patni, CEO and CTO at payment specialist YESpay International. “They may have card data stored in PoS databases in clear text.”
As PCI compliance has become more difficult over the years, many retailers have outsourced parts of the card payments process to payment services providers (PSPs), like YESpay. One YESpay client, Ian Pulsford, head of IT at toy retailer The Entertainer, probably spoke for many of his peers when he told the audience at a YESpay event in March 2012: “Basically we are using as many hosted services as we can. The idea is, ‘have nothing’ ... [get] everything off our network.”
Using a PSP won’t be appropriate for every retailer, but one advantage it offers is access to the most advanced payment data processing solutions. In future that is more likely to include point-to-point encryption solutions, which encrypt all payment data between the PIN entry device (PED) at the till and the central processing facility.
Retailers already using point-to-point encryption include SPAR, which uses the Ocius Sentinel system, provided by Commidea (now part of Verifone) on a managed service basis. The retailer started using the technology in late 2011, when Roy Ford, retail IT controller at SPAR, told Retail Systems that one of the most important reasons it had been chosen was the cost-effectiveness of the managed service.
Not many other retailers have yet followed suit, possibly in part for straightforward economic reasons, but also because many procure and renew PoS and payment systems on a cycle which lasts several years. “Migration won’t happen overnight,” says YESpay’s Chandra Patni. Nonetheless he claims point-to-point encryption is appearing on RFI and RFQ documents. He believes most larger retailers will be looking to outsource these functions to a managed service.
Even if these trends continue to close security weaknesses in payment processes for retailers of all types and sizes over the next few years, there will still be security vulnerabilities in many retailers’ systems. “One place where you could try and attack is maybe not the system itself but the processing associated with it, like a refund or obtaining a receipt copy,” notes Munro. “All those systems should have data in a masked format. But refund processing, for example, is not the most well-defined process.”
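The two points made above, that card data may sit in PoS databases in clear text and that refund and receipt-copy processing should only ever see masked data, are the kind of thing a defender can check for directly. The following Python script is an added example, not code from the article or from any of the vendors it names: it scans a constructed set of PoS log records for unmasked primary account numbers (a digit-run of 13 to 19 digits that passes the Luhn check, so ISBNs and other numeric fields are not reported), and shows the masked form PCI DSS permits for display (no more than the first six and last four digits). The record format and the field names are assumptions for the example; the card numbers are standard test numbers, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample records, laid out the way a PoS database export or
# transaction log might look. The PANs are well-known test numbers.
SAMPLE_RECORDS = [
    "2012-11-03 14:02:11 sale till=07 amount=19.99 pan=4111111111111111 auth=OK",
    "2012-11-03 14:05:40 refund till=07 amount=19.99 pan=4111-1111-1111-1111 ref=R1021",
    "2012-11-03 14:09:02 receipt-copy till=03 pan=411111******1111 ref=R1018",
    "2012-11-03 14:12:55 sale till=03 amount=5.00 pan=5500 0000 0000 0004 auth=OK",
    "2012-11-03 14:15:00 sale till=01 amount=7.50 pan=1234567890123456 auth=DECLINED",
    "2012-11-03 14:20:10 stock-check sku=9780141036144 qty=3",
]

# A run of 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, int, str]]:
    """Return (start, end, normalised_pan) for each Luhn-valid candidate."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every unmasked PAN in a record with its masked form."""
    out = text
    # Work from the end so earlier offsets stay valid after each substitution.
    for start, end, digits in sorted(find_pans(text), reverse=True):
        out = out[:start] + mask_pan(digits) + out[end:]
    return out


def scan_records(records: List[str]) -> List[Tuple[int, str]]:
    """List (record index, masked PAN) for every record holding clear-text card data."""
    findings = []
    for idx, rec in enumerate(records):
        for _, _, digits in find_pans(rec):
            findings.append((idx, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked PAN found, display form {masked}")
    print("redacted:", redact(SAMPLE_RECORDS[1]))
```

Run against a real export, the findings list is the evidence that a refund or receipt-copy path is handling clear-text PANs; the Luhn filter keeps the noise from timestamps, SKUs and amounts down, and `redact` is the masked form such a path should have been storing or logging in the first place.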
Retailers will continue to be susceptible to the security threats which afflict IT networks of all kinds, warns YESpay’s Patni: “The main problem is just making sure that card data is safe in the network and that there are good data practices in the network: that there are good logging in procedures and firewalls and so on.”
New technologies or payment methods are bound to create further vulnerabilities. “For example, you can now pay using PayPal in certain stores,” adds Consult Hyperion’s Munro. “That’s user name and password-based, so is that as secure as a PIN?”
The most obvious new potential source of trouble is payment made using mobile phones and devices, including use of mobile device-based contactless payments. “Mobile payments have introduced a whole new set of challenges for the Council and the whole payments industry,” confirms the PCI SSC’s Jeremy King.
But a good mobile payment app for a smartphone can be fairly well secured, suggests Patni, if used with PED equipment which encrypts card data. Edward Chandler, CEO of the PSP CQR Payments Group, makes a similar point. “If I know that the device you’ve taken payment with hasn’t been lost, stolen or interfered with and the account you’ve got is in good shape then that’s a multi-factor and dynamic authentication,” he explains.
King says the PCI SSC is working closely with the GSM Association to establish the most effective way of securing mobile devices. The Council has published guidance documents on securing mobile transactions. It is also considering how best to prevent security problems arising in relation to in-store kiosks.
Finally, the Council is also actively trying to improve the standards of software installation and integration, because badly installed software is another source of security problems. In 2012 it launched a Qualified Integrators and Resellers (QIR) programme.
Yet for all of these potential sources of problems there is still a general feeling that UK retailers have produced a creditable performance in the battle against fraud and crime in the store – in this, electronic respect, at least – in recent years.
“UK merchants have done a really good job,” adds King. “I regularly attend a UK merchant working group, largely with tier ones and quite a few of the tier twos now too. With most of those companies now I’ll be talking to PCI representatives, not just IT representatives, so they’ve taken it very seriously. They’re now helping us to try and get the message down to the smaller merchants.”
But, as Munro points out, “Regulation is always one step behind the technology”. “It’s a constantly evolving ecosystem: payment methods change, security increases in one place and someone will go and look for a hole in another place,” he observes. “But the industry is getting more mature in terms of the way it looks at making the whole payment mechanism secure.”
February - March 2013 RS 29