The ABC’s of Payment Security

Guest author: Tom Smith, Freedom Pay

Today, merchants need to secure their payment environments; however, navigating the complex payment security landscape requires a basic foundation of how the system works. That's why we will detail many of the most important terms you need to understand. You'll quickly gain a foundation for understanding payment security.

Securing payment transactions requires maintaining compliance with the payment card industry (PCI) security standards. These standards protect card information during and after the transaction. Vendors must establish and maintain a secure network. Within the network, cardholder data needs to be secure and protected against hackers trying to steal valuable credit card information.

Keeping the payment systems and applications secure requires regular anti-virus updating and maintenance. Merchants need to limit access and use control measures that restrict access to cardholder data. Unique IDs must be assigned to each person who can access cardholder data. The network needs consistent monitoring and testing to ensure the systems and processes remain secure. All access to the cardholder data and network resources needs to be tracked and monitored. Merchants must maintain an information security policy to keep cardholder data secure.

A point of sale solution called point-to-point (P2PE) encrypts data from the point-of-interaction (POI), for example, the card swipe, until the data reaches the secure decryption environment. This means even if somebody managed to "intercept" your information before its final destination, they would only get gibberish.

Point-of-Interaction (POI) payment devices should meet SRED (Secure Read and Exchange of Data) and PTS (PIN Transaction Security) standards. Ideal systems also offer a validated decryption environment that utilizes a PCI SSC (Payment Card Industry Security Standards Council) approved Hardware Security Module (HSM), as well as a secure distribution channel to ensure chain-of-custody is maintained. Finally, a P2PE Instruction Manual (PIM) that guides the merchant on POI device use, storage, return for repairs and regular PCI report is essential.

Another solution for securing cardholder data, in addition to end-to-end encryption, is called tokenization. This solution replaces the primary account numbers (PAN) with a surrogate value called a token. The reverse process to redeem a token is called de-tokenization. With this solution, it's not feasible to determine the original PAN knowing only the surrogate value. The tokens within the merchant applications and systems may not necessarily require the same level of security protection associated with the use of PANs. Because tokens are stored instead of PANs, the amount of cardholder data is reduced, ultimately reducing the merchant's Payment Card Industry (PCI) Data Security Standards (DSS) requirements.

A smart card, called EMV, stores the data on magnetic strips and integrated circuits. EMV represents EuroPay, MasterCard, and Visa. The user physically inserts the card into a reader. These payment cards are often referred to as "Chip and Signature" cards, or "Chip and PIN" depending on the authentication method used by the card issuer. Chip and Pin requires the PIN code at the end of the transaction. This EMV-enabled hardware communicates with the credit card's processor chip to determine authentication. Chip and Signature cards require a signature to validate the user's identity.

Another set of communication protocols that enable smartphones or other mobile devices to transmit data is called near-field communication (NFC). This allows two electronic devices to communicate within four cm of each other. These protocols enable payments via smartphones using solutions like Apple Pay and Samsung Pay.

To help a merchant determine what needs to be done to become PCI compliant, a merchant can take the Self-Assessment Questionnaire (SAQ) and submit it to the acquiring bank. This way, an expert can help identify any requirements that are missing.

Payment industry protocols change very quickly. Understanding some of the common payment security language helps merchants eliminate confusion and begin to demystify some of the new payment security criteria so they'll know what questions to ask to help their customers.

FreedomPay is an industry leader in payment solutions: experts who can help you build a solid foundation for understanding payment security. Visit FreedomPay online or contact us today to find out how we help merchants solve all their payment needs!