ETA Expert Insights: Safeguarding Every Cent — How the Payments Industry Protects Your Money

By Douglas Buan, Chief Information Security Officer, Wind River Payments • Jim Bibles, SVP Risk and Compliance, Aperia
ETA Industry Affairs PCI/Cybersecurity Committee

The payments industry has been a target for thieves since inception. For this reason, security has been built into payments at all levels and with all participants. We’ll first discuss industry compliance in terms of any industry participants that store, process, or transmit payments data. We’ll then turn to elements of product and solution security. Lastly, we’ll discuss regulation and consumer protection.

The payments industry recognized that it could only succeed in protecting the payments infrastructure through a collaborative effort, so it created the Payment Card Industry Security Standards Council (PCI SSC). This organization brings all stakeholders within the payments ecosystem to create a secure environment for the transmitting, processing, and storing of cardholder data.

While there are many moving parts to this puzzle it can be broken down into the following activities:

Payment Software and Hardware Certification
Payment software providers and device manufacturers must comply with strict standards, ensuring all software payment and devices like point-of-sale terminals and ATMs are secure and resistant to fraud. These devices are certified by the PCI SSC to meet strict security standards, ensuring encrypted data transmission and protection against tampering. Regular updates and patches keep devices secure as threats evolve.

Merchant Compliance with a Robust Security Standard
All merchants that accept credit cards must be compliant with PCI Data Security Standard (PCI DSS) requirements. These requirements include only using secure hardware and software for the processing and transmitting of cardholder data, ensuring that data at rest is encrypted, controlling access to sensitive information, regularly testing their networks and websites to ensure they are not vulnerable to malicious attacks, and having a program in place to respond should the incur a service disruption or data security event.

Service Provider and Processor Validation and Registration
To ensure there are no gaps in the security of the payment’s ecosystem payment processors and service providers are required to validate their compliance with the PCI DSS and register with the card brands for the services they provide. Merchants are responsible for understanding how these services impact their compliance and ensuring these providers remain PCI-compliant.

Collaborative Enforcement
Card brands, acquiring banks, and payment processors enforce PCI DSS compliance, with penalties for non-compliance. The PCI SSC provides ongoing training and resources, ensuring that all participants in the payment’s ecosystem understand and implement the necessary security practices.

As we turn to product security, it’s clear that protecting payments data is a priority. Point-to-point encryption (P2PE) is a highly effective security solution that encrypts and devalues payment data from the very point of entry to an upstream entity that has the decryption key to process the data. This means that even if a merchant experiences a data compromise, the payment data is still safe because the attackers cannot unlock the data.

A solution like tokenization is used to replace the storage of payment data with a reference token while still allowing convenient features like recurring transactions. It negates the risk for merchants of storing payment data as tokens are useless to attackers.

Aside from merchant storage, solutions like digital wallets (ApplePay, GooglePay, SamsungPay) also use tokenization at the point of sale for card present or online transactions without the need for the real card number to enter the payment process because the card number is replaced with a token to be the payment instrument even for initial transactions.

Even with sophisticated primary account number replacing solutions like this, card issuers and merchant acquirers use fraud detection systems designed to identify and stop fraud in real-time. As we discuss artificial intelligence and machine learning with these solutions, it’s possible to identify fraud more quickly and recognize anomalous patterns before neural networks and humans do so. Although we’re early on in use of these technologies, we expect them to only get better at helping us mitigate fraud.

Lastly, and as probably the backstop to protect consumers, we discuss regulation and consumer protection. Federal regulation protects consumers from fraud when using various payment types including payment cards. The process behind this in the payment card industry is the chargeback and dispute process. It allows consumers to dispute transactions for various reasons including the product not being as expected or faulty, product never received, services that are not rendered, fraud, or other various reasons. It’s a formalized and fairly complex process that mediates the interaction between the consumer and the merchant when there is disagreement.

The items we’ve discussed today are to point out that fraud mitigation exists at every level within the payments industry. It permeates the payment system from payment product manufacturing and solutions design through overarching industry compliance and regulatory protections. In knowing this, consumers and business should feel comfortable participating the payments system.