A locally-famous Thai restaurant in San Diego County posted a message to customers requesting that they pay with a
Looking back over the past 25 years, the act of making payments has evolved from primarily using cash (or writing checks) to exchanging money electronically in many different ways. Even credit card payments have gone from a manual entry of the card details for each transaction, to one-click purchasing, and now to automatic payments. Think about the last time you completed a ride with Uber or Lyft – you just said goodbye and got out of the car – the credit card payment was done for you and the process was actually faster than using cash.
Payment methods are clearly evolving. With data breaches in the news week after week, does the fear of brand damage from a breach weigh on business owners?
Data security is definitely ‘top of mind’ when you ask business leaders who are directly or indirectly associated with the payments industry. Even the Thai restaurant owner mentioned above suggested that she would rather handle the risk of a data breach than have a physical altercation over petty cash. Other businesses that process payments face risks of a different nature, and at a larger scale than a single restaurant.
No matter the size of a business, there are major trends in digital payments happening today, where data security is critical to the survival of the business.
In the U.S., the number of payment cards available for use (often referred to as ‘cards in force’) topped 694 million cards in Q1 2019, distributed between the Major 4: Visa, MasterCard, American Express, and Discover. This volume represents 5.2% year over year growth, which means by the end of 2019, there will probably be over 700 million cards in force.
Along with the increase in payment cards available, companies are collecting more data on their cardholders. This data
The growth of e-commerce has made card-not-present (CNP) fraud more attractive to offenders, especially since EMV chip cards became the norm for in-person transactions: a chip is far harder to counterfeit than a magnetic stripe, so stolen card data is now monetized mostly online, where no chip is involved. Sales from online websites have seen substantial, steady growth over store-front retailers.
A study released in 2018 by Javelin Strategy & Research said card-not-present fraud is now 81% more likely to occur than in-store fraud. Once a bad actor has stolen payment card details, they often succeed in completing high value transactions for retail goods sold online.
For both the merchant and the end consumer, online transactions come with a level of risk. For the merchant, it’s very difficult to know if the actual cardholder is completing the transaction. For the end consumer, they can only hope the merchant hosting the website prevents unauthorized access to their valuable payment card details.
If payments are easier to make, consumers are more likely to make them. "Frictionless payments and banking mean faster growth for businesses and better experiences for consumers,” says Kalle Radage, Chief Product Officer at Payfirma. Payment innovations make it effortless for consumers to increase spending while also allowing for security, accessibility, convenience, and efficiency.
For example, making payments through a mobile app isn’t new. However, acceptance around the world is growing – very quickly. Visa sales through mobile devices have grown 53% faster than sales made on a desktop PC. The mobile device opens up more possibilities for e-commerce and payments to interface with banking, loyalty programs, and other services. Unfortunately, it also opens up another option for bad actors.
Access to data from other channels allows companies to offer unique or personalized customer experiences, while differentiating themselves from competitors. However, accessing and consuming data comes with the responsibility of strengthening data security and privacy.
Payment innovations are enabling seamless transactions across international borders. PayPal was one of the first companies that made it possible for e-commerce to cater to new customers by facilitating global transactions. Today, many other payment providers like Transferwise, Transfergo, and even Western Union have entered the digital money-transfer game.
In the US alone, more than 8 billion transactions were made in domestic and cross-border person-to-person (P2P) payments in 2018 (Source: American Banker)
The Payment Card Industry Security Standards Council (PCI SSC) maintains one of the most mature data security standards (DSS) in existence for payment card details. In essence, PCI DSS requires that the primary account number (PAN) be rendered unreadable wherever it is stored (for example by truncation, tokenization, or strong cryptography), that cardholder data be encrypted when transmitted over open, public networks, and that sensitive authentication data such as the full track data, CVV2, and PIN never be stored after authorization. It also lists requirements for the policies, procedures, and infrastructure of the surrounding environment.
When it comes to data collected beyond payment card details, specifically for data containing personally identifying information (PII) from consumers, there are other regulations and laws companies need to adhere to.
GDPR flipped the data security model around so that the protection focus is on the consumer and, as a result, fundamentally changed the way businesses collect and store data. At its core, GDPR requires that personal data (the EU term that covers PII) be processed lawfully, minimized to what is needed, and protected with appropriate technical measures; it names pseudonymization and encryption explicitly, and data that has been genuinely anonymized falls outside the regulation altogether.
Additionally, the California Consumer Privacy Act (CCPA), which takes effect on January 1, 2020, gives consumers the right to know what personal information a company collects about them and whether it is sold, the right to opt out of that sale, and the right to request deletion.
New @USATODAY: If strong, the “CCPA could end up being a model for other states and eventually the federal government.”
Come January, #CA law will hold FB, Amazon and Google accountable for how they are using our personal data – we’re committed to the continued fight. https://t.co/PL8Hm7VWOy
— Californians for Consumer Privacy (@caprivacyorg) July 30, 2019
Today, companies who process payments are also most likely collecting personal data from their consumers, and need to plan beyond protecting just payment card details.
Retailers and merchants are especially vulnerable to data theft or exposure because they are typically the first point of contact for the consumer data. These first points of contact include point of sale (PoS) devices, websites, or mobile applications that all have to manage ingesting data, consuming it, and finally securing it.
Payment Services Providers (PSPs) play a vital role in moving transactions from one place to another and are highly susceptible to data theft or compromise. PSPs handle payment card details for many reasons: settlement, reconciliation and dispute handling, cross-selling goods and services, conveniences such as cards stored for future purchases, and data analytics.
Other companies who touch any part of a payment transaction may be vulnerable to data exposure as well, especially if they manage similar payment card details or consumer information in their possession.
"Each innovation in payments brings its own data protection and privacy concerns." - J. Deveaux
Past data breach incidents show a recurring pattern: once attackers find a gap in the perimeter, they reach payment card details and PII that sit in cleartext, regardless of where the data is stored or how well the private or public network around it is defended. Network defenses alone do nothing for the data once the attacker is inside.
One way to reduce the possibility of payment card details and consumer info getting into the wrong hands is NOT to process or store the data at all! Just like the Thai restaurant mentioned at the beginning of this blog post, whose owner chose NOT to accept cash and so removed the incentive for a robbery, a business that never holds the data cannot lose it.
However, NOT processing or storing payment card details and consumer info means that many businesses would have to change their business model, outsource to another company, or go out of business.
In most companies around the world, data is among the most valuable assets the business has, second only to its people. Since data is imperative to keeping businesses running and feeding the services they build in order to compete, the best course of action is to use the data on hand, and collect even more, while taking the critical steps to ensure all of it is protected and kept private.
Nothing creates greater friction between a company and its consumers than a data breach. Having to send the ‘letter of data breach notification’ to all affected customers and managing a data breach incident is expensive, time consuming, and a major distraction from innovation. It is also highly injurious to your brand and a major destroyer of carefully earned customer trust.
Data security, when implemented with effective data protection methods, actually enables organizations to access and extract more value from their data stores. Departments need to exchange data to function, but this process can be held up by the risk of exposing private identity information. With data-centric security this is no longer an issue, because properly secured data can be analyzed, researched, and used to run test scenarios and answer customer queries while it is still in a protected state. The caveat is that the protection method must preserve the properties the workflow needs: tokenization and format-preserving encryption keep the length, character set, and typically the last four digits of a card number, so a protected value can still be joined, grouped, and displayed to an agent, but a workflow that needs the original value cannot run on it.
The ‘data-centric’ approach to data security may be the much needed shift many business leaders should consider for protecting and privatizing payment card details and consumer data. Rather than relying only on the networks and systems around the data, the data-centric approach protects the data element itself (the PAN, the name, the account number) at the point it is captured, so the protection travels with the data wherever it goes.
The main advantage of the data-centric approach is that data stays secure throughout the enterprise, whether it is in motion, at rest, or in use. Only the few workflows that genuinely need the original value, such as settlement or dispute handling, request it back from the protection service, and every such request is authenticated and logged, which also satisfies regulations and laws that require documented access to critical data.
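To make the PCI DSS storage rules above and the data-centric workflow just described concrete, here is an added example written for this post (it is not code from the original article or from any vendor product). It models a small tokenization vault: PANs are replaced by random tokens that keep the BIN and last four digits but deliberately fail the Luhn check, so a token can never be mistaken for a real card number; analytics such as finding repeat customers runs on tokens alone; the merchant record keeps only the token and a masked PAN, never the CVV; and handing a PAN back requires an authorized role and always writes an audit entry. The in-memory vault, the keyed index, the role names, and the test PANs are all assumptions made for the example; a real deployment would back the vault with an HSM or a dedicated tokenization service.

```python
"""Added example: a toy tokenization vault with audited detokenization.

Constructed for this post; not code from the original article or any product.
The vault, its index key, the role names and the test PANs are assumptions.
"""
import hashlib
import hmac
import re
import secrets
import time

PAN_RE = re.compile(r"^\d{13,19}$")
DETOKENIZE_ROLES = {"settlement", "disputes"}  # assumed roles allowed to see a PAN


def luhn_ok(number: str) -> bool:
    """Luhn check digit validation, used to reject malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random, format-preserving tokens (in-memory stand-in for an HSM-backed store)."""

    def __init__(self, audit_log: list):
        self._token_to_pan: dict[str, str] = {}
        self._index_key = secrets.token_bytes(32)  # keyed so the index cannot be brute-forced offline
        self._pan_index: dict[str, str] = {}       # HMAC(PAN) -> token, so each PAN gets one token
        self.audit_log = audit_log

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fingerprint in self._pan_index:
            return self._pan_index[fingerprint]  # same card, same token: analytics can join on it
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]  # keep BIN and last four, randomize the rest
            # A token that fails Luhn can never equal, or be mistaken for, a real PAN.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_index[fingerprint] = token
        return token

    def detokenize(self, token: str, principal: str, role: str) -> str:
        """Return the PAN only to an authorized role; every attempt is written to the audit log."""
        allowed = role in DETOKENIZE_ROLES and token in self._token_to_pan
        self.audit_log.append({"ts": time.time(), "principal": principal, "role": role,
                               "token": token, "outcome": "allowed" if allowed else "denied"})
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not detokenize")
        return self._token_to_pan[token]


def checkout(vault: TokenVault, pan: str, cvv: str) -> dict:
    """Build the record a merchant may keep after authorization: token and masked PAN, never the CVV."""
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("bad CVV")
    # The CVV would go into the authorization request here. It is sensitive authentication
    # data that must not be stored after authorization, so it never enters the record.
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan)}


def repeat_customers(records: list) -> set:
    """Analytics on protected data: find cards used more than once without ever seeing a PAN."""
    seen, repeats = set(), set()
    for rec in records:
        (repeats if rec["token"] in seen else seen).add(rec["token"])
    return repeats


if __name__ == "__main__":
    log = []
    vault = TokenVault(log)
    orders = [checkout(vault, "4111111111111111", "123"),   # constructed test PANs
              checkout(vault, "5555555555554444", "999"),
              checkout(vault, "4111111111111111", "123")]
    print("stored records:", orders)
    print("repeat customers (by token):", repeat_customers(orders))
    print("PAN for settlement:", vault.detokenize(orders[0]["token"], "settlement-job", "settlement"))
    print("audit:", log)
```

The keyed HMAC index is what makes the same card map to the same token without keeping a plaintext lookup table; losing the index key only breaks that consistency, it does not reveal any PAN. Rejecting Luhn-valid tokens is a cheap safeguard against a token leaking into a field that expects a real card number.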
With the right approach, data security reduces risk to private data, which benefits you and your customers. Check out this white paper to learn how data-centric security can simultaneously fulfill the requirements of multiple data protection standards and regulations.