Thursday, 18 December 2014

Safer Payments online, in-store and especially during the peak retail periods

Online shopping and in-store retail purchases increase dramatically at certain times, such as the recent festive period, and unfortunately these are also the times when we see increases in skimming, phishing attempts and cyber-attacks. Because of the number of incidents and the alarming statistics released over the years, consumers feel rather insecure when shopping online, and more specifically every time they need to enter their card details. Recent high-profile data breaches have dented consumers' confidence, and that feeling of insecurity during a transaction has in turn reduced the number of purchase transactions. Businesses need to ensure that all necessary steps are taken to secure their customers' data so that they can eventually win back that trust.

“Modern society depends on trust more than we realise, and the basis for that trust is security. The trick, says the security guru, is preserving the forces that allow us to trust one another, while also knowing who not to trust” Bruce Schneier, Renowned Security Technologist. 

For businesses, and more specifically all merchants across the globe, the Payment Card Industry Data Security Standard (PCI DSS) sets out a common security standard. The PCI DSS lays down the fundamental groundwork for merchants to step up and achieve an acceptable level of security while protecting their customers' data. This is achieved by following the PCI DSS requirements to the letter and by engaging specialised people who are not simply auditors, but trained and approved Qualified Security Assessors (QSAs). It is very hard to achieve 100% security, or to treat security as an out-of-the-box product. It is an ongoing process applied across many disciplines and at different levels according to the needs, the requirements and the goals set forth. In other words, security needs to be considered and treated as:

"The state of being or feeling secure, by having the ability to avoid being harmed at an irrecoverable level, by any risk, danger or threat, when/for protecting a specific asset" Dr. Grigorios Fragkos, Senior Information Security Consultant, SysnetLabs.

A business's level of security needs to be resilient to an evolving world of cyber-threats, frequent hacking attempts, new emerging technologies and threats against outdated systems, to mention but a few. For that reason, the Security Standards Council, in an attempt to further protect businesses and consumers, has released the PIN Transaction Security Standard (PTS). The PTS standard enables Point of Interaction (POI) vendors to develop and bring to market devices that offer protection against such evolving attacks. As a precautionary measure, the Council mandates that these POI devices must have a lifespan of six years after the retirement of the security requirements against which they were validated. Given the ongoing nature of security, this predefined lifespan indicates that such devices may no longer withstand the latest generations of attacks, and therefore need to be replaced as soon as feasible.

Consequently, businesses and merchants not only need to follow the PCI DSS requirements in order to ensure the security of their customers' data, but also need to be aware of other factors affecting their overall security posture, such as the expiry of Point of Sale (POS) and POI device approvals. For further information, the Council provides a complete list of PTS devices with expired approvals here

Sysnet Global Solutions provides a complete range of information security consultancy and assurance services. At Sysnet we always try to think outside the box when it comes to security, and more specifically when it comes to compliance; a special focus for us is the various Payment Card Industry (PCI) standards, where we use pragmatic, risk-based solutions to help acquirers, independent sales organisations (ISOs), global financial institutions, payment service providers and merchants across all industries achieve and maintain their compliance. To learn more about our Consulting Solutions or for more information about our services, please visit Consulting Services or email

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here
