10 Years of Payment Security

Given the vast amount of consumer data held by companies in the hospitality, restaurant and retail industries, it comes as little surprise that they are heavily targeted by hackers. According to the 2014 Trustwave Global Security Report, retail was the top category targeted by criminals, with 35% of all attacks reported that year. Food and beverage was second with 18%, and hospitality third with 11%. And cybercriminals are not just focused on large brands, despite the high-profile breaches we've seen among them in recent months, from Target to Wendy's. Smaller franchises face the same risk, as evidenced by a recent cyber-attack at Noodles & Company. In fact, according to a survey by Nationwide, nearly half of cyber-attacks worldwide were against small businesses.

As cybercriminals become increasingly sophisticated, and new and emerging technologies change the way consumers pay, the U.S. payment security landscape is forced to evolve dramatically and quickly. To address the pervasive threat of cybercrime among small businesses by raising payment card security awareness, the PCI Security Standards Council and the National Restaurant Association partnered to create the Small Merchant Taskforce in 2015. This September marked 10 years since the PCI Security Standards Council held its first North America Community Meeting to discuss its mission to foster secure transactions globally. The Council also released additional guidance to help smaller merchants navigate the requirements and create an environment for secure payment transactions. Refer to the Council site for more information on this guidance.

The industry has come a long way in a decade. Visa, for instance, first detected potential fraud globally in real time in 2005 and required PIN encryption at retail terminals and ATMs in 2010. In 2014, EMVCo released the first version of an industry-aligned specification for tokenization (the practice of replacing an account number with a substitute value). And today, businesses are grappling with the shift to EMV terminals.

So, what’s next for payment security?
  • Geolocation: Retailers have used geolocation technology to provide localized deals and coupons to consumers to drive foot traffic and purchases in-store. But how can geolocation be used for security purposes, too? We’re seeing credit card processors—including Mastercard and Visa—roll out technologies aimed at verifying a consumer’s location at checkout using data from their mobile devices.
  • Biometrics: Consumers are no strangers to fingerprint authentication in mobile payments with the rise of Apple Pay and Samsung Pay. Banks and mobile payment processors are now also exploring biometrics like voice and facial recognition to provide an additional layer of authentication. For instance, both Mastercard and LogMeOnce have developed “selfie” authentications, requiring users to snap a photo in real time to confirm their identity.
  • Tokenization: Tokens replace identifying information containing personal data (e.g., credit card numbers) with a random string of characters. The PCI Council is now considering tokenization for the future version of the PCI DSS guidelines, as it is coming to the forefront as a potentially widespread technology to help merchants address vulnerabilities in their networks.

To read more about what was discussed at the 10th annual PCI Community Meeting, including the evolution of payment security and industry collaboration and advancement priorities, click here.

How do you think payment security will evolve over the next decade?