To do a better job of payment security, web retailers should take steps to keep payment card data outside of their internal network, CyberSource says in a new report.
Even with payment data encryption and compliance with industry security standards, web merchants are still at risk and need to rethink their approach to payments security, says a new white paper from CyberSource Corp.
Today Payment Card Industry standards and encryption provide a framework for how merchants can securely store and transmit payment card account data to keep it out of the hands of criminals. But there also are inherent problems in what CyberSource vice president and global services and payment security practice founder Dave Glaser calls “lock down” payments processing. “If you’re like most companies, payments data is spread throughout your organization,” Glaser writes in the white paper, “Enterprise Payment Security 2.0.” “In effect, you have a pipeline of payment activity that intersects multiple business processes throughout the order management lifecycle, and toxic payment data is littered at every point of this process.”
With present payment systems that emphasize encryption, retailers still are only partially protecting sensitive customer information. “Where all the payment data flows, 71% of companies don’t have an accurate inventory of where personally identified information is stored,” writes Glaser. “Even if you encrypt the data and it is stored in your shop, someone still has access.”
To do a better job of protecting sensitive customer information, retailers should take steps to keep payment card data outside of their internal network. One such safeguard is tokenization, which substitutes placeholder characters for part of the account number the retailer stores, while the complete number is maintained off the retailer’s network by a processing network such as CyberSource. Other precautions include outsourcing procedures such as chargeback recovery and placing customer payment acceptance forms on web pages hosted by third-party payment processing providers.
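The following is an added illustration of the tokenization arrangement described above; it is not code from CyberSource or from the white paper. It models a vault service that holds the full card number outside the merchant's systems, and a merchant order store that keeps only a token ending in the card's last four digits. The class names (`TokenVault`, `MerchantOrders`), the token format and the sample card numbers are all constructed for this example.

```python
"""Added example (not from the article or the CyberSource white paper):
a minimal model of payment-card tokenization. The merchant stores only
a token; the full primary account number (PAN) lives in a separate vault
that stands in for the processor-hosted network the article describes.
All names and sample numbers here are constructed for illustration."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Sanity check that a string looks like a card number (Luhn mod-10)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical off-network vault: the only place the full PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for the PAN; the token reveals only the last four digits."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random prefix, so the token cannot be reversed without the vault.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. for a refund) can map a token back to a PAN."""
        return self._pan_by_token[token]


class MerchantOrders:
    """The retailer's order store. It records tokens, never card numbers."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = []

    def record_order(self, order_id: str, pan: str, amount: str) -> str:
        # The PAN is handed to the vault immediately; only the token is kept.
        token = self.vault.tokenize(pan)
        self.orders.append({"order_id": order_id, "token": token, "amount": amount})
        return token

    def contains_card_numbers(self) -> bool:
        """Inventory check: does anything in the order store look like a PAN?"""
        pan_like = re.compile(r"\b\d{12,19}\b")
        for order in self.orders:
            for value in order.values():
                if isinstance(value, str) and pan_like.search(value):
                    return True
        return False


if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantOrders(vault)
    # Constructed sample card number, widely used as a test value.
    tok = merchant.record_order("ord-1", "4111111111111111", "19.99")
    print("merchant stores:", merchant.orders)
    print("merchant holds card numbers:", merchant.contains_card_numbers())
    print("vault resolves token to:", vault.detokenize(tok))
```

The point of the split is that a compromise of the merchant's order store yields tokens that are useless without the vault, and the `contains_card_numbers` scan is the kind of inventory check the 71% figure above suggests most companies lack.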
By taking additional precautions beyond encryption, both the merchant and the customer are more secure. “Enterprise payment security is about brand protection,” writes Glaser. “In the most simple terms, payment data has become a brand liability. To protect your brand, you must separate it from toxic payment data.”