Executive Insight: 3 Ways Merchants Can Ensure a More Secure 2016
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
For merchants, there is an all too common tendency to “fire and forget” when using security tools. You might have just completed your most recent PCI DSS (Payment Card Industry Data Security Standard) assessment, installed new antivirus software, or added EMV. While each of these solutions can offer fortification to your business’ overall security practices, it’s a mistake to think that security is something that can be achieved with a single validation, update, implementation, or the addition of a new process. This issue can also be compounded if a security solution is part of a third-party technology because you may be unfamiliar with these technologies or the requirements for their proper implementation and configuration.
The concept of 100% complete security is a falsehood. Consider your home as an example. Is it secure if you add the most expensive locks to your front and back doors, but then leave your kitchen window open? How strong is the door itself? What if thieves slip in through a side door that you unknowingly left unlocked? The security of payments, as it is in all areas where security needs to be maintained, is a diligent and unending fight. What you need to do is utilize all the tools and practices available to make it so inconvenient for payment card data to be stolen or misused that the bad guys seek easier prey. This is accomplished by using a variety of strong and innovative security solutions combined with daily practices to maintain a consistently secure environment.
As 2016 begins, we encourage you to consider 3 ways that you can reduce your risk and better secure consumers’ payment card data. As always, we’re here to provide guidance as well as the industry’s strongest payment security tools. Here are a few ways that you can assure that consumers’ payment data is as secure as it can be:
- Layer payment security tools to minimize risk.
There is no silver bullet for data security. That’s one of the reasons we’ve designed our security tools to layer on top of each other. All of the following solutions are available with our DOLLARS ON THE NET® payment gateway. Individually, each tool serves its own specific purpose to shrink the scope of your PCI DSS assessments as well as the risk of experiencing a breach. When used together, they create a much larger security toolbox.
True P2PE™ – True P2PE encrypts all cardholder data (CHD) at the point it first interacts with a payment device, keeping all point of sale (POS), property management systems (PMS), and payment processing environments free from the burden of storing CHD. This leaves nothing but your secure payment devices in scope for PCI DSS assessments. At card-present points of sale, including mobile points of sale, True P2PE assures that CHD never enters your payment processing environment, helping to eliminate significant amounts of vulnerability.
TrueTokenization® – TrueTokenization replaces sensitive CHD with a random, alphanumeric value called a TrueToken® to simplify PCI compliance and assure that CHD is never stored in your payment systems. Combined with True P2PE, TrueTokenization allows the business operations that once required payment card data to remain intact while assuring that you never store, process, or transmit sensitive CHD.
4tify®, Tokenization Your Way® – Shift4 has adapted our security solutions, including TrueTokenization, to secure the most card data touchpoints in the payment industry. Often times, Shift4 has solved payment security problems that our competitors haven’t even considered yet. When configured and used correctly, the following solutions can provide an additional layer of security for every card data touchpoint in your payment processing environment:
- 4Go® is a patented, Payment Application Data Security Standard (PA-DSS) validated software application that provides an additional layer of security at the Windows driver level to assure that sensitive CHD doesn’t enter your POS application from physical points of entry (i.e., card swipe or dip). 4Go has the ability to work in concert with True P2PE for even greater security, and may help extend the life of non-compliant POS and PMS systems by becoming the system of record for PCI compliance purposes.
- i4Go® protects Web-based or Web-enabled e-commerce and omni-channel environments from falling victim to hackers by intercepting CHD and replacing it with a TrueToken before it enters your Web server, a hosting provider’s system, and your POS or PMS systems used in card-not-present or call center scenarios.
- 4Res® is used primarily by hospitality merchants to remove CHD from a central reservation system and/or global distribution system and replace it with a TrueToken before it enters a merchant’s PMS, keeping the environment free of sensitive CHD.
- 4Word® is a service used together with TrueTokenization that allows a merchant to securely share accepted payment card information with a trusted third party (i.e., another merchant) to process one-time payments on a consumer’s behalf. 4Word keeps the payment processing environment free of sensitive CHD and fully logs all applicable card activity, even if that third-party merchant is not a Shift4 customer.
EMV – The purpose of EMV chip cards is often misunderstood. EMV is not a true security tool, but rather an authentication method at the payment card level, that individually validates the payment card to help protect you from having to shoulder the liability for certain types of payment card fraud. DOLLARS ON THE NET supports the processing of EMV chip cards and also provides the tools you need to prevent CHD from entering your payment systems.
- Vet the tools and operations throughout your entire environment often.
You can implement as many security tools as you like, but it’s essential that you vet the tools and operations within your own environment first and check in on them regularly to ensure that you are secure and PCI compliant. Are you properly segmenting your networks? Are you updating your software solutions and patching them on a regular basis? If you haven’t assured that CHD cannot enter your payment systems, then a forgotten server, poorly secured entry point, or weak password can become a pathway for skilled hackers to enter that system and steal CHD. Be sure that the individual you are relying on to maintain the integrity of your operating environment has the ability and clearance to make informed decisions.
- Consult the PA-DSS implementation guides to ensure all tools are being implemented and used according to PCI guidelines.
When you install new solutions or update existing ones, make sure that the prerequisites are understood and applied according to the PA-DSS implementation guides. These implementation guides are the “PCI gospel” and provide in-depth detail about how your business can implement a payment application securely and accurately, as well as your responsibilities for maintaining security in order to be PCI compliant with a particular security technology.
As explained in the PCI DSS, securely implementing payment applications is a key way for merchants to ensure that they have a compliant environment:
“Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide provided by the payment application vendor (per PA-DSS Requirement 13.1).”
These implementation guidelines are an essential part of your PCI DSS compliance. And, although we recommend taking further steps to maintain an environment that provides Security Beyond Compliance®, being compliant is the minimum standard to meet prior to exceeding it.
Many of our merchant customers have already implemented all of these security tools in order to close that “side door,” making the bad guys move on to other targets where they can more easily find and exploit weaknesses. When employed together and properly configured, our full suite of security solutions help you move into a security framework where CHD doesn’t reside in your payment processing environment, making it incredibly time consuming and inconvenient (if not nearly impossible) for hackers to steal CHD. After all, They Can’t Steal What You Don’t Have®.
At Shift4, we continue to make it harder for the bad guys to steal CHD. In addition to offering the most innovative and efficient accounting, auditing, and reporting features, we provide the latest security solutions so that it’s easier for you to be secure (and by extension compliant) while still performing business as usual. But like most things these days, you need to routinely check in to ensure that all is still well with the world as it relates to your payments. The fortification that works perfectly today may have a chink in the armor as time goes on if you are not performing regular checks on your environment. The need to help maintain merchant payment security is one of the primary reasons Shift4 continues to innovate and perfect our services and why we offer so many layers of security technologies. With today’s hackers being organized and even backed by nation states, false nation states, and terrorist organizations, maintaining the security of your payment-processing environment isn’t just harder, it’s more important than ever before.
Remember, rather than an achievable end goal to meet, it’s more accurate to think of security as a constantly moving target. You need to have vigilance and rely on payment solution providers who are vigilant, too. We are here to support you in your payment security and compliance efforts, so if you need any help or guidance at all, just ask.