As if the recent data compromises affecting more than 115,000,000 cardholders among Target, Neiman Marcus, Michaels, Aaron Brothers, Marriott and Sheraton, to name a few, are not enough, experts are predicting data breaches may increase in 2014.[1] Are your payment security measures as strong as they could be? Wash away all the marketing hype and hyperbole, and learn why TrustCommerce clients rest well, knowing that their customers’ data is secure. These best practices protect payments and reduce the risk and liability associated with accepting electronic payments.
1. Utilize Point to Point Encryption (P2PE) to Transmit Data Securely
Data is useless if it can’t be read. TrustCommerce has been encrypting sensitive cardholder data for our clients since 2001 and supports point-to-point encryption (P2PE) through the use of encrypting devices. Why is P2PE important? It protects payments in transit – from the initial swipe, or key entry, to settlement. With TrustCommerce’s integrated software solution, payment processing is not possible without the TrustCommerce key-injected point-of-sale (POS) device, helping to prevent “malware” attacks. With P2PE:
- Cardholder data does not enter the merchant environment
- The merchant does not hold the keys to decrypt the data
2. Use the Right Hardware
TrustCommerce is an advocate of SRED (Secure Reading and Exchange of Data) devices with hardware encryption and supports several different hardware encrypting devices from major manufacturers. Encrypting at the card reader is more secure than software encryption and protects against the POS RAM-scraping malware used in the recent data breaches. For back office and call center environments, encrypted 10-key devices are strongly recommended so that card information is encrypted as it is keyed into the system. These encrypting devices are separate from the user's keyboard, where keystroke-logging malware can reside.
The key is to encrypt the cardholder data at the earliest point of the interaction. Remove the data, and you remove the risk and liability with it.
3. Combine Tokenization with P2PE
Tokenization is a great complement to P2PE. It replaces sensitive Primary Account Number (PAN) data with a unique identifier known as a token, which, as long as the token is derived independently of the PAN data, is useless to anyone who may intercept it. Merchants can use the token to facilitate on-demand, subscription, or recurring transactions without the risk or liability associated with storing the sensitive PAN data, which is stored securely in TrustCommerce’s encrypted environment. Once generated, payment tokens are used as if they are the actual primary account numbers or cardholder account numbers (CHAN) for any supported payment types.
TrustCommerce has taken the responsibility of storing, managing and protecting sensitive cardholder data through tokenization since 2001, enabling our clients to reduce their exposure, liability, risk and cost of PCI DSS compliance. TrustCommerce was a market leader in utilizing this innovative approach, which through research, development, and experience has matured to the most robust solution.
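The point above that a token is only useless to an interceptor when it is derived independently of the PAN can be shown with a small vault model. This is an added illustration, not TrustCommerce's code: the vault, merchant and test card number are hypothetical, and the token is drawn from a CSPRNG rather than computed from the PAN.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that rejects mistyped PANs before they reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place a full PAN lives."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"status": "approved", "last4": pan[-4:], "amount": amount_cents}


class Merchant:
    """Merchant system: keeps only the token and last four digits."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}

    def store_card(self, customer_id: str, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def recurring_charge(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)


def merchant_holds_no_pan(merchant: Merchant, pan: str) -> bool:
    """True when the full PAN appears nowhere in the merchant's records."""
    return all(pan not in str(rec) for rec in merchant.customers.values())
```

Because the same PAN tokenizes to a different value each time and the merchant's records contain only the token and last four digits, a breach of the merchant database yields nothing that can be charged or reversed into a card number.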
4. Keep Risky Cardholder Data Off Your Servers
To reduce risk in a transaction, one needs to reduce the points at which data is at rest along its journey. For e-commerce merchants this involves a seamless redirect in which data keyed by the customer goes directly to TrustCommerce's servers, keeping sensitive cardholder data off merchant systems. TC Trustee API was designed to let the merchant's payment page post directly to TrustCommerce's servers without redirecting the customer away from the merchant's site. To the customer, it is seamless; for the merchant, the credit card information is never exposed on their systems, reducing risk and liability in the event of a breach. This solution can also reduce PCI DSS scope, because web applications fully implementing TC Trustee API do not store, process, transmit, or even see the payment card data.
Known in the industry as “transparent redirect” or “Embedded API with Direct Post”, TC Trustee API is an embedded feature of the merchant-hosted payment form. TC Trustee API code posts financial transaction field data from the customer browser straight to the TC secure processing platform.
5. Restrict User Access
Although users cannot access customer PAN data within TrustCommerce's encrypted environment, it is still good business practice to limit access to information to only those who need it. To assist our clients, TrustCommerce provides user access controls that the client manages to limit access to our payment solutions. For example, reporting access can be restricted, and reporting and processing can be limited to only the transactions an individual user creates.
6. Educate and Train Regularly
Having strong security solutions in place is imperative, but employees are also critical to ensuring safe business practices. Criminals will continue to grow more sophisticated; therefore, it is important to educate and train employees regularly on proper information security methods. Ongoing discussions help keep your organization security-minded and alert to areas of concern. New and valuable lessons will be learned as details of the recent breaches unfold. Keep the dialogue open and share helpful resources with your teams.
Don’t be a target for a data security breach. Safeguard your organization using the TrustCommerce TC SMART Products detailed in this article. Our integrated solutions protect payments during transmission, processing and storage.