Payment data security: What to know and how to protect your business

The threat is evolving. Can you evolve and meet the challenge?


Retailers are under attack, and criminals want their payment data. As recent headlines attest, hackers and thieves are evolving, and they’re gaining access to millions of credit and debit card accounts each year. According to Trustwave’s 2013 Global Security Report, 96 percent of all data breaches have targeted customer records such as payment card data and email addresses. More than 69 percent of attack victims have been businesses in the retail, food and beverage industries.


So how can retailers solve this problem? Ken Harris, general manager of global payments at NCR, provides some answers.


Q: Who has been most vulnerable?


A: More than 73 percent of data breach victims have been in the United States, according to the Trustwave report. There are two primary reasons for this trend: 1.) there are simply more credit and debit cards in the U.S. than anywhere else in the world, and 2.) the U.S. has been slow to adopt EMV chip and PIN technology that provides additional card security. U.S. cards instead use magnetic stripes that are easily compromised.


Q: How do these criminals operate?


A: These aren’t amateur hackers we’re confronting. They are very sophisticated criminal rings that are constantly evolving their strategies and techniques to outsmart retailers and foil payment data security. The process typically begins with one group that gains access to a retailer’s system. They then sell that access information to a group that maps the retailer’s network. That information is then sold to malware developers, who in turn sell memory-scraping malware to criminals that monetize the operation through credit card fraud.


Q: Are there any quick fixes?


A: Many believe that point-to-point encryption (P2PE) will solve all problems, but truth be told, it’s not a silver bullet. The real problem is access to retailers’ networks. Sure, P2PE will make it hard for criminals to decipher credit card data if it’s stolen. But the fact remains that if they accessed that information—despite being encrypted—they still compromised the retailer’s network. Instead of focusing solely on P2PE, retailers should also look at all network, firewall and remote access settings and procedures. Monitoring these issues would prevent about 95 percent of all data breaches, because if thieves can’t get in and out of your network, then they can’t steal your payment data.


Q: How can retailers manage payment data security in the future?


A: Each retailer needs to create an internal group of people who are stakeholders in security for their company. They need to meet on a regular basis, talk about current threats, and create a plan of action should a breach occur. That plan should constantly evolve, because the threats are always evolving. As soon as you let your guard down, you’ll be in the headlines.


Look for Part 2 of this blog series coming soon, where we will go in-depth on the “Four Rings of Payment Data Security,” and provide additional tips and best practices. In the meantime, if you’d like additional insight and analysis into payment data security, contact Ken Harris at