payments - Retail Systems

Recommendations

Info

RS 36 RS June - July 2012 roundtable A SB: I think that extends because PCI – and this is another message that’s poorly communicated – is a way of securing your business. Obviously for the larger organisations you have IT departments that protect you day in and day out but as you move down that payments ecosystem to the smaller merchants you don’t have that. The data protection act is going to be a real force here in the UK in terms of fining and forcing public declaration of data breaches, which is going to kill merchants. If they’ve adopted systems being driven by the banks to adopt things like IT and they suffer a data breach in other areas because they weren’t taking the proper precautions, then who are they going to blame? It’s going to be whoever was influencing them down this route, so our view still has to be holistic. Merchants can’t think of internal encryption as absolving them of all responsibility for card data, you’re still going to have to police your staff. That’s the bit that worries me. MG: I think the main issue with changing the way you do things, or de-scoping – whatever you want to call it – is that we’ve seen customers that implemented tokenisation and left their legacy systems in-situ. And so what’s actually happening if you do a scan for credit card data is that you find it on the legacy systems. Technically that system is still in scope even though the new system is totally fine. And again that’s an education problem with merchants. I actually advised on this with larger merchants as well as the smaller ones. GT: Isn’t the issue, as you implement point-to-point encryption or de-scope on e-commerce or your call centre, you’re actually starting to complete different self assessment questionnaires, so it’s quite clear which rules still apply and which do not. So, with point-to-point encryption in the PED, there’s still going to be audit requirements around that but they’re going to be different from a complete SAQ D format. JK: You’re going to simplify your PCI DSS compliance process significantly, provided that you’re using an approved point-ofsale device in a face-to-face environment and all the card data is going through that device. So it does make life a lot simpler if you can use the point-to-point encryption in the face-to-face environment. Even with legacy systems, you shouldn’t have card data in that store. Then you have to make sure you don’t have any card data through people calling you up and complaining or wanting refunds. You should move all the data to your data centre, which are designed to be more secure and they’re easier to audit. In January the European Union produced a proposal on data protection that says you have to inform your information commissioner within 24 hours of a breach. At the moment the law says that if there’s ‘serious harm’ or if it’s a ‘significant breach’ then you must notify, but it doesn’t define what that is. If you have a breach and you’re found to be the cause of that breach, the proposal is that they can fine you two per cent of your global turnover. I think people should be forced to notify if there is a breach because the problem becomes publicised. AY: Jeremy, I remember you saying that on average in Europe there are a couple of breaches a week but they were never reported. So there are a lot of victims out there too. JK: Yes, there are a lot of victims out there. Because governments in different countries say a serious breach must be reported, but they don’t say what a serious breach is. The good thing about publicised breaches is that it persuades of retailers that they need to invest in security because they could be next. AJ: Can we just discuss that there is only one reason for actually needing card data – Connie alluded to it – and that is when you need to bring the information to court. CP: I’ve been told by organisations I’ve worked for that everyone there needed card information to do their jobs. I did the analysis, I talked to the people I needed to talk to and I removed the data without there being a big blow-out about it, nobody picked the phone up and said: ‘I can’t do my job today.’ AJ: Alex, you said that it was key for your organisation to have the data. AH: I made the point that the solutions by payment providers were not fair, so that you could go ahead and not have the data. What we’ve found is that you describe your high level business need, so what you want is a secure transaction but at the end of it you also want to know about transaction rates. In that scenario we want the solution that works for us, we don’t want to lose the customer, we don’t want to force them to re-enter their card number, we want to save that card and that only became available about a year ago. And the reason why we worked towards level one, it was a suspected breach in 2006, that’s how I got to know a lot about the technologies out there. We looked at a lot of payment providers and finally got PayPoint to do what we wanted but only after a very long journey and many years of waiting for them to come up with a solution that works. So you can do tokenisation but not with 3D Secure – which one is the bigger driver? Today I can’t see why a retailer would need to store data, apart from the minor chargeback cash office type transactions, they have to because they get them faxed by a bank. That’s the only time I can think of a full card number validly being held by a business.
GT: So you’ve got the token, you can send the token into the cloud and have the cloud de-tokenise it and read the card data to the bank without the agent listening to that information. AH: But a chargeback when a customer says: ‘I didn’t make this purchase’ the acquirer themselves send you the full card number to query the transaction. That’s the example I was talking about, the only time I can think of that having card data is valid. GT: Again we’ve got to educate the acquirers on this. I know they email you with this information but some of the acquirers are the least PCI compliant organisations. They should be looking at their systems as well because there’s no reason why they can’t provide that information via your cloud tokenised provider – they give you the token and you then have to match to that. Your challenge is as soon as you bring the card data back into your environment that all the advantages of getting to an SAQ A, or an SAQ C, all go out the window because you’re now back into an SAQ D because you’ve now got a process that is managing card data. MG: What Alex was saying obviously has a lot of technical advantages in that it reduces the scope and allows you to do a simpler SAQ. But if you look at requirement 12.A, managing your third parties, and then you look at the proposals of the DPA in the new data protection regulation, it’s putting a lot of emphasis on the fact that in the past the data controller was ultimately responsible. Now the data controller and the data processor can also be held responsible. As Jeremy said, for once in your life you have to read the contract to see where your liability stops and starts. I think that if acquiring banks are going to write to their merchants or to use compliance validation portals to promote outsource solutions for tokenisation and point-to-point encryption and so on, they also need to promote the fact that outsourcing has risks and that needs to be in your risk dashboard and it needs to be fully managed. GT: Well that’s where we have to say: ‘Well done to PCI’ because it’s actually found a way to get that external provider audited on an annual basis and to ensure that they stay compliant between those two audit point. That’s probably one of the best things that’s happened within the security industry because now we do have a standard. JK: If you want to use a service provider who claims they are PCI approved, ask them for their certificate. If they have it they will give it to you because they’re pleased as punch to have it. And if they don’t give it to you, then you just go to another provider. “Make sure your provider is PCI approved. ” AY: I think that’s quite an important point to get across to the Retail Systems readers, because they won’t necessarily know what to look for. If you were going to write a list of the top five things you need to know about PCI, ensuring that your provider is approved or certified is probably up there at number one. roundtable JK: If you’re going to go and deal with a payments service provider, absolutely. Ask them to prove their credentials. AY: So, number one – PCI can be a hassle – outsource it. And number two – make sure your provider is certified. JK: Absolutely. CP: There’s three things that a merchant or a supplier should have; a certificate of compliance, an attestation of compliance and a ROC – record of compliance. This is very important. The middle one, the attestation of compliance is the jewel in the crown because no company will ever give you their ROC because that’s confidential information. The certification of compliance is just a certificate that the QSA can produce but the real gem, that PCI requires to be completed, is the attestation. It tells you exactly what has been audited, what has been assessed, even within the different environments. GT: And the same applies for tool lenders. And with the attestation comes an implementation guide which the QSA has written. So if you’re deploying a certain tool it tells you exactly how it needs to be deployed in your environment to remain PCI compliant. It’s not enough to say that you’ve got an assessed tool there; it’s only if it’s deployed in a certain way that it is compliant. RS June - July 2012 RS 37
Page 1 and 2: Sponsored by awards Celebrating Inn
Page 3 and 4: FIRST CHOICE FOR TECHNOLOGY PURCHAS
Page 5 and 6: RS Editor Karen Moss karen.moss@ret
Page 7 and 8: Standing the test of time A Traditi
Page 9 and 10: Click & Collect elsewhere John Lewi
Page 11 and 12: FOCUS Retail systems multi-channel
Page 13 and 14: challenge against LoveFilm although
Page 15 and 16: Maximise your online revenues by bl
Page 17 and 18: A breathe of fresh air Casio’s ne
Page 19 and 20: Continental style Retail Systems fi
Page 21 and 22: at a glance MAY PayPal’s 15 milli
Page 23 and 24: thoughts from the frontline With th
Page 25 and 26: SBU, Wipro Technologies, says: “W
Page 27 and 28: contents 26..... Underlying risk Mo
Page 29 and 30: “A more convenient token based on
Page 31 and 32: strategies, says Richard Paterson,
Page 33 and 34: Aqil Nasser, Debenhams’ technical
Page 35 and 36: you’re looking for. So, this is i
Page 37: environment. Anyone who is a servic
Page 41 and 42: soapbox During a time of economic s
Page 43 and 44: While facial recognition technology
Page 45 and 46: type solution within its armoury th
Page 47 and 48: Unpredictable weather patterns are
Page 49 and 50: A subscription to Retail Systems gu
Page 51 and 52: Imagine the scenario - a young fema
Page 53 and 54: Don’t miss out To be kept up-to-d
Page 55 and 56: direct commerce software D I R E C
Page 57 and 58: D I R E C T O R Y O F K E Y P L A Y
Page 59 and 60: D I R E C T O R Y O F K E Y P L A Y
Page 61 and 62: Keith Bird is CEO of e-commerce pla
Page 63 and 64: The Fifth Annual Retail Systems Mul

payments - Retail Systems

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?