They say that rather than following trends, you should create them. But new trends can also be formed from past experiences. As we reflect on 2015’s payment trends and look ahead to 2016, the New Year brings with it the promise of new beginnings. Big topics like EMV and malware covered most of what happened last year, and they also shape the frame of the payments world for 2016.
Bluefin’s Part 3 of the 2015 payments wrap-up focuses on trends for 2016 – Cybersecurity Across Organizations, Securing Omni-Channel Payments and Tokenization.
1. Cybersecurity – An Evolution Across Organizations in 2016
In a recent interview conducted by BankInfoSecurity, Lance Hayden, Managing Director at the Berkeley Research Group, was asked to sum up 2015 in just three words. Without hesitation, Hayden answered, “wake up call.”
2015 has indeed been a wake-up call for any organization accepting electronic payments. Retailers, insurance companies, universities, and government entities alike fell victim to massively damaging data breaches caused by thieves hacking into their Point of Sale (POS) systems and stealing credit card data. There was no warning, and most of the companies did not even know their network had been hacked until the proprietary information of thousands, if not millions, of their customers was already stolen. The breached organizations quickly had to shift to damage control, spending millions on data breach recovery to the tune of $159 to $174 per record, as reported in the Ponemon Institute’s 2015 Cost of Data Breach study.
Meanwhile, the devastating breaches were heavily reported, spreading throughout the public sector and marking 2015 as the year that data breaches rose to epidemic status.
The breaches of 2015 have led organizations to a new way of thinking (aka trend alert) about how they incorporate cybersecurity into their overall corporate strategy.
No longer will IT be left holding the bag from a failed security plan. The noise that comes after a data breach is much more external these days – public scrutiny, fines, press, regulatory involvement – and the accountability now goes all the way to the top of the organization. Executives and board members are realizing that they too are held accountable in the event of a breach, and as a result, organizations will be more aware of the reliability from a business perspective.
Hayden explains in his interview “Cybersecurity as a Competitive Advantage” that executives who may not have once understood the importance of security are becoming aware of it and are starting to make a direct connection between business and security requirements. The organizations that have this vision will use cybersecurity to differentiate themselves from their competitors.
“Security needs to be a part of the corporate enterprise strategy, which means security needs to be part of what the organization uses to competitively differentiate itself from other organizations,” Hayden says. “We’re going to see some companies that get really better at defending themselves, and we’re going to see other companies that get better not only at defending themselves, but at leveraging what they’re doing in that regard to actually compete in the marketplace.”
2. Securing Omni-Channel Payments
Even though EMV adoption has been slow out of the gate, and the debate continues over how effective the U.S. version of EMV (chip and signature) is versus Chip and PIN (used in Europe), EMV is doing its job of deterring fraud attempts for card present transactions. In 2016, we should expect to see merchants continue to adopt an EMV strategy, but the jury is still out on how big of a fraud decrease we will see.
In the minds of hackers, EMV adoption is the perfect time to focus on an alternative avenue for fraud – card not present (CNP) and ecommerce transactions. We learned of many successful malware hacks on retailers in 2015, and data breaches will continue to trend in 2016 unless technologies like PCI-validated point-to-point encryption (P2PE) are implemented.
P2PE secures all omni-channel POS systems – brick and mortar payments, over the phone, mobile or tablet, as well as payments made via a kiosk or an unattended device – and encrypts the card data within the point of entry device (where the card is swiped or dipped), rendering the card data useless to hackers trying to steal it by using malware to break into POS systems. Technologies that encrypt card data are key to preventing CNP fraud that results from hackers using card information stolen from a POS. If you can’t get the credit card data from a retailer, then you can’t use that credit card data to purchase online – it’s as simple as that.
3. Tokenization – Protecting Stored Data
As payment choices continue to expand, technology will attempt to keep pace by offering new data security tools to stop the ever-adapting cyber criminals. It’s a tough road ahead, as statistics show that the criminals are continuing to find ways to win over payment technologies put in place to stop them.
As of yet, there is no one solution to prevent credit card fraud, but many experts are suggesting a multi-layered approach to data security and fraud protection that includes tokenization. And as we saw with new payment methods such as Apple Pay, tokenization extends beyond credit card payments to alternative payment schemes.
But in credit card processing specifically, storing customer credit and debit card numbers “in the clear” opens merchants and enterprises up to huge potential for hacking and fraud. Tokenization has become an increasingly popular technology for protecting sensitive cardholder data “at rest.” Tokenization works by removing the PAN (primary account number) from the merchant’s POS system and replacing it with a “token,” a random character string that takes the place of the actual card number, rendering the data useless to criminals. A recent First Data study explains that tokenization:
“Vastly reduces a merchant’s risk if a data violation occurs. Customer payment data housed in back-end systems by merchants is one of the main opportunities for data breach. Criminals can insert malware to extract large amounts of sensitive cardholder information. For example, in 2010, 49 percent of almost 800 breach investigations were attributed to malware. The tokenization process eliminates actual cardholder data from entering a merchant’s environment after a transaction has been authorized. If a merchant’s system is breached, the criminals would get the token numbers, which are useless gibberish to a fraudster and cannot be monetized.”
Tokenization complements both EMV and PCI-validated P2PE, providing the strongest, multi-layered strategy to protect card data.
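The tokenization flow described above, shown as an added example (not Bluefin’s or First Data’s code): a toy in-memory vault stands in for the tokenization provider, and the merchant keeps only the token. `TokenVault`, `merchant_record` and `leaked_pans` are hypothetical names, and the card numbers used with it are constructed test values.

```python
import hashlib
import hmac
import secrets


def luhn_ok(value: str) -> bool:
    """True if value looks like a PAN: 13-19 digits with a valid Luhn check digit."""
    if not value.isdigit() or not 13 <= len(value) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(value)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault; it runs outside the merchant environment."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._pan_by_token = {}   # a production vault would encrypt these values
        self._token_by_mac = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        mac = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if mac not in self._token_by_mac:
            # The token is random, so it cannot be reversed without the vault.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_mac[mac] = token
            self._pan_by_token[token] = pan
        return self._token_by_mac[mac]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, order_id: str, pan: str) -> dict:
    """What the merchant stores after authorization: token and last four only."""
    return {"order": order_id, "token": vault.tokenize(pan), "last4": pan[-4:]}


def leaked_pans(records: list) -> list:
    """Model a breach of the merchant store: which stored values are usable PANs?"""
    return [v for r in records for v in r.values() if luhn_ok(str(v))]
```

Because the same PAN always maps to the same token, the merchant can still recognize a returning card or issue a refund without ever holding the card number.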
And that wraps up our review of 2015 and what’s to come in 2016. For more information on how to protect your card data, check out Bluefin’s PCI-P2PE, tokenization, and cybersecurity solutions today, and we’ll talk more in 2016. Happy New Year!