We all know the dates. Black Friday. Cyber Monday. Small Business Saturday. Free Shipping Day. For any retailer or merchant, these are the “business holidays” that can mean major sales and major traffic. But while the revenue is welcome, the steady flow of payment card transactions tends to attract hackers.
That’s worth thinking about given that many customers will be paying with their phones this year, either by purchasing through an app or by using the phone itself as a payment device in a brick-and-mortar store. Remember, today’s consumers expect mobile convenience from businesses, but they expect mobile security too. Any organization that wants a competitive advantage in the marketplace must offer strong cybersecurity: customers are savvier than ever about data theft, and many of them do their homework on which businesses to patronize.
What that means for you is that protecting customer data when accepting mobile payments should be a top priority, if it isn’t already. You might need to beef up specific security controls and check that your frontline staff are trained on the right procedures. You’ll definitely need to be aware of the latest mobile payment techniques and understand how to process them safely on your end.
Today let’s talk about the basics of mobile payment security. Since it’s a safe bet that some of your holiday sales will come from smartphones, it’s a smart idea to make sure you’re strong in the following areas:
- Get cardholder data off the customer’s phone the moment it’s entered, and keep it out of your own systems wherever you can. Ideally the card data goes straight to your payment gateway, which tokenizes it so that only the token ever reaches your infrastructure; your application stores and uses the token and never holds the card number itself. Whatever sensitive data you do keep should live as close to where it’s used as possible: house the applications that process it on a different server from the database that stores it, with layers of access control and auditing in between, and better still put the database in its own security zone, with no direct access to the Internet and a stateful packet inspection firewall separating it from the application tier. Also helpful: query auditing, with alerts on unusual queries, unexpected principals and other anomalous events.
- As you know, at FireHost we’re all about multiple layers of security. Here’s one reason why: mobile payment apps talk to your servers over networks you don’t control, so TLS (SSL) configuration and the handling of web responses are frequent weak points. That makes encryption, memory isolation, certificates, and sandboxing all smart precautions. Memory isolation keeps each process’s memory separate, so one program cannot read or corrupt another’s data. A TLS certificate lets the client verify the server’s identity before the encrypted session is established, so the app knows it is talking to your gateway and not to an interceptor; that identity check is also a confidence booster for customers. Sandboxing confines running application code to a limited environment, separating its data and operations from unrelated processes and data, which is especially useful for protecting servers and their data from potentially destructive changes or untested code.
- Finally, encryption is always a smart idea when it comes to mobile payment security. Just be sure you’re using strong algorithms and sound key management: keys belong in hardware or a managed key store, never alongside the data they protect and never inside the app itself. Point-to-Point Encryption (P2PE) solutions are especially valuable for payment card data, a simple step with a far reach. Card data is encrypted inside the validated card reader at the moment of swipe, dip, or tap, before it reaches the phone or any of your systems, and only the P2PE provider’s decryption environment can open it, so the risk of interception along the way is greatly reduced. Another benefit of a validated P2PE solution: your PCI DSS compliance scope shrinks, because systems that only ever handle the encrypted data fall out of scope.
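As an added illustration of the query auditing and alerting described in the first bullet above (this is example code, not FireHost’s tooling or anything from the original post), here is a small detector in Go that reads database audit lines and raises alerts when the cardholder tables are touched by an unexpected account, from outside the application zone, by an unfiltered read, by a query returning an implausible number of rows, or by a schema or privilege change. The log line format, the table names, the `app_svc` account, the 10.0.2.0/24 application subnet and the sample lines are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// AuditEvent is one parsed line of a constructed, hypothetical audit log format.
type AuditEvent struct {
	Time, User, Host, SQL string
	Rows                  int
}

type Alert struct {
	Reason string
	Event  AuditEvent
}

// Policy describes what normal access to the cardholder tables looks like.
type Policy struct {
	Sensitive    *regexp.Regexp  // tables holding tokens or customer PII
	AllowedUsers map[string]bool // service accounts allowed to touch them
	AppSubnet    *net.IPNet      // the only network those accounts come from
	MaxRows      int             // no legitimate query returns more rows
}

var lineRe = regexp.MustCompile(`^(\S+) user=(\S+) host=(\S+) rows=(\d+) sql="(.*)"$`)
// ParseLine turns one audit log line into an AuditEvent.
func ParseLine(line string) (AuditEvent, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return AuditEvent{}, fmt.Errorf("unparseable audit line: %q", line)
	}
	rows, _ := strconv.Atoi(m[4]) // \d+ in the pattern guarantees a number
	return AuditEvent{Time: m[1], User: m[2], Host: m[3], Rows: rows, SQL: m[5]}, nil
}

// Detect parses the lines and returns every alert the policy raises, in order.
func Detect(p Policy, lines []string) ([]Alert, error) {
	var alerts []Alert
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		sql := strings.ToLower(strings.TrimSpace(e.SQL))
		if !p.Sensitive.MatchString(sql) {
			continue // only the cardholder-adjacent tables are watched here
		}
		if !p.AllowedUsers[e.User] {
			alerts = append(alerts, Alert{"unexpected principal on sensitive table", e})
		}
		if ip := net.ParseIP(e.Host); ip == nil || !p.AppSubnet.Contains(ip) {
			alerts = append(alerts, Alert{"query from outside the application zone", e})
		}
		if strings.HasPrefix(sql, "select") && !strings.Contains(sql, " where ") {
			alerts = append(alerts, Alert{"unfiltered read of sensitive table", e})
		}
		if e.Rows > p.MaxRows {
			alerts = append(alerts, Alert{"result set larger than any legitimate query", e})
		}
		for _, ddl := range []string{"drop ", "alter ", "grant ", "truncate "} {
			if strings.HasPrefix(sql, ddl) {
				alerts = append(alerts, Alert{"schema or privilege change on sensitive table", e})
			}
		}
	}
	return alerts, nil
}

// DefaultPolicy is a hypothetical baseline: one service account, one app subnet.
var DefaultPolicy = Policy{
	Sensitive:    regexp.MustCompile(`\b(payment_tokens|customers)\b`),
	AllowedUsers: map[string]bool{"app_svc": true},
	AppSubnet:    &net.IPNet{IP: net.IPv4(10, 0, 2, 0), Mask: net.CIDRMask(24, 32)},
	MaxRows:      500,
}

// SampleLog is constructed sample input, not a real capture.
var SampleLog = []string{
	`2015-11-27T09:12:44Z user=app_svc host=10.0.2.15 rows=1 sql="SELECT token,last4 FROM payment_tokens WHERE order_id=$1"`,
	`2015-11-27T03:41:02Z user=app_svc host=10.0.2.15 rows=48211 sql="SELECT token,last4,customer_id FROM payment_tokens"`,
	`2015-11-27T03:42:10Z user=report_ro host=10.0.9.7 rows=3 sql="SELECT email FROM customers WHERE id=$1"`,
	`2015-11-27T03:50:00Z user=app_svc host=10.0.2.15 rows=0 sql="GRANT ALL ON payment_tokens TO web_anon"`,
}

func main() {
	alerts, err := Detect(DefaultPolicy, SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s  %-48s user=%s host=%s rows=%d\n", a.Event.Time, a.Reason, a.Event.User, a.Event.Host, a.Event.Rows)
	}
}
```

In production the same rules would run against pgaudit, the MySQL general or audit log, or the database’s native audit trail rather than this made-up format, and the baseline (which accounts, which subnet, how many rows is too many) comes from observing normal traffic before the holiday rush, not from guesswork. The first sample line is the everyday lookup and raises nothing; the other three each trip at least one rule.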
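As an added example of the P2PE idea in the third bullet (again, illustration code and not any vendor’s implementation), the Go program below models the three parties: a card reader that encrypts the card data under a device key the moment the card is read, a merchant app that only forwards the opaque blob, and a gateway that decrypts inside its own environment and hands back a token plus the last four digits. AES-256-GCM with a random nonce and the reader ID as associated data is the strong-algorithm choice; the HMAC-based per-reader key derivation stands in for the DUKPT-style schemes real P2PE solutions use and is labelled as such in the code. The reader ID, the `4111111111111111` test PAN and the in-memory vault are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob is what leaves the reader; the phone and the merchant server only forward it.
type Blob struct {
	ReaderID   string
	Nonce      []byte
	Ciphertext []byte
}

// Gateway stands in for the P2PE provider's decryption environment.
type Gateway struct {
	baseKey []byte            // never leaves the gateway
	vault   map[string]string // token -> PAN; in practice an HSM-backed store
}

func NewGateway() *Gateway {
	return &Gateway{baseKey: randomBytes(32), vault: map[string]string{}}
}

// readerKey derives a per-device AES-256 key. Real P2PE uses DUKPT or similar;
// HMAC(baseKey, readerID) is a simplified stand-in that keeps the property that
// matters: one reader's key reveals neither the base key nor another reader's key.
func (g *Gateway) readerKey(readerID string) []byte {
	m := hmac.New(sha256.New, g.baseKey)
	m.Write([]byte("reader-key:" + readerID))
	return m.Sum(nil)
}

// Reader models a validated card-reading device; its key is injected at
// provisioning and held in tamper-resistant hardware, never on the phone.
type Reader struct {
	ID  string
	key []byte
}

func (g *Gateway) ProvisionReader(id string) *Reader {
	return &Reader{ID: id, key: g.readerKey(id)}
}

// Capture encrypts the card data at the moment of swipe, dip or tap. The reader
// ID is bound in as associated data so a blob cannot be presented under another
// device's identity.
func (r *Reader) Capture(pan, expiry string) Blob {
	nonce := randomBytes(12)
	ct := gcm(r.key).Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(r.ID))
	return Blob{ReaderID: r.ID, Nonce: nonce, Ciphertext: ct}
}

// Tokenize decrypts inside the gateway and returns only a token and the last
// four digits, which is all the merchant ever stores.
func (g *Gateway) Tokenize(b Blob) (token, last4 string, err error) {
	pt, err := gcm(g.readerKey(b.ReaderID)).Open(nil, b.Nonce, b.Ciphertext, []byte(b.ReaderID))
	if err != nil {
		return "", "", errors.New("gateway: blob rejected (tampered or wrong reader)")
	}
	pan := string(bytes.SplitN(pt, []byte("|"), 2)[0])
	if len(pan) < 13 {
		return "", "", errors.New("gateway: malformed PAN")
	}
	token = hex.EncodeToString(randomBytes(16))
	g.vault[token] = pan
	return token, pan[len(pan)-4:], nil
}

// gcm builds an AES-256-GCM AEAD; both constructors fail only on a bad key size.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG is not something to continue past
	}
	return b
}

func main() {
	gw := NewGateway()
	blob := gw.ProvisionReader("reader-0042").Capture("4111111111111111", "12/27") // test PAN
	fmt.Println(gw.Tokenize(blob))
}
```

The scope-reduction argument follows directly from the structure: the phone and the merchant code path never hold a key that can open the blob, so they only ever handle ciphertext and tokens. Note also what the gateway rejects: a blob whose ciphertext was altered in transit, or one re-labelled with a different reader’s identity, both fail the GCM authentication tag and never yield a PAN.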
That’s a good start to getting your systems in shape for the rush of holiday cybersales. In Part II, we’ll talk about the role of tokenization in mobile payment security, particularly how it’s being used alongside biometric tools and encryption to offer a stronger level of risk reduction that benefits both you and your customers.