Pay By Group University: Payment Processing for Card-Not-Present Merchants 103
Welcome to the third part of our adventure into payment processing for CNP merchants! We’re starting to get a clearer picture of the benefits and demerits of various processing options and their associated costs. Let’s dive into a topic that’s near the forefront of every business owner’s mind: payment processing security.
Payment processing compliance safeguards businesses against costly fees and boosts your reputation and customer confidence. Even compliant businesses are still at risk of a data breach, and should take steps to insulate their full payment cycle using data protection, tokenization, and end-to-end encryption.
Major data protection measures include these four prominent steps.
- Encryption: All data being sent across public networks should be encrypted, including email, FTP, and phones
- Merchant partner data protection: Since a CNP merchant is responsible and liable for cardholder data shared with business partners, they should ensure that marketing affiliates, fulfillment houses, vendors, etc. are protecting this shared data adequately
- Restricted access to cardholder data: Online merchants should restrict access to cardholder data to only those parties that truly need it, including internal departments
- Secure data storage: CNP merchants should never store cardholder data on their own servers or on a system outside a firewall, and any internally stored data should be encrypted or tokenized
- Transaction routing analysis: Analytics can reveal network vulnerabilities due to redundant routing when multiple payment processors are used
Tokenization is the process of replacing sensitive user data with a benign substitute that is reversible only through the tokenization system itself. It creates substitutes that are infeasible to reverse back to the original data without access to the secure tokenization system. Tokenization reduces the number of components for which PCI compliance is required and protects both consumer information and a business’s reputation from bad actors. Tokenization is an all-or-nothing approach to security and can’t be implemented piecemeal, unlike other security measures. And yet it is not a be-all-end-all solution and must be complemented by additional layers of security to be as effective as possible.
An emerging standard for tokenization technology is EMVCo Tokenization. Ideally it will be a global standard, and it is being developed by credit card companies such as Visa, MasterCard, and more. EMVCo tokenization is an attempt to replicate “smart card” EMV (EuroPay, MasterCard, and Visa) chips for CNP transactions by tokenizing credit card numbers and including a dynamic component to mask sensitive information.
Like its physical counterpart for smart cards, payment terminals, and ATMs, EMVCo tokenization provides businesses with more secure transactions, reduces chargeback risk due to fraud, improves speed to checkout, enhances payment-type acceptance options, and opens new avenues to selling. Customers benefit from better, easier, faster, and more secure payment options across a variety of devices and with an improved user experience at checkout.
Version 1.0 of the EMV Payment Tokenization Specification was published in March 2014 and emphasizes token interoperability using a consistent approach to token routing and authentication and data message formats. It is intended to be compatible with the existing worldwide payment ecosystem and EMV chip specifications to promote a truly global standard.
End-to-end (E2E) encryption
End-to-end encryption works with data tokenization to secure cardholder data through the entire payment lifespan so that businesses never store such sensitive information unencrypted. E2E replaces the relatively typical merchant practice of storing unencrypted cardholder data prior to entering the payment process, which leaves the data vulnerable if a breach occurs. The Target, Home Depot, and eBay breaches of the last two years starkly illustrate the potential outcome of such vulnerability. When E2E encryption is used, hackers and thieves only have access to unusable encrypted information tokens.
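The tokenization and E2E flow described above, as an added example written for this article rather than code from Pay By Group or any processor: the capture point seals the PAN with AES-256-GCM before it touches merchant systems, the vault (a constructed stand-in for the processor's tokenization service) decrypts it and hands back a random token that keeps only the last four digits, and the token-to-PAN map never leaves the vault. The shared symmetric key is an assumption standing in for a real scheme's key provisioning.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Vault stands in for the processor's tokenization service: only it holds the
// AES-256-GCM key and the token-to-PAN map, so only it can recover a PAN.
type Vault struct {
	gcm   cipher.AEAD
	store map[string]string // token -> PAN; reversal is possible only here
}

func NewVault() *Vault {
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	return &Vault{gcm: gcm, store: map[string]string{}}
}

// SealPAN models the capture point (browser SDK or terminal) encrypting the PAN
// before it reaches merchant systems; sharing the vault's key is a simplification.
func (v *Vault) SealPAN(pan string) []byte {
	nonce := make([]byte, v.gcm.NonceSize())
	rand.Read(nonce)
	return v.gcm.Seal(nonce, nonce, []byte(pan), nil) // nonce || ciphertext || tag
}

// Tokenize decrypts inside the vault and returns a token that is random apart
// from the last four digits, kept so receipts can show them.
func (v *Vault) Tokenize(blob []byte) (string, error) {
	n := v.gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("sealed PAN too short")
	}
	pan, err := v.gcm.Open(nil, blob[:n], blob[n:], nil) // any tampering fails here
	if err != nil || len(pan) < 13 {
		return "", errors.New("invalid sealed PAN")
	}
	raw := make([]byte, 8)
	rand.Read(raw)
	token := "tok_" + hex.EncodeToString(raw) + "_" + string(pan[len(pan)-4:])
	v.store[token] = string(pan)
	return token, nil
}
```

A copy of the merchant's database therefore yields only tokens and sealed blobs; without the vault's key and map, neither can be turned back into a card number.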
Additional considerations when choosing a payment processing partner
We’ve touched on the gateway features and processing options that affect a business’s choice of payment processor in previous articles, but the desired end result of such a partnership should also be considered when weighing this decision. Some such perspectives and capabilities a payment processor should possess are:
- Global view of business priorities: Consumers increasingly expect online shopping experiences and special offers to be personalized and extremely relevant to their interests, and only the big data, advanced analytics capability, and one-to-one consumer engagement provided by partners with global reach will optimize profitability in this regard
- Safe & secure purchasing experience: Payment processing partners must be exceedingly transparent about the necessity and security of the information they require from consumers, as any uncertainty in this area creates skepticism and kills consumer confidence
- Chargeback fraud & risk mitigation: Battling fraud is becoming an ever-more-complex proposition as it escalates across emerging payment technologies and channels. Payment processors must have robust chargeback prevention and recovery and fraud and risk management strategies in place, or they risk their business partners’ reputations when data is compromised
- Methods to lower attrition and churn: Since the cost of acquiring new customers is much greater than the cost of retaining existing ones, businesses must ensure that their processing partner helps them provide a seamless and enticing shopping experience and avoids attrition due to unnecessary credit card declines
- Constantly adapting to emerging technology: The pace of innovation and change in omni-channel commerce is only increasing over time, so payment processors should be scalable and flexible enough to adapt to change and support continued business growth. Inflexible, outdated, and otherwise limited processing options will have negative repercussions for the customer experience and, by extension, conversions
Now that we understand the need for and requirements of providing all-encompassing security for businesses that accept card-not-present transactions, and have a sense of the larger perspectives such businesses should entertain when choosing payment processors, we’re coming into the home stretch in our exploration. In our final article we’ll examine recent updates to the PCI standard, the future impacts of EMV technology on CNP commerce, and how businesses can use the information we’ve discussed to weigh the total cost of acceptance. See you there!