With COVID-19 we are seeing a shift from bricks and mortar to e-commerce, particularly in the retail sector – James Reynolds takes a look at what companies can do to ensure they are PCI compliant and online payments are protected.
As companies look at how they will continue to trade during the pandemic, many are seeing e-commerce as the only viable option to stay in business. However, there are those that are moving into the online space without adequately planning their security.
At the start of the lockdown we saw businesses in the retail sector shift their business online in as little as two weeks, which has led to growth in associated logistics industries. There has also been rapid growth in sectors such as online gaming, which now rely on e-commerce channels to stay afloat.
This has had an impact on the global payments landscape.
Cardholder-present transactions have seen a big decline, whereas online payments are seeing a sharp increase. Countries such as Germany, which have always relied on cash, have boosted contactless payments. Open banking is becoming a reality.
There will be further changes ahead as the global recession kicks in, global spending declines and businesses rush to win online business. The trade-off between speed to market and protecting cardholder data has never been greater.
- Be aware. Threats are still the same if not greater — Fake PPE domains and COVID-19 phishing emails are a reality and will increase in number. It’s important that you have the technology and processes in place to monitor this and that your team is fully aware of the risks. As many as 153,801 malicious COVID-19-themed domains were registered using forged or fake SSL certificates by April 28, 2020* and Google is blocking 18m COVID-19 malicious phishing emails per day.
- Don’t capture payment data yourself — This might be obvious, but businesses must rely on a Payment Service Provider (PSP) to ensure card payment data capture is compliant and your clients are protected. It is easy to redirect your site to a PSP to mitigate risk.
- Use the right technologies — Ensure you have in place endpoint security, penetration testing, web risk monitoring, scanning solutions and card discovery software.
- Be aware of new payment channels — The growth in e-commerce and contactless payments has led to changes in the way payments are being made. For example, we are seeing growth in the use of commercial off-the-shelf products such as iPads and Android tablets to enhance the shopping experience and pay for products online. This raises obvious security concerns, as these devices are normally not hardened for handling payments.
- Consider the impact of a breach in a recession — As the economy struggles through a global recession, the impact of a breach becomes much greater. The concern is not only the cost of the fine and the associated GDPR risk as data moves beyond the perimeter of an organisation, but also the company’s ability to pay as revenues drop.
As both a security and technology provider, SecureTrust is well placed to advise on the entire process. We have the largest QSA community in the world, have handled a huge variety of compliance and risk programmes and we have been developing our technologies for 25 years.
Digital transformation is here to stay. The businesses that can successfully meet their security requirements will be the ones that win the race.
It’s also important to consider the financial stability of your security supplier. Small QSA companies might not be able to afford to stay in business. SecureTrust has the backing of a large global organisation.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
James Reynolds leads SecureTrust’s Sales Organisation in EMEA. With 25 years’ experience in IT Services, he has worked with large global organisations in Business Continuity, Disaster Recovery, Telecoms and Systems Integration. For the past ten years he has specialised in Cyber Security, Risk and Compliance, overseeing complex PCI programmes in multiple regions.