The retail industry is one of the most targeted industries for cyberattacks and data breaches. In fact, research shows that retail suffers more data breaches than the financial services, insurance and hospitality industries. Cybercriminals and hackers target retailers because they know they can easily get their hands on consumers’ personally identifiable information (PII), especially payment card data.
As a result, we’ve all witnessed the headlines for large-scale data breaches at top retailers such as Target and Home Depot, which have negatively affected millions of consumers. These breaches have costly repercussions for retailers, who end up paying fines, legal fees and remediation costs – not to mention the incalculable damage to their brand reputation, the lost sales due to reduced customer trust and often the dismissal or resignation of many executive staff members.
Fortunately, there are steps retailers can take to improve data security and reduce their risk of becoming the target of a breach. A great place to start is the framework and security best practices laid out in the Payment Card Industry Data Security Standard (PCI DSS). Applicable to any organization that accepts payment card data, PCI DSS is organized into six distinct categories with 12 broad requirements, outlining more than 400 security controls that every merchant must implement to achieve compliance. Failure to comply can result in fines ranging from $5,000 to $100,000 per month. In extreme cases, the payment card issuer can even entirely revoke the merchant’s ability to process card transactions.
Complying with the PCI DSS may initially seem daunting, but retailers can ease compliance by reducing the number of applicable PCI controls throughout their organization. Known as “descoping,” this process can significantly cut down on the amount of technology and network infrastructure considered “in scope” of the framework, leading to an overall much less costly and simpler compliance process.
Descoping begins with reducing the amount of sensitive information – including payment card data – that an organization processes and stores. For example, PayJunction’s solutions help retailers reduce the scope of compliance for PCI DSS at the point of sale (POS) by using a cloud-based EMV terminal. This setup allows merchants to run payment cards without ever having to store, transmit or process cardholder data.
But retailers must not limit their data security and compliance efforts to only their POS systems. As the industry has moved to the more secure EMV-enabled chip cards and terminals, cybercriminals are shifting their focus to other channels where card-not-present (CNP) transactions take place, such as call and contact centers. Often deemed a “low-hanging fruit” by fraudsters, retail contact centers saw fraudulent activity nearly double in 2017. So, how can these customer interaction hubs address this issue?
Retailers can reduce the scope of compliance for PCI DSS in their contact centers by using dual-tone multi-frequency (DTMF) masking technologies. These technologies enable customers to make payments over the phone while obscuring the payment card numbers from the agent on the line and from call recordings, which can be breached.
With these solutions, customers simply enter their card number and card verification value using the telephone keypad and the touch tones (DTMF tones) are replaced with flat tones. The card data is encrypted and securely routed to the Merchant Service Provider, never entering the contact center’s infrastructure. As a result, the retailer reduces the scope of compliance with PCI DSS and minimizes risk.
While this technique effectively conceals the card information from the customer service representative, some DTMF masking solutions allow agents to remain on the line, speaking with the customer to help with any issues that may arise. Unlike interactive voice response systems, this approach ensures strong data security without compromising customer experience.
Relying on new technologies alone to secure your contact center is not enough to stop today’s devious cybercriminals and fraudsters. In addition to using secure POS terminals and DTMF-masking solutions in their call and contact centers, retailers should adopt the following best practices:
Ultimately, it’s in a business’s best interest to comply with the PCI DSS because of the tangible benefits it provides. First and foremost, implementing the security controls listed in the PCI DSS framework can reduce a retailer’s risk of experiencing a data breach. Using firewalls and encryption, as well as prohibiting the storage of cardholder information not only makes it harder for hackers to break into an organization, but also reduces the amount of sensitive data accessible in the event of a breach.
Additionally, implementing a PCI DSS compliance program helps an organization cultivate a mindset of strong security among employees. The robust framework of the PCI DSS includes self-assessment exercises that each merchant must complete, which is a great way for an organization to honestly examine its current practices and determine where improvements can be made.
Lastly, and perhaps most importantly, complying with the PCI DSS helps retailers better protect their most important assets: their customers, employees and brand reputation. Thus, avoiding the reputation-damaging headlines associated with a data breach is essential to maintaining a positive brand image and maintaining customers’ trust. By implementing technology solutions to minimize the amount of sensitive data they handle and store, while following industry best practices, retailers can minimize risk and reduce the cost and complexity of compliance.