Safeguarding Payments Against Cybercrime

Ross Macmillan, head of research and intelligence at allpay Limited, the UK’s leading payment specialist


Cyber-attacks are worryingly prevalent at the moment, with large, high-profile organisations like the NHS falling prey to hackers. Businesses are under threat, so cyber security has become a significant issue – with safeguarding payments of paramount importance.

However, some organisations may not know their systems have been compromised until consultants are called in. Such organisations face being specifically targeted by fraudsters, the primary risk being access to personal data and payment processes. Fraudsters are believed to probe phone systems first, if only to gauge the potential for access. It is therefore important for businesses to implement the necessary cyber-protection controls now – before it’s too late.

Cyber Security

Organisations should ensure their chosen suppliers meet high standards for cyber security by requiring certification under government-supported and industry-backed schemes such as Cyber Essentials Plus, so that they are sufficiently covered.

Here at allpay Limited we recently joined a small number of payment companies in being accredited to this scheme, which verifies that organisations have the appropriate security protocols in place to stave off the most prevalent forms of attack. The scheme discourages suppliers from being irresponsible about cyber security, whilst continuing to protect customer data.

A landmark report on Common Cyber Attacks issued by GCHQ detailed for the first time the common attacks used by cyber criminals. The report used real case studies to explain the nature of the risk and how it can be prevented. Around 80% of cyber-attacks could be prevented if businesses put simple security controls in place. The Cyber Essentials scheme shows how to put these controls in place.

PCI DSS Compliance

Safeguarding payments is paramount in the face of cyber threats. Being fully PCI DSS-compliant is a crucial step towards a secure payments environment, and it reassures buyers that suppliers are taking the appropriate measures to protect data.

PCI DSS, or the Payment Card Industry Data Security Standard, is a set of security standards that any organisation which processes, stores or transmits debit and credit card information must adhere to. By becoming PCI DSS-compliant, organisations can preserve customer trust, ensure compliance, lower costs and, importantly, reduce risk.

The UK Cards Association stipulates that, should a business lose card data and not be PCI DSS-compliant, it faces non-compliance fines and the operational costs associated with replacing accounts, as well as liability for any fraud losses.

Latest revisions of the PCI DSS standards have tightened security requirements, and technology can help to mitigate risks for organisations.

A good example is organisations taking payments via their call centres, where handling customers’ card data creates the potential for security breaches. Recent innovations such as cloud-based call masking services help to create a secure environment for operatives who handle card data while processing a payment. By rerouting the call through a secure cloud-based environment, the service can completely remove desktops, IT and telephony systems, agents and call recordings from PCI DSS compliance scope: customers type their card numbers securely into the telephone keypad rather than speaking them aloud to an agent, where they could potentially be recorded and/or stored.
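To make the mechanism concrete, the following is an added illustration of how DTMF tone masking works in principle; it is example code written for this page, not allpay’s product or any vendor’s implementation. It synthesises a telephone-band audio stream in which a customer keys a card number, detects the DTMF tones with the Goertzel algorithm, forwards the decoded digits to the payment leg, and replaces the tones in the agent leg with a neutral beep so that neither the agent nor a call recorder ever receives the key-specific frequencies. The sample rate, frame length, power threshold, mask tone and test card number are all constructed assumptions.

```python
"""Added illustration (not allpay's product code): DTMF masking for a
call-centre payment leg.

A customer keys their card number on the telephone keypad. Before the audio
reaches the agent (and the call recorder), DTMF tones are detected and
replaced with a neutral tone, while the decoded digits are forwarded to the
payment system. The agent leg therefore carries no card data, which is what
takes agents and recordings out of PCI DSS scope.

Pure Python; the audio is synthesised here so the script runs offline.
Sample rate, frame size, threshold and the mask tone are constructed choices.
"""
import math

SAMPLE_RATE = 8000          # narrowband telephony rate (Hz)
FRAME_MS = 20               # analysis window per Goertzel pass
ROW_FREQS = (697, 770, 852, 941)
COL_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")
POWER_THRESHOLD = 200.0     # constructed: tuned to the synthesised amplitude below
MASK_FREQ = 400             # constructed: neutral beep the agent hears instead of digits


def synth_dtmf(digits, tone_ms=100, gap_ms=100, amplitude=0.5, sr=SAMPLE_RATE):
    """Constructed test input: one DTMF burst per digit, separated by silence."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        f_lo, f_hi = ROW_FREQS[row], COL_FREQS[col]
        for n in range(sr * tone_ms // 1000):
            t = n / sr
            samples.append(amplitude * math.sin(2 * math.pi * f_lo * t)
                           + amplitude * math.sin(2 * math.pi * f_hi * t))
        samples.extend([0.0] * (sr * gap_ms // 1000))
    return samples


def goertzel_power(frame, freq, sr=SAMPLE_RATE):
    """Power of `frame` at a single frequency (Goertzel recurrence, any freq)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sr)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame, sr=SAMPLE_RATE):
    """Return the keypad digit present in `frame`, or None if no valid DTMF pair."""
    rows = [goertzel_power(frame, f, sr) for f in ROW_FREQS]
    cols = [goertzel_power(frame, f, sr) for f in COL_FREQS]
    r, c = rows.index(max(rows)), cols.index(max(cols))
    if rows[r] < POWER_THRESHOLD or cols[c] < POWER_THRESHOLD:
        return None
    return KEYPAD[r][c]


def mask_dtmf(samples, sr=SAMPLE_RATE, frame_ms=FRAME_MS):
    """Split a call into an agent leg (tones replaced) and the keyed digits.

    Returns (agent_leg, digits). A digit is counted once per key press: a run
    of frames carrying the same digit is one press; silence between presses
    resets the detector so repeated digits are still counted.
    """
    frame_len = sr * frame_ms // 1000
    agent_leg = []
    digits = []
    last = None
    for i in range(0, len(samples), frame_len):
        frame = samples[i:i + frame_len]
        digit = detect_digit(frame, sr)
        if digit is None:
            agent_leg.extend(frame)          # ordinary speech passes through
        else:
            # Replace the tone with a neutral beep so the agent (and recorder)
            # never receives the key-specific frequencies.
            agent_leg.extend(0.2 * math.sin(2 * math.pi * MASK_FREQ * (i + n) / sr)
                             for n in range(len(frame)))
            if digit != last:
                digits.append(digit)
        last = digit
    return agent_leg, digits


def redact_pan(digits):
    """Log-safe form of a PAN: only the last four digits are kept."""
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    call = synth_dtmf("4111111111111111")          # constructed test PAN
    agent_audio, keyed = mask_dtmf(call)
    print("forwarded to payment system:", redact_pan("".join(keyed)))
    print("digits recoverable from agent leg:", repr("".join(mask_dtmf(agent_audio)[1])))
```

Running the script shows the full card number arriving on the payment leg while a second pass of the detector over the agent leg recovers nothing, which is the property that lets the agent desktop, telephony and recording systems fall outside PCI DSS scope. A production service would add the ITU twist and duration checks on each tone and would tokenise the PAN rather than hold it in memory, but the scope-reduction argument rests on exactly this separation of the two audio legs.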

Great Places Housing Group recently procured allpay’s DTMF tone masking solution in order to reduce the risk of fraud and data breaches. The group, which owns and manages more than 18,000 homes across the North West and Yorkshire region, is one of the largest developing housing associations in the North of England, so protecting its database and customer information was fundamental.

Becoming PCI DSS-compliant independently, and achieving ongoing compliance, can be an onerous and complex process for businesses, incurring high fees and using valuable staff time that could be invested more effectively elsewhere.

Outsourcing PCI compliance to a Level 1 PCI DSS-compliant payment service provider can make a material difference in administration and cost. For example, outsourcing can mean organisations only have to complete a shorter version of the mandatory Self-Assessment Questionnaire (SAQ) for their merchant acquirer. SAQ A is the least onerous, with circa 10 requirements; SAQ D is the most onerous, with in excess of 250 requirements, and also requires quarterly scans of the card payment environment. If the solution is outsourced, the organisation only needs to complete SAQ A.

At a time when data protection and security are rarely out of the news, it’s important to ensure systems are protected – and for this to be done in a cost-effective and efficient manner. This needn’t be costly or onerous – with much of the risk, compliance and cost outsourced to third-party providers.

Featured in Finance Digest.