New Era of Smart Cards – All that You Need to Know about Secure Payments

Payment Security

The U.S. market is the No. 1 target for credit card thieves, accounting for 79 percent of stolen card numbers, according to data from Gemini Advisory: 60 million American card numbers out of the 75.9 million offered for sale globally in the 12 months from November 2017 to October 2018.

Merchants need to do their homework and be prepared on two fronts: theft of card data from their own systems, and criminals using stolen data in their stores. Since the October 2015 EMV (Europay, Mastercard and Visa) liability shift in the U.S., a merchant whose terminals cannot accept chip cards bears the loss for counterfeit-card fraud at those terminals.

The card networks also offer their own cardholder authentication programs for online purchases, all built on the 3-D Secure protocol: Verified by Visa, Discover's ProtectBuy, Mastercard SecureCode and American Express's SafeKey.

What is out of scope?

In short, an out-of-scope (often called semi-integrated) design eliminates sensitive cardholder data from the POS software: the POS handles only non-sensitive data such as the amount and the authorization response.

Data moving from one system or server to another is being transmitted and must be encrypted, whether or not the network is Internet- or public-facing. Cardholder data should be in the clear only in memory, and only for the minimum time processing requires.

A vendor that handles card data must decrypt or translate it only on the data-preparation, personalization or cloud-based provisioning network, never while it is on an Internet- or public-facing network.

In an out-of-scope design the POS sends the transaction details (such as the amount) to an EMV terminal. The terminal communicates securely with the processor and passes a response back to the POS. Because the POS never receives sensitive cardholder data, it is of far less value to an attacker who compromises it.

When choosing a POS system it is wise to consider an out-of-scope solution, which takes the POS completely out of the payment authorization process. No cardholder data is ever sent to the POS, which shrinks your PCI DSS scope and limits what a breach of the POS could expose.



Tokenization protects stored card data. Card data is transmitted to the processor's gateway, which replaces it with a surrogate value, the token. The token is returned to the POS application, where it can be stored and used later in place of the card number.

The benefit is that if a merchant's system is breached, the tokens have no value to the criminals: they contain no card data that can be used for fraudulent transactions, and only the processor can map a token back to the card.

Remember that tokenization only protects the second half of the transaction life cycle, the storage of card data after authorization. The first half, the transmission of card data from the reader to the gateway, must be protected as well. Point-to-point encryption (P2PE) covers that leg, and the two are commonly combined.
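
The out-of-scope POS flow and the tokenization described above, as an added Python example that is not part of the original article or of any vendor's product: an EMV terminal that returns only a masked card number and a token to the POS, a processor-side token vault that keeps the only token-to-PAN mapping, and a Luhn-based scanner that checks whether a POS record contains anything that looks like a real card number. The vault, the terminal, the test PAN 4111111111111111 and the decision to issue tokens that fail the Luhn check are all constructions of this example; the P2PE encryption between reader and gateway is elided.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> List[str]:
    """PAN-shaped digit runs in text that pass Luhn (vault tokens are built to fail it)."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

class TokenVault:
    """Processor-side token service (constructed stand-in): holds the only token-to-PAN map."""

    def __init__(self) -> None:
        self._pan_for_token: Dict[str, str] = {}
        self._token_for_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_for_pan:            # same card, same token, so the merchant
            return self._token_for_pan[pan]       # can recognise a repeat customer
        while True:
            # Random body, real last four kept for receipts. Forcing a Luhn failure keeps a
            # token from being mistaken for a PAN (this example's choice, not a standard).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_for_token:
                break
        self._pan_for_token[token] = pan
        self._token_for_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Processor-only operation, e.g. for settlement or a refund."""
        return self._pan_for_token[token]

@dataclass
class TerminalResponse:
    approved: bool
    auth_code: str
    masked_pan: str
    token: str

class EmvTerminal:
    """Terminal leg. The PAN is read from the chip inside the terminal and, in a real
    deployment, leaves it only P2PE-encrypted under a key the POS does not hold; that
    encryption is elided here and the vault stands in for the processor."""

    def __init__(self, read_card: Callable[[], str], vault: TokenVault) -> None:
        self._read_card = read_card       # the customer dipping a card at the terminal's reader
        self._vault = vault

    def authorize(self, amount_cents: int) -> TerminalResponse:
        pan = self._read_card()
        return TerminalResponse(
            approved=amount_cents > 0,
            auth_code=secrets.token_hex(3).upper(),
            masked_pan="*" * (len(pan) - 4) + pan[-4:],
            token=self._vault.tokenize(pan),
        )

def pos_checkout(amount_cents: int, terminal: EmvTerminal) -> str:
    """POS leg: only the amount goes to the terminal and only the non-sensitive response
    comes back. Returns the record the POS persists."""
    resp = terminal.authorize(amount_cents)
    status = "approved" if resp.approved else "declined"
    return (f"sale amount={amount_cents} status={status} auth={resp.auth_code} "
            f"card={resp.masked_pan} token={resp.token}")

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed input: the well-known test PAN 4111111111111111 presented at the terminal.
    terminal = EmvTerminal(read_card=lambda: "4111111111111111", vault=vault)
    record = pos_checkout(4999, terminal)
    print(record)
    print("PANs in POS record:", find_pans(record))                          # []
    print("PANs in a bad log line:", find_pans("card 4111 1111 1111 1111"))  # ['4111111111111111']
```

Run as a script, it prints a POS record holding the amount, an approval code, `************1111` and a 16-digit token, and the scanner finds no PAN in it, while a log line with a spaced-out card number is flagged. The same `find_pans` scan over POS logs, databases and crash dumps is a cheap way to test whether a "out-of-scope" deployment really is one.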


Online fraud

The effect of the EMV rollout is that fraudsters shifted their efforts to online, card-not-present (CNP) fraud: CNP losses surpassed card-present losses for the first time in 2017.

To protect themselves, merchants can require a CAPTCHA to show that the buyer is a human rather than a bot, and require the card verification value (CVV): the three-digit code printed on the back of the card (four digits on the front of American Express cards). The CVV is evidence that the buyer holds the physical card, which is also why PCI DSS forbids storing it after authorization, even in encrypted form.

According to the EMV Migration Forum (now the U.S. Payments Forum), an industry group promoting EMV adoption, several measures are designed to deal with the expected onslaught of CNP fraud, including:

  • Authentication methods: Device authentication, one-time password, randomized PIN pads, and biometrics
  • Fraud tools: Proprietary and transactional data used for fraud analysis and risk management, and validation services
  • 3-D Secure: Messaging protocol that enables real-time cardholder authentication during an online transaction
  • Tokenization: Replaces card data with a “token,” which has no value outside a specific merchant or transaction

More sophisticated fraud-prevention tools check that the purchaser's location, device and IP address match those of the card's true owner, and flag purchases that do not fit the cardholder's usual buying pattern.
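
The location, device and pattern checks just described, as an added Python example that is not from the article or from any fraud vendor: a rule-based scorer that turns a card-not-present attempt into approve, challenge (step up to 3-D Secure or a one-time password) or decline. The weights, thresholds, field names and sample attempts are constructed for illustration; in production they would be tuned against the merchant's own chargeback history, and the IP geolocation and device fingerprint are assumed to be supplied by upstream components.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import DefaultDict, List, Set, Tuple

@dataclass
class Attempt:
    """One card-not-present authorization request as the merchant sees it."""
    ts: datetime
    token: str             # gateway token for the card, never the PAN
    amount_cents: int
    billing_country: str   # from the address the buyer entered
    ip_country: str        # geolocated client IP (assumed supplied upstream)
    device_id: str         # browser/device fingerprint (assumed supplied upstream)
    cvv_matched: bool      # issuer's CVV result for this attempt

class RiskScorer:
    """Additive rule scoring. Weights and thresholds are illustrative, not from any
    card brand or vendor; tune them against your own chargeback history."""

    VELOCITY_WINDOW = timedelta(minutes=10)
    VELOCITY_LIMIT = 3      # prior attempts inside the window before 'velocity' fires
    CHALLENGE_AT = 25       # step up: 3-D Secure or one-time password
    DECLINE_AT = 50

    def __init__(self) -> None:
        self.history: DefaultDict[str, List[Attempt]] = defaultdict(list)
        self.trusted_devices: DefaultDict[str, Set[str]] = defaultdict(set)

    def score(self, a: Attempt) -> Tuple[int, List[str]]:
        prior = self.history[a.token]
        points, reasons = 0, []
        if not a.cvv_matched:
            points += 40
            reasons.append("cvv_mismatch")
        if a.ip_country != a.billing_country:
            points += 25
            reasons.append("geo_mismatch")
        if prior and a.device_id not in self.trusted_devices[a.token]:
            points += 15
            reasons.append("new_device")
        recent = [p for p in prior if a.ts - p.ts <= self.VELOCITY_WINDOW]
        if len(recent) >= self.VELOCITY_LIMIT:
            points += 30
            reasons.append("velocity")
        if prior and a.amount_cents > 3 * max(p.amount_cents for p in prior):
            points += 20
            reasons.append("amount_spike")
        return points, reasons

    def decide(self, a: Attempt) -> Tuple[str, List[str]]:
        points, reasons = self.score(a)
        if points >= self.DECLINE_AT:
            decision = "decline"
        elif points >= self.CHALLENGE_AT:
            decision = "challenge"
        else:
            decision = "approve"
            self.trusted_devices[a.token].add(a.device_id)   # only approved use earns trust
        self.history[a.token].append(a)   # declined attempts still count toward velocity
        return decision, reasons

# Constructed sample: a legitimate purchase, then a card-testing burst from abroad on a
# new device, then the real cardholder again two days later.
T0 = datetime(2024, 1, 15, 12, 0)
SAMPLE_ATTEMPTS = [
    Attempt(T0, "tok_a", 4500, "US", "US", "dev_1", True),
    Attempt(T0 + timedelta(minutes=1), "tok_a", 4500, "US", "RO", "dev_9", True),
    Attempt(T0 + timedelta(minutes=2), "tok_a", 4500, "US", "RO", "dev_9", False),
    Attempt(T0 + timedelta(minutes=3), "tok_a", 4500, "US", "RO", "dev_9", True),
    Attempt(T0 + timedelta(days=2), "tok_a", 4800, "US", "US", "dev_1", True),
]

def run_demo() -> List[Tuple[str, List[str]]]:
    """Score the sample attempts in order with a fresh scorer."""
    scorer = RiskScorer()
    return [scorer.decide(a) for a in SAMPLE_ATTEMPTS]

if __name__ == "__main__":
    for attempt, (decision, reasons) in zip(SAMPLE_ATTEMPTS, run_demo()):
        print(attempt.ts, attempt.ip_country, attempt.device_id, decision, ",".join(reasons) or "-")
```

The first attempt is approved and its device becomes trusted; the second, from a foreign IP on an unseen device, scores 40 and is challenged rather than declined outright; the third adds a CVV mismatch and is declined; the fourth trips the velocity rule because the declined attempts still count; the cardholder's own purchase two days later scores zero. Scoring on the gateway token rather than the PAN keeps this component out of PCI DSS scope.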


How to secure my data?

According to the PCI Security Standards Council, 71 percent of cyberattacks are aimed at small businesses, so it is important to understand the risks.

Its Data Security Essentials for Small Merchants: Guide to Safe Payments lays out the security basics that protect these highly targeted small businesses against payment data theft, and helps them simplify their security and reduce their risk.


How is your business at risk?

Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras or call recording systems. If not properly configured and managed, each of them can give criminals easy access to your customers' payment card data.

If you are an e-commerce merchant, it is very important to understand how, and whether, payment data is captured on your website. In most cases a wholly outsourced third party that captures and processes payments, so that card data never touches your own servers, is the safest option.


Use trusted partners

  • Payment terminal vendors
  • Application vendors
  • Payment system installers (integrators/resellers)
  • Service providers that perform payment processing, or e-commerce hosting or processing
  • Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
  • Providers of Software as a Service


What is PCI DSS?

If your organization handles credit or debit card data, you need to follow the Payment Card Industry Data Security Standard (PCI DSS): a set of requirements that every business that processes, stores or transmits cardholder data must meet. If you accept card payments, you must comply.

In short, PCI DSS is the reference set of security requirements for protecting cardholder data in IT systems.

Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ). The standard defines a common security baseline that has become the benchmark in electronic payment security.

PCI DSS is published and maintained by the PCI Security Standards Council, founded by the card brands Visa, Mastercard, American Express, JCB and Discover.


The PCI Data Security Standard

PCI Security Standards are technical and operational requirements adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. PCI DSS is not a law, but compliance is required by contract through the card brands and acquiring banks, and failing to comply has consequences: a non-compliant business is more likely to suffer card fraud or a breach, can be fined by its acquirer, and can ultimately lose the ability to accept cards.

The standard (as worded in PCI DSS version 3.x) is divided into twelve requirements:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

To keep accepting card payments, a merchant must implement PCI DSS and monitor that its systems continue to meet it. Large merchants are usually assessed annually by a Qualified Security Assessor (QSA), who produces a Report on Compliance; smaller merchants may self-assess with the appropriate SAQ.


Control your vulnerability

PCI DSS also requires quarterly external vulnerability scans of your Internet-facing systems by an Approved Scanning Vendor (ASV). Such a scan shows whether you have security holes that leave an open door into your network for cybercriminals. ASV scanning is delivered as a cloud-based service, so there is no hardware or software to install and maintain: you subscribe, log in, point the scanner at your public addresses and fix what it finds. A passing scan has no findings with a CVSS score of 4.0 or higher.


Utilize firewall

One of the primary requirements of PCI DSS is a properly configured firewall: for any business with an Internet connection, the firewall is the first line of defense, and it should allow only the traffic the payment environment actually needs.

If your business runs Internet-facing web applications, in particular an e-commerce site that accepts card payments, PCI DSS (Requirement 6.6 in version 3.x) requires that you either deploy a Web Application Firewall (WAF) or have the application reviewed for vulnerabilities at least annually and after any change. Most merchants lack the resources to engage a technical expert after every change, so a WAF is the practical alternative; note that it must be actively running, kept up to date and configured to block or alert, not merely installed.

