Payment card fraud in Card Present (CP) situations was dramatically reduced wherever EMV technology was adopted. Originally developed by Europay, Mastercard and Visa and first implemented in Europe, EMV uses smart cards with embedded microchips that store the cardholder's PIN, the payment applications and the encryption algorithms.
This made payment cards almost impossible to clone, thus eliminating one of the major methods criminals used to make fraudulent purchases. The knock-on effect of this positive development, unfortunately, was a corresponding increase in the level of fraud in Card Not Present (CNP) situations, such as when the merchant accepts payment card details online or over the telephone.
The PCI Security Standards Council recently published a white paper in which they broke down the areas where payment card data received over the telephone could be at risk. These include the people involved, the process itself, and the technology.
Measures to mitigate the risk from the merchant's staff and contractors include promoting a security culture within the firm and limiting access to sensitive customer account information to those with a definite need to know. The process can also be refined to minimize risk, for example by excluding any means of recording card information from the order-taking environment.
One other important measure implemented by Curbstone Corporation (and other providers) for our clients is the secure offline storage of card information in case of a security breach in their systems. The service also gives returning cardholders the opportunity to use their card numbers, stored on our secure platform, through tokenized processing, so the merchant's own systems never hold the card number.
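To make the tokenized-processing idea concrete, the following is an added illustrative example and is not Curbstone's code or a description of its platform. It assumes a hypothetical provider-side vault (an in-memory dictionary stands in for the provider's secure offline store) and a merchant-side order record that keeps only a random token and a masked form of the card number; the card number used is the well-known Visa test PAN, not a real account.

```python
"""Added example: tokenization of a PAN taken over the phone.

Merchant side: keeps an opaque random token plus a masked PAN for display.
Provider side: a hypothetical vault that maps tokens back to the PAN. The
in-memory dict below stands in for a provider's secure offline store; it is
an assumption of this example, not a real product.
"""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects mistyped numbers before they reach the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form allowed on receipts and screens: first 6 and last 4 only."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Hypothetical provider-side vault. Only the processor holds this;
    the merchant never sees the PAN again once it has been tokenized."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}  # token -> PAN
        self._by_pan: dict[str, str] = {}    # PAN -> token (returning cards reuse it)

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_ok(digits):
            raise ValueError("PAN fails Luhn check")
        if digits in self._by_pan:
            return self._by_pan[digits]
        # Token is random, not derived from the PAN, so it reveals nothing.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def take_phone_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: the order record stores the token and masked PAN only."""
    token = vault.tokenize(pan)
    return {
        "token": token,
        "masked_pan": mask_pan(pan),
        "last4": re.sub(r"\D", "", pan)[-4:],
        "amount_cents": amount_cents,
    }


def charge_with_token(vault: TokenVault, record: dict) -> str:
    """Provider side: resolves the token to the PAN to submit the charge.
    Returns the PAN that would be sent on to the card network (illustrative)."""
    return vault.detokenize(record["token"])


if __name__ == "__main__":
    v = TokenVault()
    order = take_phone_order(v, "4111 1111 1111 1111", 4999)  # Visa test PAN
    print(order)
    print("repeat order reuses token:",
          take_phone_order(v, "4111111111111111", 100)["token"] == order["token"])
```

The point a PCI assessor cares about is visible in `take_phone_order`: nothing written on the merchant side contains the full PAN, so those systems fall outside the cardholder-data scope, while `charge_with_token` runs only inside the provider's environment.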
The technology used is also of prime importance, including the use of networks isolated from the organization's other internal systems and from the outside. Securing the merchant's technical environment also involves limiting physical access to the equipment and running regular checks to ensure the system is free of malware and keyloggers.
The white paper goes into much more detail about measures that merchants can take to secure card information obtained over the phone and, crucially, which aspects of the process in various scenarios fall under the scope of compliance with PCI DSS.
Compliance with PCI DSS is complex, and it is in the merchant's interest both to minimize the scope of their environment under the applicable standard and to conform adequately to its requirements. Curbstone Corporation has long experience in helping our clients determine that scope and move towards compliance.
Curbstone Corporation's secure technology processes about $2.4 billion per year for merchants on the IBM i (AS/400, iSeries) platform, covering phone orders, e-commerce, and retail.