How can you lock the back door when you don't know how many back doors you have, or where they even are?
A cautionary tale
It was a Caribbean summer’s day in 2018 when a Swissport employee going about their daily routine unwittingly became the entry point for a cybercriminal group known as Magecart, wreaking havoc on one of the world's biggest and most trusted airlines and its customers. As the Swissport employee routinely accessed their British Airways network account, the absence of a multi-factor authentication process is thought to be the reason Magecart was able to gain entry to BA’s website and mobile app servers. What ensued was several months of undetected data skimming resulting in the theft of 400,000 people’s personal and credit card information. In 2020 BA was ordered to pay a fine of £20 million.
The threats and vulnerabilities are multiplying
This is one of many well-publicized attacks by hackers resulting in mass card-data breaches. Other less-reported events are taking place somewhere all the time. And while multi-factor authentication log-ins have become standard since 2018, the unavoidable truth is that the sophistication and diversity of threats posed by cybercriminals, as well as state actors, continue to swell.
As the digital economy becomes more and more mainstream the huge benefits of doing business online are inevitably accompanied by new and evolving vulnerabilities. Enterprises today have vast digital ‘environments’, creating an array of vulnerabilities that can be hard to imagine and foresee. These touchpoints sprawl across a supply chains, employee laptops and the many forms of online and in-app interfaces today’s businesses now thrive on, As a payments leader responsible for ensuring the security of your customer’s card data the task of protection can feel daunting.
The payments industry is vigilant
Fortunately, when it comes to the protection of card data, the card schemes and the PCI council are vigilant and committed to ever-better standards. At Checkout.com we take the matter extremely seriously and are pleased to sit on the PCI Council to help shape standards to keep ahead of the threats. Meetings are held on a very regular basis to review and respond to reported attacks thereby amending PCI standards to address real criminal activity.
PCI DSS4 is the latest set of standards that merchants will be asked to begin implementing from March 31st, 2024 to be fully compliant within 12 months. These standards have been directly informed by more than 6,000 pieces of feedback from 2,000 organizations. New standards are always created as a direct response to real reported incidents. Arguably version 4 comes at a time when threat levels to merchants have never been higher.
PCI compliance is challenging but vital for merchants
As a payments service provider, we know the compliance process is time-consuming and can require significant financial investment. Checkout.com is a Level 1 compliant company meaning we adhere to the very most stringent levels of reporting and compliance. We have been through the process and are fully PCI DSS4.0 compliant. It's an effort worth every moment spent and we actively encourage and support our merchants to also ensure they are compliant. From regular company-wide security training, to running scans on all executable files and downloads, from ensuring a named person responsible for every single standard, and building compliance into our payments products - PCI DSS4.0 is upheld in all that we do as an organization.
The requirements in this latest iteration of PCI DSS are technical and many. And we recognize that it can be challenging for a payments leader to convey to their CFO and CPO why the standards matter and are worth the investment. Legal liability, non-compliance fines and large-scale reputational fallout are the high-level answers to that question.
Merchants who are compliant will be protecting their consumers. But they’ll also be protecting themselves - from liability, fines, and significant reputational damage, should an unavoidable breach occur. In such instances a PCI compliant merchant will likely avoid the liability and reputational damage that otherwise comes with major breaches.
New risk-based flexibility
Our view is that this latest iteration of the standards is an important ‘upgrade’ to match the types of threats that now face merchants and their customers in the digital economy. But we also see a new level of flexibility introduced into the standards which we welcome too.
That is to say that while the requirements for achieving certification for previous versions of PCI DSS have been very fixed, version 4 introduces a new risk-based approach. This allows merchants some flexibility in terms of how they prioritize the standards and the extent to which all standards must be met to reach certified status. Naturally, the process for proving that certain risks do not apply to your business can in itself be time-consuming since there will be a rigorous evaluation of evidence that you must submit. Nevertheless, for very large enterprises who feel confident that their risk level justifies a more flexible approach, the process can certainly be worthwhile.
For example - suppose you have 100,000 employees each with their remote desktops. If you can prove that these desktops are not connected to the environment in which you store card data you can potentially avoid or reduce the number of scans conducted. This could obviously provide some cost-savings on the IT required to scan removable media. However, if there is any risk at all associated with your remote desktops it obviously makes sense to invest in the protection provided by quarterly scans.
Protecting payments environments
There are two ways merchants integrate with us. Some merchants elect to use our hosted payments solution. This means that Checkout.com handles the environment in which a customers card details are handed over by the customer (i.e. the online checkout page). In this instance we are responsible for the protection of that data within that environment. Our hosted payments solution, Components, is fully PCI DSS4.0 compliant lifting significant burden from the merchant. In this instance the merchant would need to ensure that the website is protected with a quarterly scan to check for bad actors who may intercept and redirect consumers to a fraudulent payment page. But beyond that we take care of the card data within the payments environment.
For other, often larger, enterprise merchants they may have their own payments environment which integrates directly to our API. Where this is the case the merchant is responsible for the consumer’s card data rendering the compliance process somewhat more involved.
Work with your PSP and QSA
Ultimately the burden of responsibility for compliance sits with the merchant. Payments service providers cannot make their merchants compliant. But at Checkout.com we believe in helping our merchants as much as possible. We work closely to support payments leaders at companies around the world to make their complex jobs that little bit easier wherever we can.
The best and easiest way for payments leaders to achieve compliance is to work with their PSP and Qualified Security Assessor (QSA). At Checkout.com we partner with a leading QSA company and provide their services to our merchants free of charge. This sets us apart from some of our leading competitors who either do not provide the QSA service at all, or who charge for it. We do this because we believe card data security is a cornerstone of the success of the wider payments and ecommerce ecosystem and our mission at Checkout.com is to enable businesses and their communities to thrive in the digital economy. So to us it just makes sense.
Our QSA is striving to ensure better and easier processes for merchants seeking to become certified. This now means that for those who have already been through the process for previous iterations of PCI the all important Self-Assesment Questionaire (SAQ) will perform automatic question mapping to populate parts of the questionnaire, saving you time.
Have your voice heard
Ultimately card data breaches and the standards set to protect against them have the highest impact on merchants and their customers. That’s why we see our role on the PCI Council as being the voice of our customers. We strive to advocate for merchants and the council and card schemes are hungry to hear the merchant perspective. We strongly encourage all of our merchants to speak to us and give us feedback on the challenges they face and the ways in which they think things could be improved. Please do reach out and talk to us. That's how, together, we can keep making the digital economy a better, more efficient and safer place to do business.