Strategies for securing retail payment data
André Stoorvogel, Director, Product Marketing in the Payments Group at Rambus
Verizon recently released its annual Payment Security Report. And for retailers, the report highlighted significant areas for improvement in encrypting data, securing transmitted data, and authentication.
This should serve as an industry-wide wake-up call, for the impacts of data breaches cannot be underestimated. The average consolidated cost of a breach is $4 million, and this will undoubtedly increase for European retailers when GDPR comes into force, where fines can total up to €20 million or 4% of total annual turnover (Source: SecurityIntelligence).
The long-term reputational impact must also be considered. Consumers rank data breaches as one of the most damaging factors to a brand, on the same level with environmental disasters (Source: Dark Reading). Consequently, 19% of consumers avoid retailers who have been hit by a major breach (Source: Innovative Retail Technologies). The good news is that retailers are being proactive and looking to take control of their payments activity. Ovum report that of the 80% of retailers entering payments, 40% cited security considerations as the main driver (Source: Ovum).
Securing retail payments with digital wallets
As retailers look to bring payments in-house, there are various approaches to consider. Deploying a digital wallet, however, may not be an immediately apparent option.
This is perhaps because the value of mobile wallets may be seen in the ability to provide a seamless and enhanced buying experience to consumers. But digital retail wallets are also a highly-effective means of improving payments security and mitigating risk.
Protecting data with payment tokenizationTokenization technology is a key component to a truly secure digital retail wallet. Payment tokenization replaces a customer’s primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel. This means tokenization can help to secure in-store transactions made via mobile wallets across differing payment technologies, such as NFC, QR Codes or BLE. It also reduces the risk and impact of card-on-file fraud using stored credentials.
Adapting to omnichannel retail
For many retailers, however, the distinction between in-store and e-commerce/m-commerce has become blurred. For example, a consumer may choose to shop in store, but checkout through an in-app payment within their mobile wallet. In response to changing consumer behaviours and trends, EMVCo has released version two of its tokenization specification to address emerging use-cases and ensure a secure remote payments environment. This is undoubtedly good news for retailers, as it will further enhance mobile wallet security by bringing the fraud prevention capabilities of dynamic tokens to increasingly popular checkout options, such as in-app and online payments, and recurring one-click-ordering.
Securing payments beyond tokenization.
In addition to tokenization, various other technologies and protocols can be incorporated into digital retail wallets to provide additional security protections. Biometric authentication, for example, provides an extra, visible layer of security, and can be deployed in parallel with other authentication protocols such as passcodes. For hardware-grade security, secure elements and trusted execution environments isolate data and applications from the operating system. And on an application level, code obfuscation and white box cryptographic techniques hide or obscure sensitive code, data and algorithms.
Adopting a layered approach
It is clear that digital wallets that leverage tokenization are an effective means of ensuring secure retail payments, enabling retailers to adopt a modular, layered approach that is tailored to their own requirements and, importantly, strikes the right balance between security and convenience.