Merchants need to educate themselves about where fraud and cyberthreat actors may strike next and stay current with security measures designed to protect cardholder data.
Cybercrime and payment fraud have become big business. The most productive actors look for targets that will yield payment account information, data they can monetize on the dark web, companies they can hold for ransom, or control that allows them to gain free merchandise or divert funds directly. So, it’s no surprise that payment security remains a top priority for retailers and other merchants.
However, payment security is a game of cat and mouse. As consumer behaviors change and new technologies evolve, solutions must do the same—protecting every step of the payment flow to support secure payment solutions.
Where’s the Target Now?
Threat actors continue to aim for in-store payment devices by exploiting weak points in data transmission. This makes it essential for merchants to invest in encryption technologies and secure payment infrastructures that prevent data breaches at every stage.
But merchants need to look past the payment terminal to ensure payment security. For example, with more payments taking place via mobile devices, there’s an emphasis on application security. The payment security provided by the hardware platform hasn’t gone away, but with emerging technologies such as tap-to-phone, merchants don’t have the advantage of a hardened security platform to protect transactions. The expectation is that software developers are doing more to ensure their applications properly secure cardholder data.
Furthermore, the biggest target for fraudsters ($5.7 trillion globally) is e-commerce, and the cost of e-commerce fraud is expected to total $206.8 billion in 2023. Establishing best practices and securing digital channels is vital, particularly for businesses that are only now expanding to do business online.
Artificial intelligence (AI) fraud is also on the payments industry’s radar. With generative AI platforms now widely available, merchants and organizations throughout the payments chain are preparing to defend against attacks that actors using AI could initiate in the coming years. In response, the Accredited Standards Committee X9 (ASC X9) for Financial Industry Standards is starting up a study group to investigate current AI offerings and the risk they may pose to the financial industry (for more information or to participate, go to https://x9.org/aistudygroup/).
What’s New in Payment Security?
Technology continues to evolve to keep terminals secure and protect cardholder data. This includes the rollout of cryptographic upgrades, the adoption of PCI standards, and emerging solutions like quantum-resistant encryption—all foundational to the future of secure payments.
Payment industry leaders are mapping how the transition to new encryption standards would take place. Certainly you can update software so that it has access to the latest cryptographic methods, but the biggest challenge to overcome is that there is no secure method to replace existing cryptographic keys with stronger ones in the field; to do this, merchants would have to send terminals back to their payment technology providers for re-keying.
Another significant change on the horizon is the implementation of key blocks. Key blocks are a cryptographic wrapping technique that binds a key's permitted use to the enciphered key value, so that a key cannot be misused for a purpose it was not issued for. As of January 1, 2025, the Payment Card Industry Security Standards Council (PCI SSC) will require the use of key blocks when a payment technology provider injects new keys into terminals, whether locally or remotely.
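The following is an added illustration of the principle behind key blocks; it is not Ingenico's or PCI SSC's code and does not implement the actual ANSI X9.143 / TR-31 format. Those standards wrap the key with a block cipher and authenticate header plus key field with a CMAC under derived keys; this simplified version uses HMAC-SHA256 for the key derivation, the keystream and the MAC so that it runs with only the Python standard library. The header labels, the key-block protection key and the working key are all constructed values. The point it demonstrates is the one the paragraph makes: the cleartext header stating the key's usage is covered by the integrity value, so relabelling a PIN-encryption key as a general data-encryption key is detected at import, whereas a legacy wrapped key carries nothing that ties it to a purpose.

```python
import hashlib
import hmac
import os


def _derive(kbpk: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key from the key-block protection key (KBPK).

    Hypothetical KDF for this illustration; the real standards specify their own."""
    return hmac.new(kbpk, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-style keystream from HMAC-SHA256, XORed over data.

    Stands in for the block-cipher encryption of the key field so the example
    needs no third-party AES library. Symmetric: the same call decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_header(usage: str, algorithm: str, mode_of_use: str) -> bytes:
    """Cleartext header stating how the wrapped key may be used (constructed labels)."""
    return f"{usage}|{algorithm}|{mode_of_use}".encode()


def wrap_key(kbpk: bytes, header: bytes, key: bytes) -> dict:
    """Produce a key block: header + encrypted key + MAC over both.

    The MAC computed over header and ciphertext together is what binds the
    stated usage to the enciphered key value."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(_derive(kbpk, b"enc"), nonce, key)
    mac = hmac.new(_derive(kbpk, b"mac"), header + nonce + ciphertext, hashlib.sha256).digest()
    return {"header": header, "nonce": nonce, "ciphertext": ciphertext, "mac": mac}


def unwrap_key(kbpk: bytes, block: dict) -> bytes:
    """Verify the MAC before decrypting; any change to header or key field is rejected."""
    expected = hmac.new(_derive(kbpk, b"mac"),
                        block["header"] + block["nonce"] + block["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, block["mac"]):
        raise ValueError("key block integrity check failed")
    return _keystream_xor(_derive(kbpk, b"enc"), block["nonce"], block["ciphertext"])


def legacy_wrap(kbpk: bytes, key: bytes) -> bytes:
    """Older style: the key is simply encrypted, with no header and no integrity value."""
    return _keystream_xor(_derive(kbpk, b"enc"), bytes(16), key)


def legacy_unwrap(kbpk: bytes, wrapped: bytes) -> bytes:
    """Decrypts whatever it is given; there is no usage to check against."""
    return _keystream_xor(_derive(kbpk, b"enc"), bytes(16), wrapped)


def demo() -> dict:
    """Show the property the text describes: a key block's usage cannot be changed undetected."""
    kbpk = os.urandom(32)                  # constructed key-block protection key
    pin_key = bytes(range(16))             # constructed 128-bit working key
    header = make_header("PIN-ENCRYPTION", "AES-128", "ENCRYPT")

    block = wrap_key(kbpk, header, pin_key)
    roundtrip_ok = unwrap_key(kbpk, block) == pin_key

    # A block relabelled as a general data-encryption key must fail the integrity check.
    relabelled = dict(block, header=make_header("DATA-ENCRYPTION", "AES-128", "ENCRYPT"))
    try:
        unwrap_key(kbpk, relabelled)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Without a key block, nothing ties the encrypted key to a purpose: the same bytes
    # decrypt identically regardless of what the importer claims the key is for.
    legacy = legacy_wrap(kbpk, pin_key)
    legacy_unbound = legacy_unwrap(kbpk, legacy) == pin_key   # no header to check at all

    return {"roundtrip_ok": roundtrip_ok,
            "tamper_detected": tamper_detected,
            "legacy_key_unbound_to_usage": legacy_unbound}


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dictionary with all three flags set to True. In a real key-injection flow the importing device performs the `unwrap_key` step and refuses the key when the check fails, which is the control the 2025 requirement mandates.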
Another change in payment technology security is the transition to the most recent version of the PCI PIN Transaction Security (PTS) standard for validation. PCI phases in new versions of its PTS standards that address evolving attack techniques and newer security practices that have become industry norms. This phased adoption gives merchants time to transition. PCI is currently phasing out PCI PTS version 4. For that reason, Ingenico won’t sell devices that are PCI v.4-validated as of April 2024. Instead, we’ll focus on PTS v5 and v6 devices that support new cryptographic algorithms.
The continually evolving payment security space must be a focus for merchants and payment technology and solutions providers that equip them with devices and systems to accept payments. If you want to learn more about how Ingenico is meeting this challenge, contact us.