Security is only as strong as the weakest link
You’re reading Entrepreneur India, an international franchise of Entrepreneur Media.
India is becoming a world leader in online and digital payments, both in terms of the volume of payments made and the rate at which online payments are increasing. For this to continue, consumers need to know that businesses are making the safety of their payment card information a top priority. As a result, more and more businesses are relying on third-party payment service providers for payment processing, as this allows them to focus on their core business while outsourcing these services to specialists.
Even if you outsource, you still have a duty of care to your customers
One of the brilliant things about outsourcing your company’s payment processing is that it is no longer your responsibility to make sure your customers’ payment data is secure, right? Wrong. This is one of the most common misconceptions about data security, and acting on it can be a career-ending error for any business owner or decision-maker: under the card-brand rules it is the merchant that accepts the card, not its supplier, that answers for a breach.
When somebody pays a merchant for goods and services – whether a pair of trainers, groceries, a hotel room or a restaurant meal – that merchant is responsible for getting the card data to the payment service provider. If the merchant has not implemented the right security controls around that hand-off, customer payment data is vulnerable to theft at every point along the way: on the terminal or web page that captures it, on the merchant’s own systems, and on the connection to the provider.
This is what allows a merchant to become the victim of a “Man in the Middle” attack – a form of data theft in which an attacker inserts themselves into the communication between two parties. In the merchant’s case, the attacker either plants malware on a merchant system that copies card data as it passes through, or intercepts a connection to the payment service provider that is not properly encrypted and authenticated. Either way, the card data flows through the attacker first, and the attacker then forwards it to the payment service provider so that the transaction completes normally. Because nothing visibly fails, neither the merchant nor the provider is usually aware the attack is happening. The attacker packages up the stolen data and sells it to the highest bidder. In the most extreme examples, attackers have been known to sit in the middle of these processes undetected for more than four years.
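The network half of that attack only works when the merchant’s software will talk to anyone who answers at the provider’s address. The added example below, written for this page and not taken from the article or from any payment provider’s SDK, shows the weak TLS client configuration that makes interception possible beside the corrected one, and a small audit that refuses to open a connection through a context that fails the check. Host names and file paths in it are placeholders (assumptions), and it does not address malware that reads card data on the merchant’s own machine before it is ever encrypted; that needs endpoint controls, not transport security.

```python
"""Added example (not the article's code): audit the TLS settings a merchant's
software uses when it sends card data to its payment service provider.

Host names, ports and CA file paths here are assumed placeholders.
"""
import socket
import ssl
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak configuration, usually introduced 'to make the integration work'.

    A client built this way accepts any certificate, so whoever can intercept
    the connection can present their own certificate and read the card data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # do not check that the name matches
    ctx.verify_mode = ssl.CERT_NONE  # do not check the certificate chain at all
    return ctx


def secure_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: chain and hostname verified, TLS 1.2 or better.

    cafile (assumed path, supplied by the caller) can restrict trust to the CA
    that issues the provider's certificate; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # early TLS is retired under PCI DSS
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that leave this client open to interception."""
    issues: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        issues.append("certificate chain not verified (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        issues.append("certificate hostname not checked (check_hostname=False)")
    if ctx.minimum_version not in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        issues.append("TLS below 1.2 allowed (minimum_version=%s)" % ctx.minimum_version.name)
    return issues


def open_psp_connection(ctx: ssl.SSLContext, host: str, port: int = 443,
                        timeout: float = 10.0) -> ssl.SSLSocket:
    """Open the connection to the provider only if the context passes the audit.

    host is an assumed placeholder; this function is not exercised offline."""
    findings = audit_context(ctx)
    if findings:
        raise RuntimeError("refusing to send card data: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname check performed by the context
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_context(ctx) or "no findings")
```

Run the file to see the findings for each context. A cheap way to prove the point to an integration team is to point the insecure client at a host presenting a self-signed certificate: it connects happily, while the secure one fails the handshake, which is exactly the difference an interposed attacker relies on.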
Know your customer? Know your supplier.
The second issue is that the bar to calling yourself a payment service provider is low. It is the responsibility of the business owner, operations executive or IT manager to undertake proper due diligence before selecting one.
Payment service providers must have security controls and processes in place that protect payment card data in accordance with the PCI Data Security Standard (PCI DSS). If customer data is stolen, it is the merchant, not the payment service provider, that makes headlines. Many businesses that suffer a major payment data theft never recover, because the financial and reputational consequences are simply too great.
It is therefore imperative that merchants ask for proof that their payment service providers have passed a PCI DSS assessment by a PCI Qualified Security Assessor. In practice that means asking for the provider’s current Attestation of Compliance (AOC) and checking that it is less than a year old and that the services the merchant actually uses are listed as in scope.
India at the payment security frontier
India is one of the fastest growing economies and the popularity of e-commerce and mobile commerce has exploded in recent years. This is fantastic for international and domestic trade. However, the Indian market now attracts truly global attention, from criminals as well as investors. As millions of Indian consumers go digital each year – the value of transactions made with digital wallets has gone up by 64% in just one year – the opportunity for data theft grows with it.
What business leaders must do
Data security and management is no longer the sole responsibility of data or IT managers – the board of directors, including the CEO, are equally accountable. As a result, there are a number of business imperatives for companies in India. First, the CEO must start to take data security seriously. This starts with hiring someone who will ensure that their security department has the right processes in place, covering both their own security efforts and ensuring due diligence is undertaken with all third parties. This is an issue for businesses of any size.
Second, the CIO must ensure that their security departments are securing payment data according to the PCI DSS, regardless of third-party outsourcing. Handing processing to a compliant provider can shrink the merchant’s own assessment scope, but it does not remove the merchant’s obligations: PCI DSS still requires the merchant to manage its service providers, keep a list of them, and track their compliance status (requirement 12.8). If this is not being done, customer payment data is not safe.
Third, CFOs must implore their board to invest in data security. No matter the health of the economy or sector, every business has financial pressures and investment in data security must be made a priority.
Fourth, and maybe most important, is training. People are a critical part of keeping payment data safe and secure. No matter how good their payment service provider might be, businesses cannot overlook the importance of training their own staff on security basics. Data security training programmes designed for every level of staff, at almost any type of organization, are readily available. To protect their customers’ payment data, businesses must make data security education part of business as usual.
Keeping customer data safe is not just an IT issue – it requires people, process and technology working together. Failing to conduct business securely is a major reputational issue for any marketplace. To counter this, India’s business leaders have a responsibility to enable and promote payment data protection, which underpins the long-term success of their own companies as well as the wider Indian economy.
Article originally posted by Entrepreneur.