What’s Next After TLS: The Basics of Merchant Security

By: Michele Rizzo, Senior Channel Marketing Manager at TSYS

The 6/30/18 TLS deadline was a major concern for the payments industry. In fact, some analysts worried that it might resemble the EMV changeover and the difficulties it brought many companies. Any potential confusion with the TLS migration could have resulted in lower processing volumes, impacting revenue streams and ultimately eroding trust between payment companies and their customers.

Thankfully, the TLS deadline came and went without any significant issues. This is a success for the payments industry not only because of the smooth transition, but also because this change means that payments are safer as a result.

Now that the TLS deadline has passed, there are no major security changeover deadlines on the horizon. So what should you be telling your merchants about payment safety and security? Of course, every situation is unique, and each merchant needs to tailor the specifics of their approach to their particular situation, always in consultation with their payment partners. But there are five steps that can put most merchants on the path to greater security in the post-TLS world.

1. Update to EMV. Thankfully, it’s very rare to be asked to swipe these days—dipping is far more common. And that’s a good thing—Visa has estimated that fraud is down 76% among merchants using EMV. But there are still many holdouts in the realm of EMV, especially in verticals like the restaurant industry.

Businesses refusing to switch to EMV were more common in the early days of the changeover, when processing speeds were slow and the liability issues were little understood. But speeds have improved, and fraudsters have begun specifically targeting non-EMV merchants. Those who swipe instead of dipping not only face increased liability in the post-EMV era, but they are also tempting fate by possibly facing fraud at a higher rate, now that non-EMV merchants are part of a much smaller pool for criminals to target.

EMV has not only drastically decreased the frequency of in-person fraud, but when merchants accept EMV they also face lower liability if fraud does occur. That means there’s not only greater safety, there’s improved financial security that brings with it far greater peace of mind in case anything does happen. There’s no downside to taking EMV, and every merchant should be sure they do.

2. Use solutions that can update remotely. Today fraudsters evolve far faster than the time it takes for most businesses to buy a new device. By the time your device is only months old, there may be a new type of fraud that payment companies are trying to protect against. That’s why you need to be sure that your payment solutions update automatically in order to stay one step ahead of criminals.

The best way to do that is to use cloud-based technology that can constantly patch and update itself. That keeps your store and your customer data safe, and anytime a new threat is discovered, you’ll quickly be protected. And it’s not just about fraud, either—many times new payment technologies are introduced, and remote software updates limit the necessity of the types of hardware updates that hampered the EMV changeover.

3. Utilize encryption. Encryption is a crucial way to keep customer data safe while enabling simple transactions. P2PE (point-to-point encryption) is recognized by the Payment Card Industry (PCI) Security Standards Council as the best method of keeping transactions safe from the moment a card is inserted, and, as we’ll discuss further below, it’s crucial for any business that takes payments to listen to the advice of the PCI Security Standards Council.

P2PE can help to simplify compliance in the PCI-DSS realm, and it minimizes the need for penetration testing and firewall deployment as well. These processes in normal circumstances can take up a good deal of a merchant’s time, drawing them away from the core tasks they’d rather be doing, so it’s a boon to businesses to minimize their requirements in these areas. P2PE lets merchants rest easy knowing they’re more secure, and they can spend less time on compliance processes.

4. Follow e-comm protocols to label red flags. As in-person (card-present) fraud has become more difficult in the post-EMV era, criminals have migrated to the online realm. The reason criminals have made this move is not just because of EMV, but also because preventing fraud during online transactions can be challenging. But it’s not impossible, and it’s important to make every effort you can to minimize CNP fraud.

Start with the staples of online security in CVV and address verification, but that’s not enough. Look out for certain red flags for potentially fraudulent transactions. Is it a first-time shopper, perhaps making an extremely large order? Is the shipping method or location strange or uncommon for shoppers from your site—perhaps international? Merchants must work with their e-comm partners to understand how they can verify suspicious transactions—or they need to find solutions that will do such a task automatically.
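As an added illustration (not part of the original article, and not a TSYS product), the red flags above can be written down as a simple rule-based screen that holds a card-not-present order for manual verification. The thresholds, shipping methods, home country and sample orders are constructed assumptions; a real merchant would tune them with their e-comm partner.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    first_time_shopper: bool
    amount: float          # order total in the merchant's currency
    cvv_match: bool        # result of the CVV check
    avs_match: bool        # result of address verification (AVS)
    ship_country: str      # country code of the shipping address
    ship_method: str

# CVV/AVS failures are treated as hard flags; the rest are soft red flags.
HARD_FLAGS = {"cvv_mismatch", "avs_mismatch"}

def red_flags(order, home_country="US", large_order=500.0,
              usual_methods=("ground", "two_day")):
    """Return the red flags an order raises (thresholds are assumptions)."""
    flags = []
    if not order.cvv_match:
        flags.append("cvv_mismatch")
    if not order.avs_match:
        flags.append("avs_mismatch")
    if order.first_time_shopper and order.amount >= large_order:
        flags.append("first_time_large_order")
    if order.ship_country != home_country:
        flags.append("international_shipping")
    if order.ship_method not in usual_methods:
        flags.append("uncommon_shipping_method")
    return flags

def needs_review(flags):
    """Hold on any hard flag, or when two or more soft flags coincide."""
    soft = [f for f in flags if f not in HARD_FLAGS]
    return any(f in HARD_FLAGS for f in flags) or len(soft) >= 2

def triage(orders, **kw):
    """Map order id -> (decision, flags) for a batch of orders."""
    out = {}
    for o in orders:
        flags = red_flags(o, **kw)
        out[o.order_id] = ("review" if needs_review(flags) else "accept", flags)
    return out

# Constructed sample orders: id, first-time, amount, cvv, avs, country, method
SAMPLE_ORDERS = [
    Order("A1", False, 42.0, True, True, "US", "ground"),      # regular customer
    Order("A2", True, 1899.0, True, True, "US", "overnight"),  # new, large, rushed
    Order("A3", False, 120.0, True, False, "US", "ground"),    # AVS failed
    Order("A4", True, 75.0, True, True, "DE", "ground"),       # one soft flag only
]

if __name__ == "__main__":
    for oid, (decision, flags) in triage(SAMPLE_ORDERS).items():
        print(oid, decision, flags)
```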

5. Follow the guidelines of the PCI Security Standards Council. We mentioned the PCI Security Standards Council in the P2PE section, but their recommendations go far beyond just P2PE. The PCI Security Standards Council offers a wide range of recommendations and guidelines to help merchants protect their customers and their business. Merchants should check in regularly to ensure they are up to date on the topics.

It’s important to go beyond these five suggestions, and if you’re working with a merchant, take the time to find out more about their particular situation and customize your suggestions. After all, some merchants may not use e-comm at all, while others may be doing most of their sales over the internet. The latter situation requires a different emphasis, with more attention to preventing card-not-present fraud.

It’s crucial for merchants as well as payment companies to realize that there’s always more to be done, and there will be more updates on the horizon. But the basics remain as important as ever for businesses trying to keep sensitive data private and secure. And these five crucial steps can help to significantly improve a business’s standing in security.