Retail Checklist: 8 Tips for Secure Payments Processing

Retail Checklist: 8 Tips for Secure Payments Processing

Retail Checklist: 8 Tips for Secure Payments ProcessingAs a retailer, deciding on a payments processor can be overwhelming. With the recent string of high-profile customer data breaches, security should be the focal point of your provider’s every service and function.

Here are eight security features to look for when selecting a payments processor:

1. VAULTING

What: A vault is used to set up recurring payments. With a vaulting mechanism, customers can enter their credit card information into the vault via the retailer’s website, and set up recurring payments. Stored information can also be used during the next transaction with the retailer. This is the “remember me” option most of us see when making online purchases.

Why: Vaulting makes you more secure as a retailer because you’re not tasked with the burden of securing that data yourself. That responsibility is left up to the payments processor, as is the case with SecureNet’s PCI compliant vault.

2. TOKENIZATION

What: Tokenization is the process of using a unique code to represent a credit card number, thereby mitigating the risk associated with the exposure of the actual credit card number. To give a simple example, if a credit card number was 1234, it may be tokenized as ABCD. ABCD has zero value for a fraudster because it’s meaningless. For the payment processor, however, ABCD references an actual card number.

Why: Rather than exchange credit card numbers, merchants and payments processors can pass tokens, minimizing visibility into a payment account number. And, while breaches can still occur, hackers who infiltrate a token system will find that information useless.

3. P2P ENCRYPTION

What: In point-to-point (P2P) encryption, the card reader at your point-of-sale reads the information on the magnetic stripe of a credit card and transmits an encrypted version of that data to your payments processor, ensuring sensitive information is encrypted at the earliest possible point in your POS system. The processor then is the only party with a device capable of decrypting the data, which it does to perform an authorization.

Why: Data encrypted end-to-end, from the point of swipe to the point of the payments processor, guarantees zero exposure of plain text, non-encrypted information on the part of the retailer. This protects card numbers from a variety of attacks.

4. ENCRYPTED MOBILE HARDWARE

What: Payments processors that offer P2P encryption must also offer mobile encrypted hardware. The actual point-of-sale device at the register, or the dongle that plugs into a smartphone, should support data encryption from the moment it’s obtained via a credit card’s magnetic stripe.

Why: With mobile encrypted hardware, retailers don’t have to rely on their own infrastructure to be as secure as possible because the data passing through is encrypted and useless to anyone who may gain access on the retailer side. Mobile hardware that encrypts the card data at swipe also offers additional protection against malicious mobile applications that may attempt to access the card data if it were present in plain-text form on the mobile device.

5. EMV

What: EMV stands for Europay, Mastercard and Visa. It’s also often referred to as “chip-and-pin,” in which a microchip is embedded on a credit card to serve as a continually changing data point. This makes the card virtually impossible to clone. Look for a payment processor that has the capability to support chip-and-pin on a worldwide basis. EMV is already widespread in much of Europe, and the technology is quickly coming to the United States.

Why: Cards in the U.S. are very easily cloned just by reading the magnetic stripe off of the back. Even if customer data is compromised, it is extremely difficult to duplicate and make copies of EMV credit cards.

6. PCI COMPLIANCE

What: The payment card industry sets a security standard for all companies processing, storing and transmitting credit card information to protect consumers. Standards are enforced on four levels, based on the volume of transactions processed by a single merchant. PCI compliance should serve as a baseline standard when looking for a payments processor.

Why: All processors are required to be PCI compliant, but retailers may require a level of PCI compliance beyond the minimum standard. It is important to look for a processor with the resources to help small retailers meet whichever PCI-compliant standards they may be subject to, rather than going at it alone or hiring a third party.

7. FRAUD PROTECTION

What: Advanced payment processors can now facilitate automated pre-authorization on fraud checks. Sophisticated analyses of behavioral profiling and multi-currency factoring allow real-time payment authorization, minimizing unnecessary voids and reversals. Self-learning machines even update fraud rules at a high frequency to make the process truly automated.

Why: If the payments processor can minimize fraud that is occurring through them, they won’t have to charge more to recoup from charge losses. A robust fraud protection program benefits both the processor and the retailer from a cost perspective.

8. OMNICHANNEL SECURITY

What: Just as omnichannel payments rely on one processor across all channels (mobile, in-store and online), omnichannel security involves one provider to protect sensitive information across all channels. The same, consistent set of security controls, no matter where your processing is occurring, is key.

Why:  By choosing a processor with omnichannel security capabilities, retailers are tasked with managing just one relationship, rather than three separate for each form of payment. Customer information is contained to just one provider, reducing risk and eliminating the need for data duplication across locations.

About the Author

Avery Buffington is an information security architect at SecureNet with over 13 years of experience in the information security and financial services industries.

Featured

  • Agentic AI Will Revolutionize Cybercrime in 2025 According to New Report

    Malwarebytes, a provider in real-time cyber protection, recently released its 2025 State of Malware report, which reveals insight into the emergence of agentic artificial intelligence (AI), plus the year’s most prominent threats and cybercrime tactics. The report details a significant uptick in the number of known ransomware attacks, the total value of ransoms paid in 2024, and how IT teams can address them. Read Now

  • ESX 2025 Announces Expanded Schedule of Events

    ESX has announced its dynamic 2025 schedule, set to provide an unparalleled experience for professionals in the electronic security and life safety industry. Taking place June 16-19 at the Cobb Galleria Centre, this year’s event features an expanded lineup of educational sessions, hands-on workshops, inspiring main stage speakers, networking opportunities, and an engaging expo floor showcasing the latest technology. Read Now

  • City of New Orleans Launches NOLA Ready Public Safety App Before Super Bowl

    The City of New Orleans Office of Homeland Security and Emergency Preparedness (NOHSEP) is pleased to announce the official launch of the NOLA Ready Public Safety App, powered by Motorola Solutions. This new mobile application is designed to enhance public safety and emergency preparedness for both residents and visitors. All individuals planning to attend major events in New Orleans, including the Super Bowl, Mardi Gras, and other large gatherings, are encouraged to download the app. Read Now

  • 5 Tips to Improve Your Password Security

    Change Your Password Day is right around the corner. Observed every year on February 1, the day aims to raise awareness about cybersecurity and underscores the importance of keeping passwords strong and up to date. Read Now

New Products

  • ComNet CNGE6FX2TX4PoE

    The ComNet cost-efficient CNGE6FX2TX4PoE is a six-port switch that offers four Gbps TX ports that support the IEEE802.3at standard and provide up to 30 watts of PoE to PDs. It also has a dedicated FX/TX combination port as well as a single FX SFP to act as an additional port or an uplink port, giving the user additional options in managing network traffic. The CNGE6FX2TX4PoE is designed for use in unconditioned environments and typically used in perimeter surveillance.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”