Fighting Fraud: Improving the Security of Your Unattended Payments
In today’s world of online fraud and data breaches, one fraudster can cripple your entire business. Building security into your payment solution is no longer a nice-to-have – it’s an absolute must-have.
Merchants with unattended payments environments must deliver a high level of security for their customers, which means ISVs need to build advanced security technologies into the payment solutions they design.
But how much security is enough?
As it turns out, “enough” may be more than you think.
Customers can now purchase big ticket items like smartphones, tablets and cars (!) from kiosks and vending machines. As self-service payments become even more widespread, industry leaders like Amazon Go, Google Pay and Apple Pay are recognizing the need to protect themselves and their customers against fraud, using methods like pre-securing funds against customer cards, or requiring biometric authentication to complete a purchase.
Let’s look at some of the other tools ISVs can use to protect their merchants (and their merchants’ customers) from fraud and data theft, starting with the essential standard – PCI compliance.
PCI Compliance Is Fundamental for Self-Serve Payments
One of the most common questions we get asked is whether our platform is PCI compliant. The answer is, “Of course!” It has to be: PCI compliance is nonnegotiable in the payments industry.
But what does it mean?
When a company is PCI-compliant, it adheres to the security standard set by the Payment Card Industry Security Standards Council (PCI SSC). Not surprisingly, the standard itself is referred to as the Payment Card Industry Data Security Standard (PCI DSS). Every organization that accepts, transmits or stores cardholder data is subject to PCI DSS.
PCI DSS includes several levels and requirements, but at a high level it ensures all transactions are encrypted and data is destroyed after processing. In the unattended payments environment, that’s essential, especially when customers can’t see what’s happening with their private information.
While PCI DSS is fundamental, it doesn't cover all angles. To really protect data, you need more advanced technology, such as end-to-end encryption and tokenization.
End-to-End Encryption and Tokenization Offer More Protection
PCI compliance notwithstanding, the nature of unattended payments creates more risk of being compromised. ISVs are wise to incorporate extra security technology in their solutions, starting with end-to-end encryption.
What Is End-to-End Encryption?
End-to-end encryption (E2EE) is exactly what it sounds like: Data transmitted from sender to recipient is encrypted to prevent hackers from accessing it in transit. E2EE can use asymmetric cryptography, which relies on public-private key pairs, or a derived key that uses symmetric encryption to protect data.
Here’s how it works in its simplest form:
Let’s say Sam and Jean are communicating sensitive data. Their shared system assigns each of them a public key and a private key. When Sam sends a message to Jean, he uses Jean’s public key to encrypt (or lock) the message on his device. When Jean receives the message, she uses her private key to decrypt (or unlock) it. The process works inversely when Jean responds.
The messages are protected because they can’t be decrypted without the receiver’s private key.
How E2EE Protects Customer Data in Unattended Payments Environments
The beauty of E2EE is that it protects customer data even in the event of a security breach. In the past, merchants could see the raw customer credit card data, handle it, and send the payment on its way.
When an unattended payments solution uses E2EE, the raw card data is never exposed. Merchants get an encrypted payload that gets sent up to their payment gateway for handling. Merchants can still access the reporting they need about the type of card, transaction amount, and whether the payment was accepted, but they never see the card number – which means a hacker won’t either.
What Is Tokenization?
Another way to protect data is with tokenization.
Tokenization is different from encryption in that there is no translation or decryption involved. The token is like a poker chip – it takes the place of sensitive data that is stored elsewhere and is used to retrieve that data when it arrives at its destination. It has no value or significance, so if the token is compromised, there is no data to steal. It means nothing by itself and there is no relationship between the token and the data it represents.
How Tokenization Works in Unattended Payments Environments
When a customer swipes, dips or taps their credit card, the primary account number (PAN) is substituted with a token – the PAN isn’t transmitted, making the transaction more secure and reducing the risk that any data breach would result in fraudulent activity.
Taking this a step further, tokens can be single use and allow ISVs to move sensitive data to a secure vault without having to transmit it within their environment prior to processing the payment.
We put this technology in place for one of our ISV clients that specializes in advanced point of sale systems for the car wash industry. They wanted to mitigate the fraud that can be easy to perpetrate in these unattended environments – for example, when a customer uses the app to wash a friend’s car. The payment system needed to identify and prevent the fraud without damaging the customer relationship.
Our solution: We helped the ISV create a monthly pass program offered via a smartphone app. Each month, customers can purchase either unlimited washes and vacuums for the month or a lower tier that caps to one wash per day and 50 vacuum credits. For additional charges, customers can also add multiple vehicles onto family plans. Tokenization securely stores the customer’s payment information and serves up bar codes for the customer to scan at a kiosk before using their washes and vacuum time.
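The token-for-PAN substitution described in this section, sketched as an added example (not Worldnet's code). The `TokenVault` class, the `merchant_record` helper and the test card number are constructed for illustration; the vault stands in for the processor-side store.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Basic card-number checksum, run before a PAN is accepted."""
    if not pan.isdigit():
        return False
    digits = [int(d) for d in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Processor-side vault: the only place a PAN is stored (hypothetical)."""
    def __init__(self):
        self._pans = {}

    def tokenize(self, pan: str, single_use: bool = True):
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # The token is random, not derived from the PAN, so it reveals nothing.
        token = secrets.token_urlsafe(16)
        self._pans[token] = (pan, single_use)
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        pan, single_use = self._pans[token]  # KeyError: unknown or spent token
        if single_use:
            del self._pans[token]            # a replayed token is worthless
        return pan

def merchant_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant side keeps: token plus reporting fields, no PAN."""
    token, last4 = vault.tokenize(pan)
    return {"token": token, "last4": last4, "amount": amount}

if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"            # constructed test number
    record = merchant_record(vault, test_pan, "12.00")
    print("merchant stores:", record)
    print("PAN present in record:", test_pan in str(record))
    print("first redemption ok:", vault.detokenize(record["token"]) == test_pan)
    try:
        vault.detokenize(record["token"])
    except KeyError:
        print("second redemption rejected")
```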
DUKPT Protects Transactions Individually
ISVs that want to ensure the highest level of security can use a technology known as Derived Unique Key Per Transaction, or DUKPT.
DUKPT is a key management system that uses a one-time encryption key for every transaction, so even if one transaction is compromised, the rest of the transactions – and the system – are safe.
How DUKPT Works
The DUKPT process is set up to erase any trail of how data is encrypted.
It starts with what’s called a base derivation key (BDK), a super-secret key that is safely stored by the payment processor. Each device is assigned an initial key based on the BDK and the device key serial number (KSN).
That initial key is used to create a group of unique derived encryption keys (session keys) before it is erased from the device. For every transaction, a session key and its corresponding KSN are used for encryption. The session key is then erased.
When the encrypted transaction reaches its destination, the KSN is matched with the BDK to derive the encryption keys using the same process, this time to decrypt rather than encrypt. Even if a fraudster or hacker were to breach an encrypted payload and somehow reverse engineer the data – which is nearly impossible – the encryption key is only used for that single transaction.
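A simplified model of the derivation flow described above, added here as an illustration; it is not Worldnet's code and not the ANSI X9.24 DUKPT algorithm. HMAC-SHA256 and a linear key chain stand in for the standard's derivation, and the names (`Terminal`, `host_key_for`, the `TERM0001` device ID, the sample BDK) are hypothetical.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 stand-in, an assumption)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Processor side: per-device initial key from the BDK and device ID."""
    return kdf(bdk, b"initial|" + device_id)

class Terminal:
    """Unattended device: holds only the current chain key, never the BDK."""
    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self.counter = 0
        self._chain = ipek

    def next_transaction_key(self):
        """Return (KSN, one-time key), then ratchet the stored key forward."""
        self.counter += 1
        txn_key = kdf(self._chain, b"txn")
        # Overwriting models erasure: the old chain key cannot be recomputed
        # from the new one, so earlier transaction keys stay protected.
        self._chain = kdf(self._chain, b"next")
        ksn = self.device_id + self.counter.to_bytes(3, "big")
        return ksn, txn_key

def host_key_for(bdk: bytes, ksn: bytes) -> bytes:
    """Processor side: re-derive the one-time key from the BDK and the KSN."""
    device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
    chain = initial_key(bdk, device_id)
    for _ in range(counter - 1):
        chain = kdf(chain, b"next")
    return kdf(chain, b"txn")

def demo():
    bdk = bytes(range(32))  # constructed sample BDK, not a real key
    term = Terminal(b"TERM0001", initial_key(bdk, b"TERM0001"))
    results = []
    for _ in range(3):
        ksn, key = term.next_transaction_key()
        results.append((ksn.hex(), key == host_key_for(bdk, ksn)))
    return results

if __name__ == "__main__":
    for ksn_hex, matched in demo():
        print(ksn_hex, "host re-derived key:", matched)
```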
Your Payment Processing Gateway Should Make Security Easy
Using security technologies like PCI, E2EE, tokenization and DUKPT, ISVs can develop payment solutions that offer merchants extensive protection for their business and their customers.
At Worldnet Payments, we know the importance of data security in self-service and unattended payment environments. We’re PCI-certified, included on both the VISA and MasterCard service provider lists, and we offer the highest level of payment data security.
Worldnet Payments protects your transactions.
- Store, process & transmit payment data more securely with our Level 3 EMV certified SDK
- We're Level 1 PCI DSS Compliant – the highest and most stringent of the PCI DSS levels
- Reduce expensive PCI audit requirements with Secure Card tokenization & end-to-end encryption
- Guarantee your e-commerce payments via our high availability active-active data centers
- Get security behind our best-in-class Cloud Armor Web Application Firewall
- Reduce chargeback risk to your merchants using Go-Chip
- Confidence in knowing that we are "always on" with our highly scalable and available platform
Simplify your PCI-DSS journey by leveraging Worldnet’s products and expertise. Contact us today to talk about options for securing your clients’ payment data.