Fraud, Payments

What’s the role of encryption and tokenization in protecting omnichannel payments?

  • Retailers today are accepting payments in more ways than ever before, and that is exposing them to new risks.
  • The user data retailers hold makes them vulnerable to cyberattacks, and it needs to be protected using tokenization and encryption techniques.

American shoppers are paying in just about any way they can, from tapping their phones on terminals to smiling at cameras and waving over readers. Millennials – the largest group of consumers – are especially notorious for this, sporting the highest level of payment diversification of all age groups. For that reason, retailers today accept payments in a plethora of ways: cash, cards, ACH, BNPL – you name it. With such an omnichannel approach to payments, however, they are also exposing themselves to new risks.

Let’s look back to the Target and Home Depot breaches, from 2013 and 2014, respectively. In both instances, hackers remotely installed malware on the stores' payment devices and networks to siphon off clear-text credit card data.

The breaches ended up costing Target $300 million and Home Depot $179 million, on top of the damage to their brands, as the incidents have headlined papers for years since. While these are two of the biggest breaches in US history, they also highlight the threat that retailers open themselves up to with omnichannel payments.

“Just one breach can cost merchants millions of dollars to resolve, not to mention significantly damage the company’s reputation among customers. No comprehensive payments experience is complete without a comprehensive payment security strategy,” Ruston Miles, founder and advisor at Bluefin, told Tearsheet.

The risk retailers are looking at with omnichannel payments

An omnichannel payment system accepts payments through multiple channels – a website, a mobile app, and in-store, for example – and creates a seamless experience for consumers as they switch between them. In practice, this looks like the pay online, pick up in store service that many retailers offer today.

While age-old methods of fraud like identity theft and phishing pose risks here too, let's first deal with the threats specific to omnichannel payments. Card testing is one of them: crooks use stolen card details to make small purchases that would go unnoticed, to see if the card is still active. Stolen cards are readily available on the dark web, but oftentimes users block their cards as soon as they go missing or there is a fear of the credentials being stolen. So thieves test cards to see if a stolen card is usable, and if it is, bigger purchases follow.

There’s also cross-channel fraud, whereby criminals purchase something online with a stolen card and immediately go pick it up in person. By doing this, they cut out delivery time, giving the owner of the card less time to block it. Another way fraudsters misuse cross-channel methods is through a return fraud scheme. They may order something online, use it or pull out some of its parts, and then use another channel, like in-store, to return the product for a refund. By changing channels, they can often dodge screening processes.
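As an added illustration (not from the article), the velocity check below flags the card-testing pattern just described on a few constructed authorization log lines; the log format, the thresholds and the card tokens are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not from the article), one attempt per line,
# in time order. Card numbers are already tokenized; only the token appears here.
SAMPLE_AUTH_LOG = """\
2023-05-10T10:00:01Z card=tok_7f3a amount=1.00 result=declined channel=web
2023-05-10T10:00:09Z card=tok_7f3a amount=1.00 result=declined channel=web
2023-05-10T10:00:20Z card=tok_7f3a amount=0.99 result=declined channel=web
2023-05-10T10:00:31Z card=tok_7f3a amount=1.00 result=approved channel=web
2023-05-10T10:00:44Z card=tok_7f3a amount=2.00 result=approved channel=web
2023-05-10T10:01:02Z card=tok_7f3a amount=849.00 result=approved channel=web
2023-05-10T10:05:00Z card=tok_c1d2 amount=45.10 result=approved channel=pos
2023-05-10T11:30:00Z card=tok_c1d2 amount=3.50 result=approved channel=pos
"""


def parse_auth_line(line: str) -> dict:
    """Turn one 'ts key=value ...' log line into a dict with typed fields."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "card": rec["card"],
        "amount": float(rec["amount"]),
        "declined": rec["result"] == "declined",
    }


def detect_card_testing(log_text: str, window: timedelta = timedelta(minutes=5),
                        min_attempts: int = 4, small_amount: float = 5.00) -> dict:
    """Flag cards with a burst of small authorizations that includes at least one
    decline: the probing pattern described above. Returns {card: attempts_in_burst}."""
    recent = defaultdict(deque)  # card -> (ts, declined) events inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        if ev["amount"] > small_amount:
            continue  # only probing-sized amounts count toward the burst
        window_events = recent[ev["card"]]
        window_events.append((ev["ts"], ev["declined"]))
        while ev["ts"] - window_events[0][0] > window:
            window_events.popleft()
        if len(window_events) >= min_attempts and any(d for _, d in window_events):
            flagged[ev["card"]] = max(flagged.get(ev["card"], 0), len(window_events))
    return flagged
```

The large approved purchase that follows the burst is exactly the step the check is meant to get ahead of; in practice the flag would feed a step-up or block decision before that authorization is sent.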

Now let’s move on to the more high-tech stuff: hacking. Cyberattacks have also become much more sophisticated over the years. Hackers are no longer only targeting payment data, but also personally identifiable information (PII) and protected health information (PHI). PII and PHI can be resold on the dark web at a much higher price than payment card data and can be used for more lucrative types of fraud, such as identity theft. Retailers accepting digital and card payments have extremely sensitive customer data in their backends – data that needs to be protected.

“Hackers have expanded their threat vectors from simple malware in payment devices to compromising employee or vendor credentials, phishing and smishing, and taking advantage of third-party software vulnerabilities – all with the ultimate goal of getting into your system or network,” Miles said.

Once in, hackers can deploy a variety of malware to locate clear-text payment, PHI and PII data to compromise and monetize. Or they can go a step further and launch a ransomware attack, encrypting the retailer’s files and releasing the decryption key only upon ransom payout. If the files have been backed up and there is no need to pay the ransom, hackers can then threaten to release the sensitive data on the dark web, if it has not been masked with encryption or tokenization.

Devaluing sensitive customer data with encryption and tokenization

“The COVID-19 pandemic necessitated online and mobile purchases, so you have seen more consumer comfort in not only payment for goods online and through phones, but also entering PHI and PII through these channels. Now, a retailer could have five payment and data endpoints – the POS, e-commerce, mobile, call center, and even an unattended kiosk,” Miles pointed out.

With more payment touchpoints, retailers also increase their attack surface, and hackers find more opportunities to break in. Companies with unsecured channels – i.e. data traveling through the channels unencrypted and untokenized – are opening themselves up to high costs and brand damage in case of a breach.

So, merchants offering omnichannel payments need to make sure they have their bases covered with a security strategy that addresses all the different endpoints available to hackers.

A comprehensive payment security strategy includes a combination of encryption and tokenization to protect data, both in transit and at rest. This approach devalues data so that in the event of a breach, hackers cannot compromise sensitive info like credit card numbers or email addresses.

Tokenization and encryption, in combination, are essential to devaluing payment data. When a consumer makes a purchase, their financial information moves between the payment processor, bank, and merchant. An encrypted and tokenized system makes sure that it is not the actual credit card numbers, for example, that are moving about, but rather tokens that have replaced the actual numbers. Merchants and banks are then able to resolve these tokens and authenticate the purchase.

Encryption and tokenization devalue the data. What hackers are really after are consumers’ credit or debit card numbers, and thus direct access to their funds. Encrypted or tokenized data is worthless to them: even if they manage to intercept it in transit, they do not get their hands on anything sensitive.
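As an added illustration of the devaluation argument (not the article's or Bluefin's code), the toy vault below tokenizes a card number at checkout so the retailer's order record holds only a token; the vault, the token format and the HMAC-based stream cipher are simplifications standing in for an HSM-backed tokenization service.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher from HMAC-SHA256 (illustration only; a real
    vault uses AES-GCM inside an HSM). XOR is symmetric: same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    """Stand-in for the processor's tokenization service: the only place the real
    card number (PAN) exists, and even there only encrypted under the vault key."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}  # token -> (nonce, encrypted PAN)

    def tokenize(self, pan: str) -> str:
        # Random token with no mathematical relation to the PAN, so a leaked token
        # cannot be reversed without the vault; last four digits kept for receipts.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        nonce = secrets.token_bytes(16)
        self._store[token] = (nonce, _keystream_xor(self._key, nonce, pan.encode()))
        return token

    def detokenize(self, token: str) -> str:
        nonce, ciphertext = self._store[token]
        return _keystream_xor(self._key, nonce, ciphertext).decode()


@dataclass
class MerchantOrder:
    """What the retailer's own order database stores after checkout."""
    order_id: str
    amount_cents: int
    payment_token: str
    last4: str


def checkout(vault: TokenVault, order_id: str, pan: str, amount_cents: int) -> MerchantOrder:
    """Tokenize at the point of capture: the PAN never lands in merchant storage."""
    return MerchantOrder(order_id, amount_cents, vault.tokenize(pan), pan[-4:])


def leaked_record_reveals_pan(order: MerchantOrder, pan: str) -> bool:
    """What an attacker dumping the merchant's orders table would learn."""
    return pan in repr(order)
```

Dumping the merchant's orders yields tokens and last-four digits only; turning a token back into a card number requires both the vault's store and its key, neither of which lives on the retailer's side.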

This got me wondering how the payment security burden is distributed among retailers, payment processors, and banks.

“The scope of responsibility for security compliance is the subject of much time, money and consulting, which is a nice way of saying, 'it depends, and retailers may wish to seek guidance on this point.' Any party that touches cardholder data is responsible for its safety, whether the entity is the payment processor, a third-party vendor, or the retailer. And, the retailer is further responsible for formally listing all processors and third-party vendors that store, transmit or process cardholder data on their behalf and confirming PCI DSS Compliance for each annually,” Miles told me.

As the world uses increasingly varied ways of paying, retailers understand that lagging in adoption could be costly. Now, it's time for them to also recognize and manage the risks that come with this adoption.