The Payment Transformation

Since the dawn of transactions between humans, the physical point of the transaction has served as a key instrument in the prevention of fraud, financial theft and mistakes. Letters were sealed by their senders with wax and an impression that was unique to them, ancient Roman tax collectors would carefully examine coins to ensure they weren’t fakes and cattle ranchers would brand their cattle with hot irons to prove ownership. Even the relatively modern (in the scheme of things) cash register of the early 1900’s would have a marble slab for coins that would enable the merchant to drop the coin onto the slab and determine, by sound, if the coin was real. Even to this day we have pens to mark money to determine if it’s counterfeit. Imagine trying to pass a fraudulent Roman coin to a tax collector that saw ten thousand coins a day or modifying a cattle brand that a buyer was used to seeing daily. The standards for being a bad guy were pretty high in those days, not to mention the penalty for screwing it up, which was often death. The key theme here is that the Point of Sale (POS) used to be a key mechanism for ensuring the validity of a transaction, reducing fraud and catching bad guys. One would have to imagine that the guy who passed the fake coin to the Roman tax collector and got discovered didn’t make it far from the POS. Anybody stealing cattle with a fake brand in North Dakota in the 1800’s would have been making a request for a cigarette and a last meal. 

Enter technology. The payment transaction has changed more in the last two decades than in the last two millennia. What is the POS? Is it the physical cash register? The mobile phone? The website? The online payment services or e-Check? Exactly where does the transaction take place and who is the arbiter of authenticity? Transactions are easier than ever before because human beings have leveraged technology to make them easier, and this is a benefit to all of us. Where we’ve suffered is in replicating the Roman tax collector, the cattle buyer, the marble slab or the counterfeit marker pen in preventing fraud. As the era of the ‘knuckle buster’ credit card ink roller ended, we created some pretty decent standards for securing credit card transactions. However, we could have never anticipated the POS coming from everywhere.  

It’s time for change.   

Secure payment is not a product, it’s not a process, it’s a collection of the right things to do. Digitally, replicating the role of the human being at the POS by preventing fraud, determining the validity of the consumer and handling disputes. We need a way to replicate the handshake. 

In the cyber security world, we must expand beyond the Cardholder Data Environment (CDE) and evaluate our payment applications end-to-end. Finding vulnerabilities before the enemy does requires identifying the consumer and the merchant. We must deploy technology in a meaningful way to protect data from financial theft and optimize our previous credit card security investments in unique ways. For instance, tokenization, privileged access management, and point-to-point encryption are fantastic methods for reducing risk to personally identifiable information. 

Secure Payment is a by-product of great application security, network segmentation, encryption, identity and access management, threat intelligence and incident response. A secure payment lifecycle is not “checking the box” for compliance with a standard, and it’s also not about reducing scope to as few devices as possible. 

Securing payment transactions is truly a function of leveraging what we’ve learned over the last twenty years and adapting our approach to a new era of business and a broader scope of the transaction. 

We need to become the industry that can authenticate the wax seal, know the sound of a gold coin bouncing off a marble slab or recognize a cattle brand. It’s on us to ensure the next millennia of transaction has the same effect on progressing society as the last two have. 

In the white paper, Building a Secure Payment Lifecycle, Optiv expands upon the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, and it describes additional considerations that influence merchants’ ability to attain not only compliance but also solve top payment security challenges.