Join the Community

22,080
Expert opinions
44,048
Total members
428
New members (last 30 days)
200
New opinions (last 30 days)
28,699
Total comments

How to ensure secure contactless payments

The use of online banking and shopping has grown significantly, but so too has the number of security threats targeting such services. According to the latest Breach Level Index report, 888 data breaches occurred during the first half of 2015 alone, compromising 246 million records worldwide. 

However, while cash and card payments are still the most widespread methods of payment, and though security is a key concern for many people, studies show that UK shoppers increasingly prefer using mobile payments instead of credit cards. If this trend continues, mobile payments could very well become the new norm, especially once the limit for contactless payments increases to £30 in the UK this year.

While the need to secure payment transactions and data remains critical, and though there is heightened pressure to comply with credit card payment standards, securing financial data is far from simple. Contactless payment cards will expose sensitive information to anyone using the appropriate wireless equipment. As with all technology, this equipment is becoming ever more readily available and lower cost. So what can businesses do to ensure that their most sensitive data remains protected? 

The payment industry always planned that the risks associated with exposing information over wireless connections would be mitigated by stronger controls put around transactions made over the telephone or Internet. This is why it’s vital for businesses to protect their customers’ data as early in the transaction process as possible by moving to a framework that is centred on the data itself. This means adopting a ‘secure breach’ approach to data protection, which focuses on protecting sensitive data wherever it exists.

Rather than focusing on specific points of vulnerabilities, end-to-end encryption secures data from the earliest possible moment of its capture, ensuring that data remains in an encrypted state consistently until it arrives at the payment gateway.  

However, encryption alone is only part of the solution. Organisations should invest in a standards-based enterprise key management strategy that includes specific methods of limiting access to keys, defines how those keys are issued and distributed, and protects them while they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who could then access cardholder data.

Being breached is not a question of “if” but “when”. Long-term security, as well as business success, will hinge on an organisation’s ability to manage its security efforts more comprehensively and strategically. Only by adopting a data-centric approach that leverages the cloud to secure sensitive information across its entire lifecycle can companies be safe in the knowledge that their data is protected, whether or not a security breach occurs.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
