Card-not-present (CNP) fraud reached an all-time high in Europe this year, according to FICO. What is clear is that whilst EMV has been very successful at reducing face-to-face fraud, the criminals simply migrate to the next weakest part of the payments chain, which is currently CNP. Rather like squeezing a balloon, shrinking it in one place simply makes it expand somewhere else.

In response to CNP fraud, we are seeing many organisations use the services of a third-party payment provider so that cardholder data never enters their own environment.

Whilst this is a very understandable and positive step, it carries some key risks that you should be aware of, and there are some critical steps an organisation should follow to make sure that using a third-party provider does not introduce new weaknesses into its own systems. The PCI Council's Third Party Security Assurance guidance sets these out, including:

  • Conduct due diligence and a risk assessment when engaging third-party service providers. This helps you understand the services provided and how the PCI DSS requirements will be met for those services.
  • Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring programme.

What is clear is that if you are going to use a third party, first check that they are PCI DSS compliant and that this compliance has been validated by an independent Qualified Security Assessor (QSA). If your third-party provider supplies and manages the payment page of your website, pay careful attention to how and when the customer is redirected to it. Unfortunately there are many integration methods that can still allow a criminal to gain access to the cardholder data; in particular, the page on your own website that performs the redirect remains a target, because anyone who can alter it can send your customers to a fraudulent payment page instead.

I definitely recommend reviewing the full document, which is available online. The recommendations were developed by a PCI Special Interest Group that included merchants, banks and third-party service providers. The full document includes high-level suggestions and discussion points for clarifying how responsibility for individual requirements may be shared between an entity and its third-party service provider, as well as a sample responsibility matrix that can assist in determining who will be responsible for each specific control area.

CNP fraud is real and is happening here in Europe; unfortunately the figures do not lie. It is up to you and your organisation to adopt and implement the PCI DSS, and to use all of the support and guidance available, to make sure it does not happen to you.

Jeremy King, international director of the PCI Security Standards Council, will be writing a regular column for Essential Retail on payments and security.
