Comment: Secure third-party relationships to fight CNP fraud

Card-not-present (CNP) fraud reached an all-time high in Europe this year, according to FICO. What's clear is that whilst EMV is very successful at reducing face-to-face fraud, the criminals simply migrate to the next weakest part of the payments chain, which is CNP. Rather like squeezing a balloon, reducing the size of the balloon in one place simply results in it expanding in another.

In terms of CNP fraud, we are seeing many organisations use the services of a third-party payment provider to remove cardholder data from their own environment, and with it much of their PCI DSS scope.

Whilst this is a very understandable and positive step, there are some key risks you should be aware of and some critical steps organisations should follow to ensure that using a third-party provider does not introduce new weaknesses into your system. These are outlined in the PCI Council's Third Party Security Assurance guidance.

First, if you are going to use a third party, check that they are PCI DSS compliant and that this compliance has been assessed by an independent Qualified Security Assessor rather than merely self-declared. If your third-party provider supplies and manages the payment page of your website, pay careful attention to how and when the customer is redirected to it. Many integrations leave the merchant's own web server in control of that redirect, or of a form or frame that collects the card details before they reach the provider; in those cases a compromise of the merchant's site can still give the criminal access to the cardholder data, even though the merchant never stores it.

I definitely recommend reviewing the full document available online. A PCI Special Interest Group including merchants, banks and third-party service providers developed the recommendations. The full document includes high-level suggestions and discussion points for clarifying how responsibilities for requirements may be shared between an entity and its third-party service provider, as well as a sample responsibility matrix that can assist in determining who will be responsible for each specific control area.

CNP fraud is real and is happening here in Europe: unfortunately the figures do not lie. It is up to you and your organisation to adopt and implement the PCI DSS, and to make use of all the support and guidance available, to make sure it does not happen to you.

Jeremy King, international director of PCI Security Standards Council, will be writing a regular column for Essential Retail on payments and security.

Further information: PCI Security Standards Council.