As Threats Evolve, Retailers Must Stay Vigilant

SCApath advises retailers to focus their efforts on protecting data from two perspectives: while the information is “at rest,” and while it’s “in motion.”

One thing is very clear: significant investments are required to shore up payment processes and technology, and to update them on a regular basis.


Protecting Data “at Rest”

This refers to safeguarding payment information that resides in a database.

  • Data encryption involves using an encryption key and an algorithm to produce a ciphertext. This ciphertext is what is ultimately stored in the website or order management system database. Encryption alone won’t do the job, however; like the deadbolt on a house, this system of protection is only as effective as the organization’s ability to safeguard the key from outsiders.
  • Tokenization refers to using payment tokens: an exchange of information that removes any reference to the original payment data. Simply put, customer data is handed over to a third-party system, which returns an entirely different set of numbers. To get access to the data customers originally provided, retailers must verify their identity.


Both encryption and tokenization are excellent ways to protect customers’ payment information, but they work best together.

Some retailers go a step further: they tokenize payment information before sending it over secure channels, and then tokenize the encrypted number a second time. This approach offers one of the highest possible degrees of security.
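The following is an added example, not code from SCApath or from any retailer's or vendor's system, showing how encryption and tokenization fit together as the two bullets above describe: a hypothetical in-process vault encrypts the card number (PAN) with AES-256-GCM under a key only the vault holds, hands the retailer a random token with no relationship to the PAN, and gives the PAN back only to a caller that has proved its identity. The card number, the token format and the `authorized` flag are constructed for the example; the last lines of `main` make the deadbolt point concrete, since a copied vault record decrypted under any other key yields nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault is a hypothetical tokenization service. It alone holds the encryption
// key and the token -> ciphertext mapping; the retailer's database sees only tokens.
type Vault struct {
	aead  cipher.AEAD       // AES-256-GCM under a key that never leaves the vault
	store map[string][]byte // token -> nonce || ciphertext || tag of the PAN
}

// newGCM builds an AES-GCM AEAD from a raw key (32 bytes selects AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVault generates a fresh random key; in production it would live in an HSM or KMS.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// open splits nonce || ciphertext and decrypts. Under an AEAD built from any
// other key the tag check fails, so a copied record is worthless on its own.
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("record too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Tokenize encrypts the PAN and returns a random token unrelated to it.
func (v *Vault) Tokenize(pan string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	raw := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	v.store[token] = v.aead.Seal(nonce, nonce, []byte(pan), nil)
	return token, nil
}

// Detokenize returns the PAN only to a caller that has proved its identity;
// authorized stands in for whatever authentication the vault enforces.
func (v *Vault) Detokenize(token string, authorized bool) (string, error) {
	if !authorized {
		return "", errors.New("caller not authorized to detokenize")
	}
	blob, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	pan, err := open(v.aead, blob)
	return string(pan), err
}

// Stored returns the raw vault record, i.e. what a database dump would reveal.
func (v *Vault) Stored(token string) []byte {
	return v.store[token]
}

func main() {
	v, _ := NewVault()
	token, _ := v.Tokenize("4111111111111111") // constructed test number, not a real card
	_, denied := v.Detokenize(token, false)
	pan, _ := v.Detokenize(token, true)
	wrong, _ := newGCM(make([]byte, 32)) // a guessed key recovers nothing
	_, bad := open(wrong, v.Stored(token))
	fmt.Println(token, "|", denied, "|", pan, "|", bad)
}
```

The retailer's own systems keep `token`, never the PAN, so a breach of the order database exposes nothing chargeable; the vault's record is ciphertext, so a breach of the vault's storage is likewise useless without the key, which is why key custody (an HSM or KMS, not a config file) is the part that actually carries the risk.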


Protecting Data “in Motion”

Information in transit is equally vulnerable.

  • Secure Sockets Layer (SSL) is the leading security protocol on the Internet, and it’s widely used to validate the identity of a website or server. With SSL, retailers can ensure the handshake between the two applications, including that identity check, completes before any information is exchanged. This reduces the likelihood of a hacker intercepting the data mid-stream.
  • Point-of-entry security is paramount. Call center computers must be scanned for keystroke-logging software, including the newest variants. For every in-store transaction, payment information must be encrypted immediately, inside the payment terminal, before it is transported over secured channels.
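As an added illustration of the SSL bullet above (example code, not from the original article or from any vendor), the program below runs the handshake between an in-process server and client on the loopback interface and shows the identity check doing its job: the client accepts the server only when the certificate is in its trust store and was issued for the name the client meant to reach, and refuses to exchange anything otherwise. The host name "shop.example", the self-signed certificate and the mismatched name "other.example" are all constructed for the example; what the code negotiates is TLS, the successor to SSL that current clients actually use, which is why the version it reports is a TLS version.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeServerCert builds a self-signed certificate for the constructed host
// name "shop.example" in memory. It stands in for the CA-issued certificate a
// real store front presents; the returned pool is the trust store of a client
// that accepts it.
func makeServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shop.example"},
		DNSNames:     []string{"shop.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake starts a TLS server on the loopback interface and connects a
// client that trusts only roots and expects the server to prove it is
// serverName. tls.Dial completes the handshake before returning, so no
// application data can flow unless that identity check passes. It returns
// the negotiated protocol version and the client's error, if any.
func handshake(cert tls.Certificate, roots *x509.CertPool, serverName string) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		_ = s.Handshake() // fails when the client rejects the certificate; either way this side is done
		s.Close()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return 0, err
	}
	defer c.Close()
	return c.ConnectionState().Version, nil
}

func main() {
	cert, roots, err := makeServerCert()
	if err != nil {
		panic(err)
	}
	v, err := handshake(cert, roots, "shop.example")
	fmt.Printf("trusted certificate, matching name: version 0x%04x, err=%v\n", v, err)
	_, err = handshake(cert, x509.NewCertPool(), "shop.example")
	fmt.Println("certificate not in the client's trust store:", err)
	_, err = handshake(cert, roots, "other.example")
	fmt.Println("certificate issued for a different name:", err)
}
```

The two failing calls are the cases an interception attempt would have to get past: a certificate the client does not trust, or a genuine certificate presented for the wrong host. Both are rejected before any payment data is sent, which is the guarantee the bullet describes; the check a practitioner should confirm in their own clients is that nothing sets `InsecureSkipVerify` or an empty `ServerName` in production, since either disables exactly this validation.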


In addition, in-store payment terminals should be audited regularly to make sure modified card readers (skimmers) have not been fitted over the original terminal. Although small in scale and labor intensive, this method of stealing credit card information is used at retail stores, ATMs, gas station pumps, and everywhere else credit cards are scanned.