In the more than eighteen months since the outbreak of the COVID-19 global pandemic, many businesses have had to reinvent themselves and adapt not only how they manage their business but, more importantly, how they accept payments. Europe, like most of the rest of the world, saw a major switch to remote transactions and the world of e-commerce. On top of these significant changes, many organizations have also had to confront the practical and security challenges of employees first having to, and then wanting to, work from home.
In this blog, Jeremy King, Vice President, Regional Head of Europe for the PCI Security Standards Council (PCI SSC), and James Vale, Head of Payment Security Products & SME PCI DSS Compliance Programme at Barclaycard Payments, discuss the challenges of payment security in Europe.
Barclaycard Payments is a member of the PCI SSC Board of Advisors, a board that represents the perspectives of our global community, advising, discussing and providing feedback and guidance to the PCI SSC on standards and programs development and adoption, as well as on the future direction and challenges of payments and payment security globally.
What has changed during the pandemic that will affect payments going forward in Europe?
James Vale: One of the primary changes we saw during the pandemic was the sudden and sharp decline in the use of cash as a payment method, replaced by increased card use. In the UK alone, the lockdown announcement on 23 March 2020 resulted in an immediate 4% drop in the value of ATM withdrawals (Bank of England statistics).
As stores closed during the COVID-19 pandemic, the pivot from face-to-face transactions to ecommerce and Mail Order Telephone Order (MOTO) was dramatic. Businesses were very quickly forced to adapt to survive, such as generating a website where they had none, or turning to social media sites to advertise their goods and services. The reliance on footfall traffic was over. According to the Office of National Statistics, ecommerce payments grew by 49% in 2020 over the previous year, with the online food sector seeing the largest growth at 79.3%.
Whilst footfall traffic is returning to our high streets and shopping centres, there has been a generational change in how we pay. Those who were previously reliant on cash were suddenly forced to use debit and credit cards for payments. This behavioral shift is one that will not so easily be reversed, and so card payments should continue to rise. The increased contactless limit in the UK to £100 will help accelerate this trend.
Finally, I believe businesses are more conscious than ever of focusing on offering a fast, frictionless payments experience to their customers.
What are some of the main challenges facing merchants in this changing payment environment?
James Vale: I think just keeping up with the demands of the consumer will be one of the biggest challenges. The hospitality industry has been a terrific example of how the payments landscape has changed recently. During one of the lulls in lockdowns here in the UK, I went for a meal with my family at a well-known Asian food chain. What immediately struck me was the presence of a QR code on my table, which would allow me to pay for my food through a payment gateway, and allowed me the option of adding gratuity, before allowing me to either enter my card details, or pay with my e-wallet.
The increased presence of payments integration with Independent Software Vendors (ISVs), and the growth of payment facilitators, also offers options to merchants that just were not there previously. The payments industry reminds me of the hype around IoT, and how all devices would be interconnected and able to talk to each other. There are so many third parties involved now that it’s tough for merchants to keep up and understand which of their third parties is responsible for what, and how they connect into and support their environment. With the increased number of third parties comes the issue of implied trust – has due diligence been performed, are you aware of exactly what services the third party is providing and what role they play in your PCI DSS compliance and cyber security posture?
What are some of the threats businesses are facing when it comes to payments?
Jeremy King: Criminal hackers have made the absolute most out of this global crisis, exploiting security shortfalls and opportunities at a record pace. This surge in activity has also seen a change in how the criminals are attacking organizations.
Ransomware attacks have been front and center in the news recently due to high-profile breaches that have impacted businesses across the globe. These headline-grabbing attacks have been part of a larger global increase in ransomware crime. With a dramatic increase in security challenges due to the disruptions caused in part by the COVID-19 pandemic, there has been a significant increase in ransomware attacks. According to the Harvard Business Review, in 2020 there was an estimated 150% increase in ransomware attacks, and 2021 has seen this activity continue to spike upward (1).
Keren Elazari, European Keynote Speaker at our 2021 Global Community Forum, Cyber Security Author and Senior Researcher at the Tel Aviv University Cyber Research Centre, described ransomware as “almost the perfect crime”, highlighting how some criminals were able to completely encrypt an entire organization’s data in a little over 5 hours following initial ingress to the company.
Keren also stated that criminals are then demanding payment to provide the decryption key, and in some instances as an extra “incentive” are threatening to release sensitive information such as development ideas if payment is not made.
With Cybersecurity Ventures estimating that Ransomware will cost $20 Billion in 2021, this wave of ransomware activity has left many businesses and governments around the world scrambling for answers as they struggle to stay a step ahead of organized cybercriminal gangs.
These cyber threats are very real and require immediate action to better protect against these ongoing criminal activities through basic cyber security hygiene, such as that highlighted in the recently published PCI SSC resource guide on the topic of ransomware.
What are some solutions and guidance for organizations who want to educate themselves about ways to better protect their payments during this challenging time?
Jeremy King: The last two years have seen companies across Europe first struggling to keep up with the changes necessary because of the pandemic, and now struggling to adapt to the changing way employees are wanting to work and consumers are wanting to shop.
As a leader in payment security, the PCI SSC has led the way in developing content around many topics that we have heard about from our global stakeholders. It is estimated that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. As working from home moves from necessity to the new normal, it is possible that organizations and workers initially overlooked, and continue to overlook, cybersecurity best practices. To help bridge this knowledge gap, PCI SSC has created a low-cost 45-minute training program to educate organizations and remote workers on the basics of working from home in a secure manner.
We also developed a “Back to Basics” series that was designed to remind organizations about good, fundamentally sound security practices that might have been forgotten during the pandemic. This 8-part series is based upon a set of payment protection resources for small merchants to help them in better protecting against payment data theft.
The PCI SSC has also worked to make the payment industry aware of looming threats with our industry threat bulletins. Earlier this year we covered the importance of cloud scoping and are currently developing a ransomware bulletin.
Looking to 2022, what big news will be happening in the world of payments?
James Vale: From an acquirer standpoint, the release of PCI DSS version 4.0 is going to be huge for us and our merchants. We have a responsibility to help educate our merchants, guide them through what the new standard means for them, and how it will impact their onsite or self-assessments moving forward.
Although introduced in October 2021, the increase in the contactless payments limit to £100 feels extremely significant. Barclaycard Payments pushed out updates to our terminal customers, to allow them to take advantage of this higher threshold, and given the precedent the COVID-19 pandemic set for fast, frictionless payments, this feels like a very significant step. It will be interesting to see what the £100 limit in the UK does to contactless payment usage, as now you’re able to fill your car up with fuel, or do a weekly family shop and have this covered, rather than have to manually insert your card and key in your PIN number.
Increased mobile payments and the usage of digital wallets will also be areas to keep an eye on. More and more payment methods will become available, effectively removing the Primary Account Number (PAN) from the equation through token usage. With younger generations increasingly using mobile commerce, expect to see this sector grow even more. Hand in glove with this will be the uptake of merchants using their own devices to take payments – don’t underestimate the appeal of being able to use your own mobile device to take payments, rather than having to rely on a terminal.
We also have the full enforcement of Strong Customer Authentication (SCA) in the UK ahead in March 2022. This is potentially going to have a significant impact on a consumer’s ecommerce experience. Education around what is happening, and why, will be paramount to ensuring that the cardholder understands the additional security validation requirements and is expecting them. There have already been some signs of impact in Europe on abandonment rates at the checkout stage due to SCA, so we have been working hard with our merchants to provide education, as well as to introduce our Transact product to help facilitate a better consumer experience.
Jeremy King: 2022 will be a very impactful year for the PCI SSC as we roll out our Data Security Standard (DSS) v4.0. The publication date is targeted for Q1 of 2022. This new version of the DSS has been the result of significant industry input on topics such as the modern payment lifecycle, with the PCI SSC incorporating three (3) rounds of Request for Comment (RFC) opportunities from our Global Community. Our DSS RFC process generated nearly 6,300 comments from 213 unique stakeholder organizations from around the world. Each and every one of those comments or pieces of feedback was reviewed and considered as part of the PCI DSS development work.
2022 will also see the PCI SSC continue to focus on the important issues of software security, mobile payments, and cloud security. I would encourage payment stakeholders to subscribe to our blog and stay up to date with the latest PCI SSC news!
Where can people get more information about e-commerce payment security?
James Vale: Barclaycard has a dedicated webpage to help small merchants better understand their risks and responsibilities as well as provide helpful resources.
Jeremy King: One of the best innovations PCI SSC introduced very early in its existence was the creation of our Special Interest Groups. These allowed our global community to nominate, vote, and participate in the generation of guidance documents covering a wide range of topics designed to help our community. One such document is the Best Practices for Securing E-Commerce. This excellent document provides easy-to-understand guidance that, as the saying goes, “does exactly what it says on the tin”.
On top of that, education remains one of the main pillars for improving security, and we have a wide range of training programs, from PCI SSC Awareness training, through PCI Professional, to Internal Security Assessor training, that can help train your staff to understand the PCI SSC standards and how these can help secure your business.
Finally, our webpage has a wealth of information and guidance about payment security, not just our standards and training options. We are currently undertaking a major update of our website so it will be even easier to find the information you need and are looking for.
Some links you would find useful are:
- COVID-19 Resources
- PCI SSC Blog - SMB Series
- PCI Secure SLC Program Expands Vendor Eligibility with Version 1.1
- Reduced Certification Requirements for PA-QSA Secure Software Assessor Candidates until 30 June 2021
- New Terminal Software Module Introduced in PCI Secure Software Standard Version 1.1
- Transition to Version 1.1 for New Secure SLC and Secure Software Submissions
- Part One: Conceptual Differences Between SSF and PA-DSS
- The Future of PCI SSC Mobile Standards
- Just published: SPoC Unsupported Operating Systems Annex
(1) Sharton, Brenda R. “Ransomware Attacks Are Spiking. Is Your Company Prepared?” Harvard Business Review, May 20, 2021. https://store.hbr.org/product/ransomware-attacks-are-spiking-is-your-company-prepared/H06DEB