Geoff Forsyth, CISO of PCI Pal, reveals the best practices financial organisations should employ to manage their data security effectively.
The 2021 Cyber Security Breaches Survey published by the Department for Digital, Culture, Media and Sport found that four in ten businesses (39%) and a quarter of charities (26%) reported having a cybersecurity breach or attack in the last 12 months.
For organisations operating contact centres and supporting remote working, one thing is clear: criminals are determined to obtain personal and financial data. Everyone must therefore stay one step ahead and consider carefully what needs to be done so that attempts at data theft fail, particularly attacks on customers' sensitive payment card information.
All organisations that take card payments from customers are responsible for safeguarding that sensitive data; this is not simply to protect the customer from fraud and theft, but also to protect the reputation of the organisation and to preserve brand loyalty. Any organisation that stores, processes or transmits customers' debit or credit card data is in scope for the PCI DSS (Payment Card Industry Data Security Standard), regardless of its size or the volume of transactions it processes.
Although the PCI DSS exists to ensure that payment card data collected and held by businesses is properly secured against attackers, it also works hand in hand with wider security strategies. PCI DSS compliance is not GDPR compliance, but many of its controls (access control, encryption, logging, vulnerability management) are exactly what GDPR's security obligations expect, so pursuing PCI DSS compliance provides a solid foundation on which to build.
The only way an organisation can be confident that its customers' payment details and personal data are adequately protected is to execute an end-to-end security plan that covers the company's network and the data it stores and transmits.
So what does end-to-end data security in a financial environment look like?
Encryption
Strong encryption means that data is transformed, using a current industry-standard algorithm and a secret key held only by the authorised parties, into ciphertext that cannot be read without that key. If the data leaks out of the organisation, or someone intercepts it in transit on its way to the server, it is useless to the criminal without the key. The protection is only as strong as the key management around it: a key stored next to the data it protects, or shared more widely than necessary, gives the whole benefit away.
Businesses that failed to implement a proper encryption strategy before a breach have found themselves dragged through the media for failing to protect customers' data, and have been hit with major fines as a result.
All sensitive data in an organisation should be encrypted both at rest, wherever it is stored, and in transit across a network (for example with TLS). Only then can criminals be prevented from using the data even if they are able to get hold of it. Note, though, that data has to be decrypted to be used, so the systems and accounts that hold the keys need the same care as the data itself.
Tokenisation
Like encryption, tokenisation prevents anyone without authority from gaining access to the information. The card number (PAN) is replaced with a surrogate value, the token, which has no mathematical relationship to the original, so the merchant stores and passes around only the token and at no point holds the actual card data. Only the payment processor (or token service provider) that operates the token vault can 'de-tokenise' the value when the transaction reaches it for authorisation. A stolen token is worthless to an attacker, and systems that only ever see tokens can be taken out of PCI DSS scope.
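As an added illustration (not PCI Pal's code, and not a description of any particular processor's scheme), the following Python sketches a token vault of the kind the processor operates: the merchant hands over the card number, receives a random surrogate that keeps only the last four digits, and stores nothing else; only the vault can turn the token back into the PAN. The TokenVault class, the merchant_checkout function, the order record and the in-memory dict are hypothetical stand-ins; a real vault would encrypt the stored PANs and sit inside the processor's PCI DSS environment. The card number used is the well-known Visa test number, not a real card.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used by every major card brand.

    `number` must be a string of decimal digits. The check only catches
    typos, it is not a security control, but it tells us whether a value
    could be a genuine card number at all.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Token service as run by the payment processor (hypothetical class).

    The merchant never holds an instance of this. In a real deployment the
    stored PANs would be encrypted and the vault would live in the
    processor's PCI DSS environment; a dict stands in for that store here.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        """Return a surrogate for `pan` that keeps only the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        while True:
            # Random digits for everything except the last four, so staff can
            # still say "the card ending 1111" without ever seeing the PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn: a token must never be a
            # plausible card number, so it cannot collide with any real PAN
            # (including the one being tokenised) or be submitted as one.
            if luhn_valid(token) or token in self._pan_by_token:
                continue
            self._pan_by_token[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at authorisation time."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant's order system ends up storing (hypothetical record).

    The PAN is handed to the vault and discarded; only the token is kept.
    """
    token = vault.tokenize(pan)
    return {"order_id": "A-1001", "card_token": token, "card_last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "4111111111111111")   # Visa test number
    print("merchant stores:", record)
    # Processor side, at authorisation:
    print("processor resolves:", vault.detokenize(record["card_token"]))
```

Because each token is freshly random, tokenising the same card twice yields two different tokens; schemes that need a stable token per card (for recurring billing or fraud analytics) derive it deterministically inside the vault instead, but the property that matters for the merchant is the same: nothing it stores can be turned back into a card number without the processor.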
Staff training and awareness
A major way to secure an organisation against threats is to make sure staff are fully trained, aware of security best practice, and understand why the systems and processes that stop data falling into the wrong hands are there.
Educating staff about the PCI DSS and how the business achieves compliance helps to get them on board and ensures that their day-to-day practices adhere to it; this helps the business stay compliant all year round, not just at audit time.
Passwords and two factor authentication
One surprising place where businesses commonly fail in their security strategy is password protection. A password alone is rarely enough to protect a network against a data breach: automated attacks try thousands of guesses per second, from dictionary words and leaked password lists to random character combinations, and a password reused from another breached site falls immediately.
The most assured way to secure access to devices and systems on the network is to enable two factor authentication (2FA), which requires a second factor (something the user has, such as an authenticator app or hardware token) on top of the password, so that a guessed or phished password alone is not enough to get in. Where the choice exists, prefer app or hardware-key based factors over codes sent by SMS, which can be intercepted or redirected.
Testing and auditing systems
Organisations must have a detailed risk management process and action plan in place so that they are ready to deal with the complex issues that may befall them. At the core of this sits the auditing and testing of infrastructure and systems: regular vulnerability scanning, penetration testing and review of configurations and access rights. The PCI DSS itself requires quarterly vulnerability scans and at least annual penetration testing, and anything those find must be tracked through to remediation. This is critical.
Failure to conduct formal audits leaves the organisation unprepared and exposed to significant fines, or to loss of revenue through the reputational damage that follows a data breach.
PCI compliance and descoping
Although many of the security measures mentioned above will protect payment data, there is a lot more at risk in the contact centre. For example, call recordings, which may be legally required under financial services rules, can contain card data spoken aloud by the customer, including sensitive authentication data such as the three-digit security code that the PCI DSS prohibits storing at all after authorisation, and those recordings will still be there for hackers to steal if they break into the network.
However, with a solution where the customer enters their card details on their telephone keypad, the keypad produces DTMF (Dual Tone Multi Frequency) tones that can be captured and suppressed before the audio enters the contact centre, so no one in the organisation ever hears or sees the payment information. The call is still recorded for compliance purposes, but the card data itself is neither heard by the agent nor recorded, which is what takes the recording platform, agent desktops and network out of PCI DSS scope. This means there is no payment data to steal even if a malicious perpetrator manages to break into the network.
What is clear is that only addressing one or two security processes and barriers in a company is not enough to protect the entire organisation from a security breach.
Customer verification and fraud prevention
Ensuring that a customer is who they say they are is paramount. Contactless and mobile payment systems can call on biometrics, which add a much needed extra layer of security to transactions and help to avoid chargebacks, fees and time-consuming fraud investigations.
Many payment processing companies offer fraud prevention systems that can be easily integrated into the payment flow so it is important to consider these options when choosing the payment gateway provider for an organisation.
Keep systems updated and scan for malware
Attackers find new ways into computer networks all the time, and the industry responds by constantly publishing security patches and updates. Organisations must ensure their networks, servers, laptops and workstations are patched promptly and are running current, supported software; an unpatched system with a publicly known vulnerability is the easiest way in.
Additionally, systems must be regularly scanned for malware such as spyware, trojans and viruses. Infection attempts arrive daily via phishing email and fake websites, so it is vital that anti-malware software with up-to-date signatures is enabled on every system that can be infected, and that its alerts are actually reviewed.
Physical security of data
An often overlooked aspect of securing payments is physical security. It feels low tech to talk about locked server rooms, workstation security and appropriate controls on printers, but it is a fact of life that must be accepted.
Thieves can easily grab laptops, printers or storage devices such as USB sticks and hard drives, but with physical locks, cable and disk locks, CCTV, full-disk encryption on portable devices and a dose of common sense, the compromise of data security, and the eye-watering fines that accompany it, can be avoided.
Ultimately, the consequences of failing and allowing malicious actors into an organisation's network are too high a risk to take. Implementing a robust end-to-end data security strategy that covers all of these areas is vital for today's businesses.
To find out more information, visit: https://www.pcipal.com/
This article was originally published in the July edition of Security Journal UK.