Are your payments secure?

How to keep your customer’s utility payments safe

Doyou give your customers the option to pay their bills by credit or debit card? If so, you need to make sure that payments are easy, convenient, and most importantly… secure.

About 60% of Americans pay their bills electronically, and this number is growing all of the time.

In this article, join us as we look at how to keep your utility payment system secure, the standards you and your vendors need to keep in place, and the trade-off between usability and security.

Customers depend on you to keep their personal information safe

Data security is no longer something a ‘nice to have’… it is a ‘must have’.

If you take payments from customers, they are depending on you (and by extension, your vendors) to take care of their personal data and protect it from security breaches.

Seven out of ten people say that a company’s security and privacy practices are very important to preserving their trust. If a company betrays this trust, it may lead to customers walking away, as well as negative publicity and financial losses.

Could your utility company be at risk from hackers?

As we become more and more dependent on online data and cloud services, the risk of cyberattacks is increasing. Even worse, utility companies and government organizations are not immune.

Utility companies are often seen as easy targets for hackers for two reasons.

First, many people depend on them for their light, water, and heat needs. This may make utilities more willing to pay ransoms in order to ensure no disruption to service.

Second, utility companies hold a lot of personal data about their customers, including their name, address, social security number, and credit card information. This information can be used to commit fraud or be sold on the dark web.

The Reading Municipal Light Department admitted to being targeted by ransomware in early 2020, with The Lansing Board of Water and Light paying a $25,000 ransom to cybercriminals in 2016. And as we discussed in a previous article — even with the pandemic, cases of ransomware in 2020 have increased.

According to Statista, there were over 1,000 data breaches reported across the whole of the US in 2020, with over 155 million personal records exposed.

The importance of PCI DSS Level 1 compliance

Security accreditations can be extremely valuable if you take credit and debit card payments from the public. Not only can they help you standardize, test, and audit your and your vendors’ processes, but they provide reassurance to your customers too.

If you or your vendor takes secure utility payments, you or your vendor needs to be able to prove that you comply with the PCI DSS. Let’s take a look at this accreditation in more detail, and what compliance means.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was launched in 2004. It is an international standard that is the result of collaboration between major payment card brands, including Visa, Mastercard, and American Express. The standard is facilitated by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS standards assessment helps demonstrate that your company offers secure card payments and manages stored data with best practices. Having this accreditation helps ensure more robust security practices and gives customers more confidence in the security of their credit or debit card payments.

To be eligible for PCI DSS, there are twelve requirements that successful organizations need to comply with. These are:

1. The installation and maintenance of a company firewall
2. The creation of original system passwords (i.e. not using the ones supplied by the vendor)
3. The protection of stored cardholder data
4. The encryption of stored cardholder data
5. The use of up-to-date anti-virus software
6. The development and maintenance of secure systems and applications
7. The restriction of cardholder data to staff on a ‘need to know’ basis
8. A unique ID for everyone who uses a computer in the organization
9. The restriction of physical access to cardholder data
10. The tracking and monitoring of access to cardholder data
11. The regular testing of security systems and processes
12. The maintenance of a policy dealing with information security processes

Both merchants and service providers need to be able to comply with PCI DSS. This means that if you work with any third party vendors that process, store or transmit cardholder data, they need to be compliant with the standard too.

Not being compliant with PCI DSS may mean that banks may refuse to process payments on your behalf. This can cause not only a significant inconvenience for you but also your customers.

The importance of Level 1 compliance

There are four different levels of PCI DSS compliance. The level your utility company or service provider needs to achieve depends on the number of transactions you handle each year. The lower the numerical level, the stricter the auditing process.

• Level 1: Companies that process over six million card transactions a year.
• Level 2: Companies that process one to six million transactions a year
• Level 3: Companies that process 20,000 to one million transactions a year
• Level 4: Companies that process fewer than 20,000 transactions a year

Level 1 compliance is required for organizations that handle over six million credit or debit card transactions each year. These card transactions can be over your website, over the phone, or in person.

Organizations that carry out fewer transactions but have previously experienced a data breach may have to adhere to Level 1 compliance too.

Level 1 organizations have to undergo an external audit once a year, carried out by a third-party PCI auditor. In addition to providing a Report on Compliance (ROC) to the Level 1 organization, the auditor will provide an Attestation of Compliance (AOC) which can be shared with the Level 1 organization’s customers.

Level 1 organizations must also have external vulnerability scans carried out every quarter by an approved third-party. These scans identify any issues in the Level 1 organization’s systems, allowing the opportunity to get them fixed.

Why is a third-party audit so essential in the PCI DSS process? Third-party audits provide an objective and impartial overview of payment processes, meaning that banks and customers can trust the final outcome. The other 3-levels of PCI Compliance (Levels 2 through 4) allow companies to self-assess their compliance such that third-party auditors do not have to validate that the prescribed PCI DSS controls are actually in place. Only Level 1 compliance indicates that a third-party has audited you or your vendor and ensured that they are handling payment data according to best practices.

Why is PCI DSS so important?

Achieving the PCI DSS standard shows that you or your vendor can look after your customer’s card data, ensuring that it doesn’t fall victim to cyberattacks or is taken away from your premises. According to Trustwave, over one in three cybersecurity threats involve a payment card.

PCI DSS not only protects your customers but also helps you or your vendor safeguard against data breaches, meaning that you save time, money, and resources by establishing time-tested best practices and processes. It also provides a detailed action plan to help with your or your vendor’s security requirements in the future.

When PCI DSS compliance is combined with other security accreditations like SOC2, utilities can trust that their vendors have taken a comprehensive approach to security and data protection.

Remember to balance security with the customer experience

In a previous article, we mentioned that the inventor of the personal identification number (PIN) was planning on making each number six digits long. His wife convinced him to reduce the number to four digits as six would have been too hard for her to remember.

There is a fine line to balance between security and user experience. For all of the protection it would provide, a six-digit PIN would be no use to anyone if people struggled to remember it!

In summary

Taking steps to protect your online payment system requires a lot of forward planning and preparation by you or your vendor. However, it is a worthwhile investment for the convenience that a payment system provides to your customers.

Only 37% of companies maintain full compliance with PCI DSS. By ensuring that your vendors tick all the boxes with a 3rd-party audit and PCI DSS Level 1 Compliance, you will ensure the best payment card security and boost your reputation with your customers and their satisfaction with you.

—

Sources

• https://www.aciworldwide.com/press-release/americans-pay-more-than-half-of-their-bills-online
• https://www.centrify.com/media/4737054/ponemon_data_breach_impact_study.pdf
• https://www.readingma.gov/home/news/rmld-targeted-by-ransomware
• https://www.lansingstatejournal.com/story/news/local/2016/11/08/bwl-paid-25000-ransom-after-cyberattack/93488502/
• https://exceleron.medium.com/why-municipals-need-better-security-measures-in-place-today-a07f47a38482
• https://www.keepnetlabs.com/top-11-ransomware-attacks-in-2020-2021/
• https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
• https://www.utilitydive.com/news/utilities-face-growing-ransomware-threat-as-hackers-improve-strategy-execu/583818/
• https://www.trustwave.com/en-us/resources/library/documents/2019-trustwave-global-security-report/
• https://exceleron.medium.com/how-to-balance-security-needs-with-customer-experience-a566a70832ec
• https://uxdesign.cc/how-good-ux-leads-to-great-security-293327c83a90
• https://www.ubisecure.com/customer-iam/cyber-security-vs-user-experience/
• https://www.itgovernance.eu/blog/en/a-guide-to-the-4-pci-dss-compliance-levels
• https://www.itgovernance.eu/en-ie/what-is-the-pci-dss-ie
• https://www.itgovernance.co.uk/pci-audit-and-roc