
Despite cash remaining the most popular payment method worldwide, digital transactions show no sign of slowing down. Their growth between 2016 and 2017 alone reached a new high of 10.1%, according to a 2018 Federal Reserve Payments Study.1 One estimate puts the number of digital payments consumers will make by 2020 at upwards of 726 billion.2

As the internet and its many uses continue to spread through our lives, disrupting many of the ways we used to do business, fraudsters have come up with a dizzying number of ways to part people from their money. Data breaches are in the news far too often, affecting people the world over. It is not just Equifax: the largest data breach on record, at Yahoo between 2013 and 2014, affected over 3 billion user accounts.3

Industry and regulatory standards give companies a yardstick for whether they are doing what they should to prevent fraud. Where the medical and education sectors have HIPAA and FERPA to govern privacy and security, the payment card industry has the Payment Card Industry Data Security Standard (PCI DSS).

The Background

Prepaid debit cards are on the rise; as of 2016, users spent about $100 billion4 with this easy-to-use payment method. More Americans are turning to prepaid cards as a way of curtailing spending and staying out of debt. Prepaid cards are essentially debit cards without a bank account, which protects the spender from overdraft fees; they also differ from credit cards in that they hold only what the spender loads onto them and carry no interest.

One of Softjourn's clients uses these cards to help their customers monitor employee spending, providing a transparent, efficient, and scalable solution for expense control. As with any company operating in the digital marketplace, our client is heavily invested in securing their customers' information, not only to protect their own reputation but to protect those customers from the identity theft and fraud that can plague victims for years.

They turned to us for help in meeting the PCI DSS requirements, one of the most effective ways to prevent card fraud before it happens.

The Need

Unlike HIPAA and FERPA, PCI DSS is not a government mandate. It was created by the five major card brands (Visa, Mastercard, American Express, Discover, and JCB) in 2004 to give all merchants a single, consistent set of rules for protecting cardholder data. The PCI Security Standards Council (PCI SSC), a separate body formed by the five brands to maintain the standard, has since updated the DSS as new technology and new needs arise.

The PCI DSS is organized into six goals and 12 requirements5 that apply to every merchant and service provider that stores, processes, or transmits cardholder data. The requirements are written broadly so that a business can meet them with whatever implementation suits its environment and software security lifecycle. The PCI SSC breaks each requirement down further into roughly 200 sub-requirements, each with testing procedures that spell out how an assessor verifies it has been met.

Merchants found to be noncompliant after a security breach face fines of $5,000 to $10,000 a month6 until they can demonstrate compliance; the card brands levy these fines on the merchant's acquiring bank, which typically passes them on to the merchant. That comes on top of everything else a merchant must deal with after a data breach: lawsuits, direct financial losses, and a blow to their customer base. The evidence also suggests that maintaining PCI DSS compliance is one of the best ways a merchant can reduce fraud: a 2010 Verizon study found that 79%7 of breached retailers were noncompliant at the time of the breach.

The Solution

Softjourn followed a multi-step process to upgrade the security of our client's software. It is worth noting first that our client sought out a third-party vendor for the upgrade: a tenet of the DSS is that everyone involved in designing and implementing a security solution must understand the requirements that apply to their particular role, so the choice of partner matters. Softjourn's technical expertise made us a clear choice for ensuring the security and privacy of our client's customers.

Next, we reviewed the existing security build and identified weaknesses and potential vulnerabilities. This allowed us to evaluate candidate solutions and give our client expert advice as they decided how to proceed. Once those decisions were made, we produced a high-level roadmap that our client reviewed and approved before any work began. The roadmap ensured that everyone involved in the project knew what would change and in what order, so that no part of the upgrade would be delayed or introduce problems that would raise the cost for our client or open new vulnerabilities down the line.

Once the new security design was in place and the upgrades had been tested against their intended outcomes (identifying known vulnerabilities, blocking the attacks they were meant to block, and so on), we put in place new metrics for measuring the upgrades over time and for anticipating security issues before they happened. This included integrating a log analytics tool that reviews login attempts and flags patterns that indicate an attempted break-in, such as repeated failures against one account or a single source trying many accounts.
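To make that login review concrete, here is an added illustration of the kind of check such a log analysis performs. This is example code written for this article, not Softjourn's tool or the client's code, and it assumes a hypothetical one-line-per-attempt log format; the sample lines are constructed. It flags two patterns: six or more failures for one account from one source inside a ten-minute window (the six-attempt limit comes from PCI DSS v3.2.1 requirement 8.1.6, the window is an assumption), a success that follows such a burst (which means a lockout that should have fired did not), and one source failing against five or more different accounts, which is the signature of password spraying (the threshold of five is an assumption).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed log format (not the client's real format).
SAMPLE_LOG = """\
2019-06-03T10:15:01Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:04Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:07Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:10Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:13Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:16Z login result=fail user=alice src=203.0.113.10
2019-06-03T10:15:19Z login result=success user=alice src=203.0.113.10
2019-06-03T10:20:00Z login result=fail user=bob src=198.51.100.7
2019-06-03T10:20:02Z login result=fail user=carol src=198.51.100.7
2019-06-03T10:20:04Z login result=fail user=dave src=198.51.100.7
2019-06-03T10:20:06Z login result=fail user=erin src=198.51.100.7
2019-06-03T10:20:08Z login result=fail user=frank src=198.51.100.7
2019-06-03T11:30:00Z login result=fail user=grace src=192.0.2.44
2019-06-03T11:30:05Z login result=success user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 6              # PCI DSS v3.2.1 req. 8.1.6: lock out after at most six attempts
WINDOW = timedelta(minutes=10)  # assumption: sliding window for counting failures
SPRAY_MIN_USERS = 5           # assumption: one source failing against this many accounts


def parse(log_text):
    """Turn raw log lines into sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count these as a health metric
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": d["result"] == "success",
            "user": d["user"],
            "src": d["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of alerts found while replaying the events in time order."""
    alerts = []
    recent = defaultdict(list)   # (user, src) -> timestamps of failures in the window
    spray = defaultdict(dict)    # src -> {user: time of last failure} in the window
    flagged_bf, flagged_spray = set(), set()

    for e in events:
        key = (e["user"], e["src"])
        # Drop failures that have aged out of the window before counting.
        recent[key] = [t for t in recent[key] if e["ts"] - t <= WINDOW]

        if e["ok"]:
            # A success right after a burst means the lockout control did not fire.
            if len(recent[key]) >= MAX_FAILURES:
                alerts.append({"type": "success_after_threshold", "user": e["user"],
                               "src": e["src"], "ts": e["ts"]})
            continue

        recent[key].append(e["ts"])
        if len(recent[key]) >= MAX_FAILURES and key not in flagged_bf:
            flagged_bf.add(key)
            alerts.append({"type": "brute_force", "user": e["user"], "src": e["src"],
                           "count": len(recent[key]), "ts": e["ts"]})

        spray[e["src"]][e["user"]] = e["ts"]
        active = {u: t for u, t in spray[e["src"]].items() if e["ts"] - t <= WINDOW}
        spray[e["src"]] = active
        if len(active) >= SPRAY_MIN_USERS and e["src"] not in flagged_spray:
            flagged_spray.add(e["src"])
            alerts.append({"type": "password_spray", "src": e["src"],
                           "users": sorted(active), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample above the replay yields three alerts: a brute-force alert for alice at her sixth failure, a success-after-threshold alert three seconds later, and a password-spray alert for 198.51.100.7 once it has failed against five accounts; grace's single failure followed by a success produces nothing. The second alert type is the one a PCI assessor cares about most, because it is direct evidence that the lockout required by 8.1.6 is not enforced.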

We also added fingerprint and facial recognition biometrics to our client's mobile application on Android and iOS as an additional authentication factor, to help keep unauthorized individuals away from critical assets. On both platforms the biometric itself never leaves the device: the operating system only reports whether it matched, so the app uses that match to release a credential held in the device's secure key storage rather than treating the biometric as something the server verifies.

Conclusion

Keeping your company’s systems up to date is one way to ensure you’re protecting your customers from identity theft and fraud. Maintaining a consistent and ongoing security process that also involves educating employees and remaining vigilant regarding new fraud techniques and new technologies will help create a well-rounded fraud prevention process that can help your company now and in the future.

Softjourn is more than happy to provide assistance when it comes to adhering to PCI DSS standards. Reach out today to discuss your needs and how we can help!

4. Allison, C. (2019, March 12). The rise of prepaid cards in America.
5. Payment Card Industry: Software Security Framework. (2019, January). Secure Software Lifecycle (Secure SLC) Requirements and Assessment Procedures.
6. PCI Compliance Guide Frequently Asked Questions (n.d.). PCI DSS FAQs.