Payments technology expert Jean-Philippe Niedergang of Castles Technology gives his view on how the certification should be updated to respond to today’s increased fraud level
By Jean-Philippe Niedergang, Group CCO and CEO of EMEA/LATAM of Castles Technology
Technology is advancing faster than we’ve ever seen before, with consumers willing and open to new forms of payment that are quicker and easier, saving time and money. However, hackers are exploiting emerging technologies such as blockchain and Artificial Intelligence to beat security barriers and to make themselves harder to find and stop.
Interpol’s Secretary General Jürgen Stock recently described the uptick in financial fraud as an “epidemic” leading to individuals, often vulnerable people, and companies being defrauded on a massive and global scale.
As reports of financial fraud mount, with criminals stealing over £34.9 million in 2022 through contactless payment methods, payment terminal manufacturers need to go further to fortify their devices to ensure that they are trusted and secure. On top of money stolen from the customer, retailers lose millions in downtime through lost transactions due to hacking.
Retailers often ask my teams for reassurance, not only that their device is safe, but that there’s no chance of downtime whilst a security risk is being dealt with, as we’ve seen with the technology outages at major UK retailers such as Greggs, Sainsbury’s and Tesco in March this year. In the case of Greggs, just a few hours of downtime not only lost customers, but its share value also slipped by £40 million.
In 2004, the PCI DSS certification was an important step for the standardisation of protection, both for consumers and for banks. However, a lot has changed in the last 20 years and in order to really combat and keep up with the latest fraud techniques, payment technology suppliers need to go beyond this. The goal posts have moved dramatically and so should the standards.
A sign that the situation has become critical is the UK government’s new guidance, introduced in November 2024, which enables banks and other payment services providers to delay the processing of suspicious transactions for up to four days to repel potential fraud.
Under the UK’s new Payment Systems Regulator (PSR) law, banks and other payment firms must reimburse defrauded customers up to a maximum of £415,000. Although it is important to have this consumer protection in place, what is really crucial is stopping the fraud from happening in the first place.
So how could the PCI DSS certification be enhanced so that payment technology suppliers better protect retailers and their customers? From my experience there are three key steps: testing, detection and action.
Firstly, testing: the best way to stop fraud is to test the payment system on a regular basis. The only way to know whether a device is hackable is to hack it yourself. Employing ethical hacking to constantly look for any potential vulnerabilities and fix them immediately is the best way to stop fraud in its tracks.
The standard number of layers of protection and level of encryption needed to qualify for the PCI DSS certification should be increased in order to react against today’s increased threat intensity.
Detection: payment providers should offer an early identification service in which they explain to customers how to recognise the signs of an attempted breach and provide a way to report it before it becomes a threat.
Action: payment providers should have a remote way to respond to and stop security vulnerabilities or attacks in order to minimise downtime and lost transactions. As we saw with the downtime in the UK, caused by technology problems rather than hacking, when there is an issue it can take up to a whole day to resolve, and for a national retail chain this could cost millions. It is not the role of UK businesses and banks to pay the price for fraud. It should instead be the responsibility of the payment technology providers to put the barriers in place to stop fraud from happening. Tightening the PCI DSS certification would be a step in the right direction to make sure that all payment technology providers are doing the maximum to beat fraud.