Mobile payments platform provider, paythru (www.paythru.com), has achieved Level 1 PCI DSS (Payment Card Industry Data Security Standard) 2.0 compliance – the top payment card industry standard for secure payments.
One key criterion of the latest standard is the use of tokenisation, whereby Primary Account Numbers (PANs), such as credit card numbers, are removed from the transaction process.
Clients that implement paythru solutions, which exceed PCI compliance, can now have greater confidence in reducing the risk of payment fraud, not only in m-commerce but also in online and in-store shopping, the company said.
PCI DSS 2.0 provides requirements and guidelines on how to store, process or transmit card data electronically. Among the changes, merchants need to carry out a risk-based vulnerability assessment, while applications involved with credit card data such as card readers, online shopping baskets or mobile payments, must undergo an expensive, lengthy and complex code review to uncover any security issues.
Another requirement – tokenisation – adds an extra layer of security to this process. For merchants, it reduces the scope of the PCI DSS assessment, as it uses random numbers and letters in place of the highly sensitive Primary Account Numbers (PANs) that would otherwise be stored. Specifically, it minimises risks and decreases PCI audit costs, as tokens are stored only on one secure external server rather than at multiple points within the payment chain.
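To make the tokenisation model in the paragraph above concrete, here is an added Python sketch; it is not code from the press release or from paythru's product. It assumes a single `TokenVault` (the one secure external server) that holds the only token-to-PAN mapping, and a `MerchantStore` that records orders using the token and the last four digits only, so the merchant's database never contains a PAN and falls out of PCI DSS scope for card storage. Tokens are generated from a CSPRNG rather than derived from the PAN, so a stolen token reveals nothing about the card. The PAN used is the well-known Visa test number, a constructed input for the demonstration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample input: a Luhn-valid Visa test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, so garbage never enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def masked(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical single secure server holding the only token -> PAN map."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}
        # Keyed fingerprint lets us reuse a token for a returning card
        # without keeping a clear-text PAN index; key lives only in the vault.
        self._fp_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        # Random token: no mathematical relationship to the PAN.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. to charge it)."""
        return self._pan_by_token[token]


class MerchantStore:
    """Hypothetical merchant order database: holds tokens, never PANs."""

    def __init__(self) -> None:
        self.orders: list[dict[str, str]] = []

    def record_order(self, order_id: str, token: str, display: str) -> None:
        self.orders.append({"order_id": order_id, "token": token, "card": display})

    def contains_digits_of(self, pan: str) -> bool:
        """True if the full PAN appears anywhere in stored order data."""
        return any(pan in v for o in self.orders for v in o.values())


def checkout(vault: TokenVault, store: MerchantStore, pan: str) -> str:
    """Customer-side flow: vault tokenises the PAN, merchant keeps the token."""
    token = vault.tokenize(pan)
    store.record_order("order-1", token, masked(pan))
    return token


if __name__ == "__main__":
    vault, store = TokenVault(), MerchantStore()
    tok = checkout(vault, store, SAMPLE_PAN)
    print("merchant holds:", store.orders[0])
    print("vault resolves token to:", masked(vault.detokenize(tok)))
```

The scope reduction comes from the separation, not the token format: an attacker who obtains the merchant's order table gets tokens that are useless without the vault, so the audit effort concentrates on the one system that can detokenise.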
Russell Sheffield, director of innovation & development at paythru, said: “Despite the huge potential of m-commerce, where effectively any mobile phone can be used to conduct a huge variety of transactions, the risk of fraud increases if mobile payment systems are not implemented securely. We understood this challenge early on and were one of the first in our industry to achieve Level 1 PCI DSS, so our clients could reduce the risk of mobile payment fraud. Tokenisation has always been a central part of our security, which is why we have now achieved Level 1 PCI DSS 2.0. In fact, we have taken tokenisation one step further with technology that also verifies whether the person making the payment is the genuine cardholder.”
According to paythru, its solution allows merchants and their customers to complete transactions in a single text message or email through a tokenised password authentication system. Typically, a customer first signs up to paythru directly through a merchant. At this stage, alongside payment details, the system captures information from their mobile phone. For all future transactions, including those with other merchants, unique data related to this phone is gathered, including purchasing behaviour. In turn, it is then possible to verify, at the point of a transaction, that the customer is indeed who they say they are.
Subsequently, in addition to tokens being issued between paythru and the customer, an additional authentication token is issued to the merchant, further reducing the risk of payment fraud.
Sheffield said: “When commerce evolved from physical to e-commerce the payment industry experienced some significant pains in tackling fraudulent activity. As we move toward m-commerce, it is critical to ensure mobile payments are based on best practice codes that give businesses and their customers greater confidence in transactions conducted with mobile phones. The goal is to foster consumer trust by keeping one step ahead of the fraudsters, which is why we work hard to ensure our clients can actually deploy m-commerce to reduce the risk of payment fraud.”