Working from home? No, you can't keep card details on a Post-It!

Our data privacy and security laws were drafted with traditional offices and computers in mind, but even before the ink was dry on the GDPR documents, the data landscape was changing.

More firms and organisations are outsourcing their live data resources, archive storage, analytics and even network security - muddying responsibility in the event of breaches.

Then, before we had finished writing the disclaimers into our new IT contracts, the lockdown transformed the workforce into a diaspora conducting business in home offices, bedrooms and lay-bys, on a diversity of unvetted equipment. According to cybersecurity firm SentryBay [1], 42% of all remote workers were targeted by phishing emails in the first weeks of lockdown.

At this point in time, few companies have had time to consider the full extent of their new compliance risk exposures, let alone retrain their workforce, standardise remote equipment, tighten procedures, or redraft policies to clarify where responsibilities (and penalties) come to rest. Shredding company GoShred estimates that one in five remote workers has printed confidential documents at home [2]. Even more have jotted sensitive details - including credit card numbers - on notepads or Post-It notes. Who else has access to those notes, and where do they end up?

Better protection for customer payments

Few things are more sensitive, or invite bigger penalties, than customer payment details. Card fraud is rife, and remote working adds new risks. Stolen data is used to commit several kinds of fraud, some direct, others indirect. For example, card details are easily used to make unauthorised purchases, but with a few more details a fraudster can take control of an entire account or set up new accounts in someone else's name. Personal data is also used by criminals to make other scams convincing to new victims - potentially framing someone in the process.

Public awareness is growing, which is good, but it creates another headache for legitimate businesses: mistrust. Suspicion changes expectations and reduces the public's willingness to use online services or complete transactions. That damages firms of all sizes. Even businesses that are household names lose custom when clients are reluctant to place trust in their data protection policies. For lesser-known small to medium-sized companies, it can be fatal. As any business that has tracked visitors through its website knows, many customers simply baulk at old-fashioned checkouts and abandon the goods in their shopping basket.

Although COVID-19 has suddenly reduced the circulation of cash, not all firms equipped to complete transactions digitally have benefited. The problem also affects person-to-person sales and telephone payment systems, especially when payment details have to be entrusted to strangers. Ironically, this means that firms with a human face could be suffering most, with customers more inclined to trust systems that provide anonymity. Consumers are now beginning to expect the same kind of security whether they pay online, by phone or in bricks-and-mortar shops.

Compliance is ever more important

The other risk to businesses is falling foul of increasingly tight data protection rules. Neither you nor a customer needs to be the victim of an actual crime in order for the way in which you have handled their data to constitute an offence. Any lapse in your security can lead to bad publicity at best and prosecution with punitive penalties at worst.

In the past, obliging customers to read their card details over the phone, or to reveal them in a public place or to a stranger, was commonplace. Today, these practices pose a major risk and have long been contrary to the Payment Card Industry Data Security Standard (PCI DSS) and the terms of traders' merchant accounts. When remote workers solicit such details over insecure lines or in public places and scribble them onto Post-Its, you have drifted far over the red line.

The Information Commissioner's Office (ICO) is taking a lenient (or at least "pragmatic") line on GDPR transgressions in the wake of the pandemic, because it appreciates that remote working and online trading have thrust many companies (and sole traders) into territory for which they were unprepared [3]. That leniency will not last. On the contrary, the huge growth in digital transactions, online business and remote working is likely to precipitate a new round of privacy law and data protection rulings. Recent fines and court decisions against Google and Facebook demonstrate that new climate.

Banks and insurance companies swallow a substantial portion of the losses inflicted by fraud, and so have good reason to lobby for routine audits of commercial security practices. In any event, market forces are likely to eliminate a large number of traders who do not improve the security of their payment systems. Customers are already beginning to look for safer alternatives, and for businesses that support them.

New solutions

Some security improvements on the near horizon require considerable investment in new hardware (such as biometric payment cards), but others require little or no new tech, can be implemented immediately and are readily affordable to SMEs and sole traders.

Multi-factor authentication (MFA), or two-step verification, is a simple improvement on the traditional username/password combination used to access computers, networks and accounts. These strategies range from simply challenging the user for additional information to cloud services that send a single-use PIN to their mobile phone. MFA is a great deal less troublesome for both employees and customers than insisting on long, complex passwords that no one can remember without writing them down (which defeats the point).

Payment transactions are even more sensitive and must proceed with minimum inconvenience to the customer. The new phone payment solution from Paytia simply interposes a trustworthy automated payment handler between the payer and the payee. It works as a standalone solution or can be integrated with the payment processors already used by most SMEs, such as Worldpay, Stripe and PayPal.
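To make the principle concrete, here is an added illustration, written for this page rather than taken from Paytia or any named processor, of what an interposed payment handler changes: only the handler sees and validates the keyed card number, the merchant side receives just a token and the last four digits, and the merchant's free-text notes can be scanned for a card number that a remote worker has typed in anyway (the digital Post-It). The handler, its vault, the note check and the card number are all hypothetical or constructed.

```python
import re
import secrets

# Constructed test card number (Luhn-valid, not a real card), used only in this demo.
TEST_PAN_KEYED = "4242 4242 4242 4242"

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, casting out nines
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class PaymentHandler:
    """Hypothetical trusted handler between payer and payee (not Paytia's implementation).
    The merchant/agent side never receives the card number, only a token and the last four digits."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> PAN, held only inside the handler

    def capture(self, keyed: str) -> dict[str, str]:
        pan = re.sub(r"\D", "", keyed)  # strip the spaces or dashes a customer may key
        if not (12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("card number failed format or Luhn check")
        token = secrets.token_hex(16)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}  # all a receipt or CRM record needs

# 12-19 digits, optionally separated by spaces or dashes, the way people type card numbers.
PAN_LIKE = re.compile(r"(?:\d[ -]?){12,19}")

def find_pan_like(text: str) -> list[str]:
    """Luhn-valid card-number candidates in free text such as agent notes: the digital Post-It check."""
    hits = []
    for m in PAN_LIKE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 12 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def demo() -> tuple[dict[str, str], list[str]]:
    """Capture the constructed test card via the handler, then scan a note that leaks the same number."""
    record = PaymentHandler().capture(TEST_PAN_KEYED)
    leaky_note = "Customer paid by phone, card 4242-4242-4242-4242, call back Tuesday"  # constructed
    return record, find_pan_like(leaky_note)
```

The Luhn filter keeps order numbers and phone numbers out of the hits, so a non-empty result from the note scan is worth following up rather than a routine false alarm.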

There are similar solutions for online and mobile transactions (Secure Virtual Terminal and Keyphone), and both take only minutes to set up. By adopting these solutions now, you can reduce fraud, reassure existing customers, convert more visitors and comply with current and future industry standards.

Remote working and online shopping are both terrific ideas, and consequently they are here to stay, pandemic or no pandemic - the future has simply come early. We need to catch up quickly, and there are many things we need to review, such as employment law and tax liabilities.

But nothing is more urgent than updating and securing our payment processes.

Resources:

[1] https://www.sentrybay.com/news/security-expert-predicts-at-least-30-40-increase-in-cyber-attacks-during-coronavirus

[2] See https://www.securitymagazine.com/articles/94495-remote-workers-are-printing-confidential-documents-at-home or read their report here: https://goshreduk.tumblr.com/post/641368333191675904/working-from-home-the-hidden-risks-of-printing

[3] See the ICO statement here: https://ico.org.uk/media/about-the-ico/policies-and-procedures/2617613/ico-regulatory-approach-during-coronavirus.pdf