Protecting tenants’ payment data

By Simon Cook, Head of Compliance, allpay Ltd

We know from our own 2019 survey of almost 300 social renters (292), whose housing is provided via their local housing association or council, that 34.39% preferred to pay rent by Debit Card. The use of Debit Cards for rental payments has increased from 29.9% in 2018. This could be due to residents’ confidence in manual payments – paying when they know funds are available – compared with automatic payments, which are taken regardless. In addition, failed Debit Card payments don’t attract bank charges, which may be another reason for their increased popularity.

However, every month, yet another major retailer, tech company or public organisation suffers a data breach. In fact, any organisation taking card payments over the telephone, web or mobile app, including councils and housing associations, is at risk. Fines imposed by the regulators for the loss of personal records can run into millions of pounds, and tenants are also put at risk of losing money to criminals intent on committing card-not-present crime.

Card-not-present crime is currently at an all-time high in the UK. This is because of several factors, including the fact that total card spending is rising, and new channels are opening for criminals as customers demand more contact channels. According to UK Finance’s Fraud the Facts 2019, fraud losses on UK-issued cards totalled £671 million in 2018, up 19% on the previous year.

Enterprises now recognise they have a duty of care to their customers, so what can be done practically to protect your tenants, their data and your reputation?

The Payment Card Industry Security Standards Council (PCI SSC) is a global authority that develops, improves and promotes understanding of the standards for payment security. If you are a merchant that accepts or processes payment cards, then the Payment Card Industry Data Security Standard (PCI DSS) applies to you.

Firstly, it is essential to understand where your organisation is vulnerable and identify all locations where cardholder data is present. The moment card information enters the organisation, you’re at risk of attack. Criminals look for the weak links, which can include PCs, mobile devices and servers, recorded data storage, the transmission of data to partners or remote access connections. Rogue agents are also a potential threat, either helping themselves to data or collecting it on behalf of criminal organisations.

The second stage is to fix and secure business processes. Thirdly, assessments and remediation must be documented. Compliance reports must be submitted to the acquiring bank and the card brands you do business with. Even if your software is PA-DSS certified, that does not absolve your organisation from overall PCI DSS compliance, as the certification only applies to software and not organisations. You still need to make sure that the remainder of your contact centre is PCI DSS compliant.

When put like this, it is clear that correct in-house security is challenging to maintain. You will need to use secure systems, change system passwords, install patches from vendors, use trustworthy business partners, protect in-house access, regularly scan and fix vulnerabilities, and protect against internet threats, and that’s just for starters.

The best strategy for tackling the threat to cardholder data is to remove the threat from a contact centre environment by removing the data completely. If there is no data to steal within your environment, then criminals will not pose a risk to your organisation or tenants.

A new free guide has been launched to help organisations that handle payment cardholder information. Developed by contact centre and secure payment experts Eckoh, and available to the public sector through payment specialist allpay, the guide aims to provide essential information to help minimise card-not-present crime. It also introduces Eckoh CallGuard, a solution to allow all sensitive data to bypass your systems and people altogether.

It is clear that organisations taking card payments need to take rapid and aggressive action to prioritise making payments secure, and this guide can help those responsible for compliance make informed decisions.

For further information and to download the free guide, please visit: https://www.allpay.net/our-solutions/credit-debit-cards/call-centre/call-masking/