Payment protection: Why HA's have a duty of care to tenants

Housing Associations accepting card payments, have a duty of care to protect clients’ sensitive payment data.  Fines imposed by the regulators for the loss of personal records can run into millions of pounds, but also tenants are put at risk of losing money to criminals, intent on committing card-not-present crime.  
Any organisation taking card payments over the telephone, web or mobile app is at risk.  Fraudsters target the weakest link in the payment chain in order to steal data and this type of crime is growing rapidly.  According to UK Finance, card-not-present fraud was valued at £506.4m in 2018, which represented 76% of all card fraud last year.  The National Audit Office predict that this is set to rise to £618m by 2020.

Payment protection

Some major, house-hold names such as British Airways (£183m fine) and Marriot Hotels (£99m fine) have been subject to significant data breaches in the past 12 months.  Even for these well-resourced organisations, protecting sensitive data properly, presents significant challenges.  Therefore, for Housing Associations often lacking resources or specialist expertise in this evolving field, the risks could be even greater.
We know from our own 2019 survey of almost 300 social renters (292) with housing provided via their local housing association or council, that just over a third (34.39%) preferred to pay rent by Debit Card (up from 29.9% in 2018).  This could be due to residents' confidence in manual payments – paying when they know funds are available - compared with automatic payments which are taken regardless.  With tenants’ desire to pay by card growing and the risk of card-not-present crime continually increasing, practically, what can Housing Associations do to protect sensitive data?
The Payment Card Industry Security Standards Council (PCI SSC) is a global authority that develops, improves and promotes understanding of the standards for payment security.   If you are a merchant that accepts or processes payment cards, then the Payment Card Industry Data Security Standard (PCI DSS) applies to you.  
The moment card information enters the organisation you’re at risk from attack, so understanding where your organisation is vulnerable and identifying all locations where cardholder data is present is step number one.   

Payment protection from hackers

Hackers can attack systems directly or use malware, phishing scams or social attacks and their methods are becoming increasingly sophisticated.  Criminals target PCs, mobile devices and servers, recorded data storage, the transmission of data to partners or remote access connections. It is a painful truth that rogue agents or groups of agents are also a potential threat, either helping themselves to data or collecting it on behalf of criminal organisations.
The second step is to fix and secure business processes.  Thirdly, assessments and remediation must be documented.  Compliance reports must be submitted to the acquiring bank and the card brands you do business with.  Even if your software is PA-DSS certified, it does not absolve your organisation from overall PCI DSS compliance as it only applies to software and not organisations. You still need to make sure that the remainder of your contact centre is PCI DSS compliant.
When detailed in this way, it is evident to see that maintaining correct in-house security is a major ongoing challenge.  Therefore, the best strategy for tackling the threat to cardholder data is actually to remove it from a contact centre environment completely.  If there is no data to steal within your environment, then criminals will not pose a risk to your organisation or tenants.
A new free guide has been launched to help organisations that handle payment cardholder information.  Developed by contact centre and secure payment experts Eckoh and available to the public sector through payment specialist allpay, the guide provides helpful tips and essential information to help minimise the risk of card-not-present crime.  It also introduces Eckoh CallGuard, a cost-effective solution to allow all sensitive data to bypass your systems and people altogether.

For further information and to download the free guide, please visit the website