Executive Insight: Winning the War for Payment Card Data
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
Last year, the United States experienced what has been dubbed “the year of the data breach.” Now, as 2015 draws to a close, data breaches continue to plague merchants. Some say that hackers’ tactics are changing and that remote-access attacks are a new frontier in the fight for payment card data. These kinds of attacks aren’t new, though; what has changed is the hackers’ strategy.
Around the world, hackers gather in dark corners of the Web to share tactics and strengthen their attacks. Criminals are joining hacking groups, and some of those groups are formed, backed, and even trained by criminal organizations and nation-states; others use the proceeds of stolen card data to fund terrorism. The result is that hacking is far more organized and sophisticated than it once was. There is a war for payment card data, and more needs to be done to help merchants keep their customers’ payment information away from hackers. That means going beyond what is needed for Payment Card Industry Data Security Standard (PCI DSS) compliance, and more than simply adding EMV chip cards into the mix.
To win the war for payment card data, merchants need to shield sensitive cardholder information at all three milestones in the life of a transaction: when it is transmitted, when it is processed, and when it is stored. A trifecta of existing technologies – EMV, point-to-point encryption (P2PE), and tokenization – gives merchants the “weapons” they need to win the war. Let’s take a deeper look at each component of the payment security trifecta.
EMV
The much-discussed liability shift associated with EMV was put into effect in October 2015 by the various card brands. Supporters of the EMV migration claim that merchants will be protected from the next wave of data breaches in exchange for their investment in new payment terminals and other migration expenses. That isn’t true. EMV does nothing to secure payment card data in transit or at rest in merchant systems and networks, so it won’t prevent data breaches. And because the chip is only read by a card-present terminal, EMV offers no protection against fraud in card-not-present situations: e-commerce, card numbers keyed in by hand, or later use of stored card data, such as the incremental authorizations hotels run against a card on file.
While EMV alone is not a complete security solution for merchants, it is an essential component of the payment security trifecta because it authenticates the card itself, so that a merchant is not processing card-present payments with a counterfeit, lost, or stolen card. When a chip card is used at an EMV-capable point-of-sale (POS) terminal, card and terminal run an authentication protocol that verifies the card is genuine (the chip produces a per-transaction cryptogram that a cloned magnetic stripe cannot) and, if the card was issued with a PIN, verifies the cardholder as well. Although not foolproof, this stops card-present counterfeit fraud, and with a PIN lost-or-stolen fraud, far better than a traditional magnetic stripe, which can be copied with an inexpensive reader.
The problem is that even in an EMV transaction the card number and expiry date still leave the secure payment device in the clear inside the authorization request. That leaves consumers’ payment information exposed to anyone who has compromised the merchant’s POS or network, unless the merchant implements P2PE.
Point-to-Point Encryption (P2PE)
P2PE encrypts payment card data from the moment a credit or debit card is read until the data reaches the decryption environment of the P2PE solution provider, where it is decrypted for authorization. In card-present environments, including traditional and mobile points of sale, P2PE protects the channel that EMV does not: everything between the payment device and the processing network.
When a customer’s card is keyed, swiped, inserted, or tapped (as with mobile wallets such as Apple Pay™, Samsung Pay™, or Android Pay™), the secure payment terminal encrypts the account data inside its tamper-resistant reader, before anything is handed to the merchant’s POS software. The merchant’s POS system and network only ever see ciphertext, which protects consumers’ payment information, and the merchant’s environment, from a range of attacks, including memory-scraping malware on the POS terminal or host. In a properly implemented P2PE solution the merchant has no ability to decrypt: the decryption keys exist only in the solution provider’s hardware security modules, never in the merchant environment.
By using P2PE, a merchant sharply limits its exposure to hackers who are constantly probing its systems for weaknesses, and its PCI DSS scope shrinks dramatically, because systems that only handle ciphertext they cannot decrypt can be treated as outside the cardholder data environment. One caveat: the reduction covers only data captured by the P2PE device, so a card number typed into a PC keyboard or taken over the phone into a back-office application is still in scope. In other words, when merchants don’t have cardholder data in their possession, there is nothing for hackers to steal because They Can’t Steal What You Don’t Have®.
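To make the P2PE boundary concrete, here is an added example (written for this page; it is not Shift4’s code or any vendor’s product) that simulates the three parties described above: the secure terminal encrypts the account data, the merchant’s POS holds only the resulting blob, and the provider’s decryption environment recovers it. It assumes one static AES-256-GCM device key shared by terminal and provider, which is a simplification of the DUKPT per-transaction keys a real P2PE solution derives inside HSMs; the sample account data, the scraper’s regex, and all function names are constructed for the example. The ScrapeForPANs function stands in for memory-scraping POS malware and is run over both the clear buffer and the encrypted one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// deviceKey stands in for the key the P2PE solution provider injects into the
// terminal's secure reader. ASSUMPTION for this example: one static AES-256 key
// shared by terminal and decryption environment. A real P2PE deployment derives
// a unique key per transaction (DUKPT) from a base derivation key that only the
// provider's HSMs hold; the merchant never has either.
var deviceKey = mustRandom(32)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// EncryptAtTerminal models what happens inside the secure payment device: the
// account data is sealed with AES-256-GCM before it leaves the reader, so the
// merchant's POS only ever handles the returned blob (nonce || ciphertext).
func EncryptAtTerminal(key, accountData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, accountData, nil), nil
}

// DecryptAtProcessor models the provider's decryption environment, the only
// place the key exists. GCM's authentication tag also rejects a blob altered in transit.
func DecryptAtProcessor(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// panPattern is the kind of regex POS memory-scraping malware uses to pick
// account numbers out of process memory (real scrapers add a Luhn check).
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// ScrapeForPANs plays the attacker on the merchant's POS host: it scans a
// buffer the POS held and returns any 13-19 digit runs it finds.
func ScrapeForPANs(buf []byte) []string {
	return panPattern.FindAllString(string(buf), -1)
}

func main() {
	// Constructed sample: track-2-style data for the well-known test PAN
	// 4111111111111111 (not a real card).
	accountData := []byte("4111111111111111=2512101")

	// Without P2PE the POS holds the clear data, and the scraper finds it.
	fmt.Println("clear POS buffer  ->", ScrapeForPANs(accountData))

	// With P2PE the POS holds only the blob: nothing to scrape.
	blob, err := EncryptAtTerminal(deviceKey, accountData)
	if err != nil {
		panic(err)
	}
	fmt.Println("P2PE POS buffer   ->", ScrapeForPANs(blob), hex.EncodeToString(blob[:8])+"...")

	// Only the provider's decryption environment recovers the account data.
	recovered, err := DecryptAtProcessor(deviceKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("provider recovers ->", string(recovered))
}
```

The point to take from running it is the second line of output: the scraper that finds the PAN in the clear buffer finds nothing in the P2PE blob, and the merchant host has no key with which to change that. Flipping one byte of the blob makes DecryptAtProcessor fail, which is the authenticated-encryption property a P2PE solution relies on to detect tampering in transit.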
Tokenization
Tokenization addresses the third milestone, the long-term storage of payment card data, from the moment of authorization onward through every later use of the card. It therefore protects subsequent and incremental card usage in environments such as e-commerce, online reservations, and recurring billing. When done correctly, tokenization replaces the card data with a random alphanumeric value, a token, that is meaningless to everyone except the token provider that holds the vault mapping tokens back to cards. If tokens ever fall into the wrong hands, hackers have no way to use them. For that to hold, tokens must be dynamic (a new random token for every transaction processed), they must not have a mathematical or one-to-one relationship with the card, that is, they must not be derived from the card number by any formula, hash, or cipher, and consequently they must not be decryptable at all. Tokenization is not encryption.
With tokenization, merchants no longer need to use or store cardholder data for the daily business functions that once depended on it. A well-designed tokenization solution lets merchants safely reference a customer’s transaction for future use, including returns, card-on-file, recurring billing, and incremental authorizations, by presenting the token alone, without ever storing the sensitive data itself.
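The following added example (written for this page, not Shift4’s or any vendor’s implementation) shows the two properties the text insists on. A hypothetical in-memory Vault issues a fresh random token per call and lets the merchant run a later charge by token alone, so the PAN never comes back to the merchant. Beside it, HashToken is the anti-pattern of a “token” derived from the card by a hash, and RecoverPANFromHash shows why it fails: given the truncated PAN (first six and last four) that receipts and reports routinely keep, only six digits are unknown and the hash is inverted in about a hundred thousand attempts. PCI DSS itself notes that a hashed PAN kept alongside a truncated PAN can be correlated to reconstruct the card number. The test PAN, the token format, and all names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// luhnOK is the mod-10 check every PAN satisfies; the vault uses it to reject
// garbage and the attack below uses it to skip impossible candidates.
func luhnOK(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i]) - '0'
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

// Vault is the token provider's side of the boundary and the only place the
// PAN exists after authorization. (Hypothetical in-memory stand-in for a real vault.)
type Vault struct {
	store map[string]string // token -> PAN
}

func NewVault() *Vault { return &Vault{store: map[string]string{}} }

// Tokenize issues a fresh random token on every call. Nothing in the token is
// derived from the card (no key, no formula, no hash), so there is nothing to
// decrypt or invert, and two transactions on one card get unrelated tokens.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnOK(pan) {
		return "", errors.New("rejected: not a valid PAN")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.store[tok] = pan
	return tok, nil
}

// Charge is what the merchant calls later for a return, an incremental
// authorization, or a recurring bill: it presents only the token. The vault
// would forward the PAN to the card network from here; it never goes back.
func (v *Vault) Charge(tok string, cents int) (string, error) {
	pan, ok := v.store[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return fmt.Sprintf("approved %d cents on card ending %s", cents, pan[len(pan)-4:]), nil
}

// HashToken is the anti-pattern: a "token" that is a function of the PAN. It is
// static (same card, same value every time) and, as shown below, invertible.
func HashToken(pan string) string {
	h := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(h[:])
}

// RecoverPANFromHash plays the attacker who stole a hash "token" together with
// the truncated PAN (first six, last four). Only six digits are unknown, and
// Luhn rules out nine in ten of those. Returns the PAN and the hashes computed.
func RecoverPANFromHash(hash, first6, last4 string) (string, int) {
	tries := 0
	for i := 0; i < 1000000; i++ {
		cand := fmt.Sprintf("%s%06d%s", first6, i, last4)
		if !luhnOK(cand) {
			continue
		}
		tries++
		if HashToken(cand) == hash {
			return cand, tries
		}
	}
	return "", tries
}

func main() {
	v := NewVault()
	// Constructed sample: the well-known test PAN 4111111111111111 (not a real card).
	t1, _ := v.Tokenize("4111111111111111")
	t2, _ := v.Tokenize("4111111111111111")
	fmt.Println("two tokens for one card differ:", t1 != t2)
	msg, _ := v.Charge(t1, 1999)
	fmt.Println("merchant charges by token:", msg)
	pan, n := RecoverPANFromHash(HashToken("4111111111111111"), "411111", "1111")
	fmt.Printf("hash token inverted to %s after %d hashes\n", pan, n)
}
```

The contrast is the whole lesson: a stolen vault token is useless without the vault, while a stolen hash plus the last four digits printed on a receipt is the card number after a fraction of a second of work. The vault is the component that has to be run by a provider outside the merchant environment, which is what keeps the merchant’s systems out of scope.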
Creating a Strong Security Posture
Implementing the payment security trifecta of EMV, P2PE, and tokenization gives merchants confidence that they have taken the best available steps to protect their customers, and their business, from fraudsters who attempt to use counterfeit, lost, or stolen cards in card-present environments and from data thieves intent on stealing payment information in bulk. Merchants migrating to EMV today should therefore make sure all three are deployed together, so that a transaction is secured from the moment the card touches the payment device. When a merchant then entrusts that sensitive data to a dedicated payment solutions provider, not only is its environment protected, but the burden of protecting cardholder data is lifted as well. At the end of the day, we want merchants to be able to focus on what matters most to their business: their services, products, and customers.