August 19, 2016
Guest Perspective: For SMBs, Encryption and Tokenization Before EMV
By Joe Wysocki, Executive Director of E-Commerce, Heartland Payment Systems
In payment and technology circles, it is widely understood that EMV deployment in the United States is a major milestone in 2015. EMV – Europay, MasterCard and Visa – is a global standard for payment cards with embedded chip technology used for authenticating card-present transactions and the cardholder. U.S. card issuers are migrating to this technology primarily to combat counterfeit card fraud.
It is also a generally held view that EMV is not the panacea technology for all of the ways a merchant or business accepts payment. EMV will certainly help to validate that the consumer is the cardholder by way of Chip and PIN when presented at the sales counter, as well as ensure that the card was issued by a financial institution and is not counterfeit. However, chip technology does not extend to the merchant’s online or card-not-present (CNP) environments. Furthermore, EMV does not address other pressing security issues afflicting merchants—like point-of-sale (POS) intrusions. Unfortunately, solving these types of security issues was never a mandate of EMV. As per card brand specifications for implementation, EMV transactions, like magnetic stripe transactions, are sent in the clear for authorization, leaving them exposed and vulnerable to theft and monetization.
Given the increasing volume of major systems breaches—there were 761 breaches and 83,176,279 records exposed in 2014, which is up an incredible 27.5 percent over the number reported in 2013—doing nothing is no longer a viable or recommended payment strategy. However, one must be sensitive to the fact that for many U.S. merchants, navigating the technology solutions (encryption, tokenization and EMV), where to deploy them (online and in store) and understanding the total cost of compliance, are major obstacles to conversions. In these situations, we are advising our merchants of the benefits of deploying an encryption and tokenization service before deploying EMV.
First, EMV does not secure payments made at the merchant’s online e-commerce store. We believe that defending the integrity of the payment network is of paramount importance. All parties to the transaction need to have confidence that the system is secure, timely and reliable. EMV will certainly instill greater confidence in in-store purchases.
But what about online purchases, which are rapidly approaching 10 percent of total U.S. retail sales?
EMV does not encrypt the card number from the chip to the POS. Therefore, sensitive cardholder account data can potentially be compromised by fraudsters and then used in non-EMV segments (i.e., online and other CNP channels). This concern is supported by CNP fraud losses in the United Kingdom after the EMV conversion in 2004, which ballooned from £150 million ($224 million) in 2004 to £213 million ($318 million) in 2006, an increase of more than 40 percent.
As a result of these dynamics, omnichannel merchants are faced with the additional burden of having to secure both online and offline payments. Some merchants are solving this problem with a bifurcated payments strategy. They are leveraging tokenization (the replacement of credit card numbers with tokens) or cardholder authentication services (Verified by Visa, MasterCard SecureCode) in their online channel, while deploying EMV-compliant terminals in the store.
Other merchants are deploying a more efficient and less complicated strategy, such as combining encryption and tokenization services for both the online and offline channels. With this model, the consumer payment information is encrypted and tokenized at the point of purchase (both online and in store) and passed to the processor, which then decrypts the payment token behind a secure firewall before sending the card information to the card brands. A merchant benefits from leveraging a single, lower cost technology across all payment channels and from the improved card data security from point of purchase throughout the transaction lifecycle.
Second, the average cost of a single EMV-capable POS terminal is between $300 and $500, so business owners are looking to justify the cost of EMV and cardholder security. Small and medium-size businesses struggle with the proposition that it is in their best interest to divert scarce resources from other critical business activities to mitigate the (potential) reputational and financial risks associated with a breach. Some merchants are addressing these risks with increasing amounts of insurance. Other merchants—rightly or wrongly—have rationalized their inaction by concluding that fraudsters are preoccupied with major merchants and processors and are not interested in their small businesses. These merchants also struggle with the return on investment calculation—especially in light of the sundry other demands being placed on their businesses (e.g. marketing and social media, improving productivity, fulfilling orders, tax and regulatory compliance and addressing competitor changes).
Their objections become even louder when they are multilane or multichannel retailers or they have historically experienced low rates of chargebacks or losses. In environments such as these, or where significant price elasticity exists, a viable alternative option is to deploy end-to-end encryption (EEE) readers, which can only be used in store.
Hackers are increasingly targeting small to mid-sized businesses. And a breach can put a small or mid-sized merchant out of business with fines and assessments of more than $500,000. An EEE reader is a cost-effective first step toward protecting a merchant’s financial health and reputation.
Third, EMV support does not excuse small and medium-sized merchants from PCI compliance. The card brands have announced that PCI reporting requirements will be waived for merchants who deploy terminals and PIN pads with EMV. However, this only applies to Level 1 and Level 2 merchants, which only include those processing more than one million transactions per card brand per year and running 75 percent of their transactions over EMV. Merchants processing fewer than one million transactions per year are still required to comply with PCI reporting requirements, which exacerbates merchant difficulty with a business case.
All merchants are required to be PCI compliant, regardless of size and card volume. Given this dynamic, encryption and tokenization can simplify merchants’ validation efforts by reducing the number of system components to which Payment Card Industry Data Security Standard (PCI DSS) requirements apply. It is one of the data protection and audit scope reduction methods recommended by PCI DSS. And, as previously stated, tokenization is a lower cost option that can be implemented across online and in-store channels. EMV compliance is not currently mandated for merchants by the federal government or the card brands.
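The following is an added example, not code from the article or from Heartland, of the two points made above: the encrypt-at-the-reader, tokenize-at-the-processor flow described earlier in this piece, and the PCI scope reduction that follows from it, namely that the merchant's own records end up holding only tokens and no card numbers. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for the AES/DUKPT scheme a real reader would use, the vault is an in-memory dictionary standing in for a processor's hardened token vault, and the `ProcessorVault`, `reader_encrypt` and `pan_leaks` names and the card numbers are all assumptions made for the example.

```python
"""Point-to-point encryption plus tokenization, modelled end to end (added example).

Constructed stand-ins: HMAC-SHA256 in counter mode replaces the reader's real
cipher; a dict replaces the processor's token vault; card numbers are test values.
"""
import hashlib
import hmac
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check; used both by the vault and by the scope scanner."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(key: bytes, pan: str) -> bytes:
    """What the EEE reader emits: nonce || ciphertext || integrity tag. The PAN
    never appears in the clear on the merchant's POS or network."""
    nonce = secrets.token_bytes(12)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


class ProcessorVault:
    """Processor side: the only place that holds the decryption key and the PANs."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens: dict[str, str] = {}   # token -> PAN, never leaves the processor

    def tokenize(self, blob: bytes) -> tuple[str, str]:
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()
        if not luhn_ok(pan):
            raise ValueError("decrypted value is not a valid PAN")
        token = "tok_" + secrets.token_hex(8)   # random, unrelated to the PAN
        self._tokens[token] = pan
        return token, pan[-4:]                  # merchant gets token + last four only

    def detokenize(self, token: str) -> str:
        return self._tokens[token]


def run_checkout(key: bytes, vault: ProcessorVault, pan: str, amount: str) -> dict:
    """One purchase as the merchant sees it: the record it stores has no PAN in it."""
    token, last4 = vault.tokenize(reader_encrypt(key, pan))
    return {"token": token, "last4": last4, "amount": amount}


# Scope check: anything 13-19 digits long that passes Luhn is a candidate PAN.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def pan_leaks(records: list[str]) -> list[str]:
    """Scan merchant-side records (logs, order rows) for clear-text card numbers.
    An empty result is what keeps those systems out of PCI DSS scope."""
    return [m for rec in records for m in _PAN_RE.findall(rec) if luhn_ok(m)]


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)       # constructed reader/processor key
    vault = ProcessorVault(shared_key)
    rec = run_checkout(shared_key, vault, "4111111111111111", "12.50")
    print("merchant stores:", rec)
    print("leaks in merchant records:", pan_leaks([f"order=42 card={rec['token']}"]))
```

The two checks worth keeping from this model are the integrity tag, which makes the processor reject a blob that was altered in transit instead of tokenizing garbage, and the `pan_leaks` scan, which is the kind of evidence an assessor would want before agreeing that a merchant's order database or log store is outside the cardholder data environment.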
Beginning Oct. 1, 2015, merchants who do not have an EMV-capable terminal are liable for chargebacks and fraud. The liability shift will mean little to merchants with low rates of chargebacks and fraud. So, the lack of a mandate and business case will inevitably cause some merchants to delay EMV deployment. But based on the fact that 60 percent of small businesses will cease operations within six months of a breach, a simple solution to deploy encryption and tokenization services across all payment channels makes sense.
Joe Wysocki is executive director of e-commerce for Heartland Payment Systems, where he is responsible for executing the payment processor’s e-commerce product strategy. He has nearly two decades of payments industry experience, having successfully deployed Internet and card-not-present payment solutions for several major acquirers and payment brands.