The Payment Security Trifecta: Three Technologies for True Security
By J.D. Oder II, CTO and SVP of Research and Development, Shift4 Corporation
With so many data breaches in the last two years, it would seem that there’s a new inevitability to add to the oft-cited list of death and taxes. To keep their customers’ data and their reputations safe, merchants must stay informed about the newest security solutions and about cybercriminals’ most recent tactics.
Hackers communicate over dark Web networks to strategize and trade information. Criminals are joining hacking groups, and some of those groups are formed, backed, and even trained by criminal organizations and nation-states; others use the proceeds of stolen card data to fund terrorism. The result is that hacking has become far more organized and sophisticated than it once was. There is a war for payment card data, and more needs to be done to help merchants keep their customers' payment information away from hackers. Doing so requires going beyond what Payment Card Industry (PCI) compliance demands, and more than just adding EMV chip cards into the mix.
There are three milestones in the life of a transaction where it is imperative that merchants shield sensitive cardholder information: when it’s transmitted, processed, and stored. Three existing technologies give merchants the “weapons” they need to win this fight: EMV, point-to-point encryption (P2PE), and tokenization. Let’s take a deeper look at each of the components of this payment security trifecta.
EMV
The card brands' EMV liability shift took effect in the United States in October 2015. Supporters of the EMV migration have claimed that, in exchange for their investment in new payment terminals and other migration expenses, merchants will be protected from the next wave of data breaches. This isn't true. EMV does not secure payment card data while it is in transit or while it sits in merchant systems and networks, so it will not prevent data breaches. And because the chip is only used when the card is physically present at a terminal, EMV does nothing for card-not-present fraud: e-commerce, manually keyed card numbers, and later uses of a card already on file, such as the incremental authorizations hotels run after check-in.
Though EMV is not a comprehensive, standalone solution, it plays a critical role in the payment security trifecta because it identifies cards as authentic, which helps keep merchants from accepting card-present payments made with counterfeit cards and, where a PIN is required, with lost or stolen ones. During an EMV transaction the chip proves it is genuine by producing a cryptogram that only a card holding the issuer's key can compute, and, if the card was issued with a PIN, the cardholder is verified as well. This is not foolproof, but it stops card-present counterfeit fraud far better than a magnetic stripe, whose static data any skimmer can copy.
The reason EMV cannot stand on its own is that when an EMV card is processed, the card data (the PAN and expiry date) still leaves the payment device in plain text on its way to authorization. That leaves consumers' payment information exposed to attackers on the POS and the merchant network, unless the merchant implements P2PE.
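To make the card-authentication step concrete, here is an added example (not Shift4's code or any real issuer's) that models the online cryptogram exchange between chip, terminal and issuer in Python. HMAC-SHA256 stands in for the 3DES-based MAC real cards compute, the key derivation is simplified to one HMAC, the card data is constructed test data, and a random key stands in for what a counterfeiter lacks. It shows why a clone built from copied card data is declined, why a replayed authorization is declined, and that the PAN itself still travels in the clear even when the card is genuine.

```python
"""Added illustration of online EMV card authentication (the ARQC), not Shift4
code. HMAC-SHA256 stands in for the 3DES-based MAC real cards compute, the key
derivation is simplified to one HMAC, and the signed fields are cut down to the
ones that matter here; the counter logic and the failure cases are the real ones."""
import hashlib
import hmac
import secrets

# Constructed issuer master key; a real issuer keeps this inside an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a6978" * 4)

def derive_card_key(pan: str, psn: str) -> bytes:
    """Per-card key diversified from the issuer key by PAN and PAN sequence number
    (stand-in for EMV's ICC master-key derivation)."""
    return hmac.new(ISSUER_MASTER_KEY, f"{pan}|{psn}".encode(), hashlib.sha256).digest()

def cryptogram(card_key: bytes, atc: int, amount: int, unpredictable: bytes) -> str:
    """ARQC stand-in: a MAC over the transaction counter, the amount and the
    terminal's unpredictable number, so it is bound to this card and this transaction."""
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(card_key, data, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """A card as the terminal sees it: the key never leaves the chip, only
    cryptograms do."""

    def __init__(self, pan: str, psn: str, expiry: str, key: bytes = None):
        self.pan, self.psn, self.expiry = pan, psn, expiry
        # A genuine card was personalised with the derived key; a counterfeit built
        # from copied data (skimmed stripe, breached database) has no such key.
        self._key = key if key is not None else derive_card_key(pan, psn)
        self.atc = 0  # Application Transaction Counter, +1 per transaction

    def generate_ac(self, amount: int, unpredictable: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "psn": self.psn, "expiry": self.expiry,
                "atc": self.atc, "amount": amount, "un": unpredictable.hex(),
                "arqc": cryptogram(self._key, self.atc, amount, unpredictable)}

class Issuer:
    """Issuer host: recomputes the cryptogram and rejects a reused counter."""

    def __init__(self):
        self.last_atc = {}

    def authorize(self, req: dict) -> str:
        key = derive_card_key(req["pan"], req["psn"])
        expected = cryptogram(key, req["atc"], req["amount"], bytes.fromhex(req["un"]))
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE: cryptogram invalid (card not genuine)"
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: transaction counter reused (replay)"
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"

def terminal_transaction(card: ChipCard, issuer: Issuer, amount: int) -> tuple:
    """Terminal: picks a fresh unpredictable number, asks the card for a cryptogram
    and forwards the authorization request. Returns (request, issuer response)."""
    request = card.generate_ac(amount, secrets.token_bytes(4))
    return request, issuer.authorize(request)

def run_scenarios() -> dict:
    issuer = Issuer()
    genuine = ChipCard(pan="4111111111111111", psn="00", expiry="2612")  # constructed test card
    clone = ChipCard(genuine.pan, genuine.psn, genuine.expiry, key=secrets.token_bytes(32))
    request, genuine_result = terminal_transaction(genuine, issuer, amount=2500)
    _, clone_result = terminal_transaction(clone, issuer, amount=2500)
    replay_result = issuer.authorize(request)  # captured request submitted a second time
    return {
        "genuine": genuine_result,
        "counterfeit": clone_result,
        "replay": replay_result,
        # The PAN travels in the clear: EMV proved the card is real but did nothing
        # to hide its data from the POS or the network.
        "pan_in_clear": request["pan"],
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

A keyed-in or e-commerce transaction never reaches `generate_ac` at all: with no chip there is no cryptogram, which is exactly why EMV offers nothing in card-not-present channels.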
Point-to-Point Encryption (P2PE)
From the moment a credit or debit card first interacts with a payment device until it is authorized, P2PE encrypts payment card data at every step. In card-present environments, including traditional and mobile points of sale, P2PE protects a merchant’s communication channels where EMV does not: between the payment device and the processing network.
As soon as payment information is entered, by any method including mobile payments, P2PE encrypts the sensitive data at the point of interaction, inside the secure payment terminal. The data is therefore protected before it is transmitted to the merchant's point-of-sale (POS) system, shielding consumers' payment information and the merchant's environment from a range of attacks, including memory-scraping malware on the POS terminal or system. In the best implementations, the merchant never decrypts the cardholder data at all: decryption happens only at the processor or gateway, whose keys are held in hardware security modules, and the merchant never holds a decryption key.
Hackers are constantly searching for weaknesses in a merchant's systems, but with P2PE merchants limit their exposure: a POS compromised by malware yields only ciphertext. With a PCI-validated P2PE solution, the scope of the merchant's PCI DSS assessment is also dramatically reduced. In other words, when merchants don't hold cardholder data, there is nothing for hackers to steal.
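The following added example (not Shift4's code or any P2PE solution's) models that flow in Python: a terminal encrypts track data under a per-transaction key, the merchant's POS only ever forwards ciphertext, and only the processor, which holds the base derivation key, can decrypt. The cipher is a standard-library stand-in for the AES or 3DES real terminals use, the DUKPT-style key ladder is reduced to one derivation step, and the device id, key values and track data are constructed for the demonstration. A regex-plus-Luhn scan plays the part of POS memory-scraping malware to show what it finds with and without P2PE.

```python
"""Added illustration of P2PE, not Shift4 code. The cipher is a standard-library
stand-in (HMAC-SHA256 keystream plus an HMAC tag) for the AES/3DES DUKPT encryption
real P2PE terminals use, and the DUKPT key ladder is reduced to a single step."""
import hashlib
import hmac
import json
import re
import secrets

# Constructed base derivation key (BDK): lives in the processor's HSM and the
# key-injection facility, never in a terminal and never at the merchant.
BDK = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def initial_key(device_id: str) -> bytes:
    """Per-device key injected into a terminal; the terminal never sees the BDK."""
    return _mac(BDK, b"IPEK|" + device_id.encode())

def transaction_key(ipek: bytes, counter: int) -> bytes:
    """One key per transaction. Real DUKPT walks a one-way key ladder so a terminal
    cannot recompute earlier keys; that is simplified here to a single HMAC step."""
    return _mac(ipek, counter.to_bytes(4, "big"))

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_mac(key, b"ks" + nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: ciphertext plus an integrity tag under the same transaction key."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": _mac(key, b"tag" + nonce + ct).hex()}

def decrypt(key: bytes, msg: dict) -> bytes:
    nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
    if not hmac.compare_digest(_mac(key, b"tag" + nonce + ct).hex(), msg["tag"]):
        raise ValueError("authentication failed: altered message or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Terminal:
    """Secure card reader: encrypts track data as it is read, before the merchant's
    POS software sees it."""

    def __init__(self, device_id: str):
        self.device_id, self._ipek, self.counter = device_id, initial_key(device_id), 0

    def read_card(self, track2: str) -> dict:
        self.counter += 1
        key = transaction_key(self._ipek, self.counter)
        # The KSN (device id + counter) tells the processor which key to derive.
        return {"ksn": f"{self.device_id}:{self.counter}", **encrypt(key, track2.encode())}

def processor_decrypt(msg: dict) -> str:
    """Decryption environment at the processor/gateway, the only place holding the BDK."""
    device_id, counter = msg["ksn"].rsplit(":", 1)
    return decrypt(transaction_key(initial_key(device_id), int(counter)), msg).decode()

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def scrape_for_pans(blob: str) -> list:
    """What POS memory-scraping malware does: hunt for card-number-shaped digit runs."""
    return [m for m in re.findall(r"\b\d{13,19}\b", blob) if luhn_ok(m)]

def run_demo() -> dict:
    track2 = "4111111111111111=261210112345"  # constructed test card data
    message = Terminal("TERM-0001").read_card(track2)
    ct = bytearray(bytes.fromhex(message["ct"]))
    ct[0] ^= 0x01  # one bit flipped in transit
    try:
        processor_decrypt(dict(message, ct=ct.hex()))
        tampered = "accepted"
    except ValueError:
        tampered = "rejected"
    return {
        # what the POS holds in memory without P2PE versus with it
        "scraped_without_p2pe": scrape_for_pans(json.dumps({"track2": track2})),
        "scraped_with_p2pe": scrape_for_pans(json.dumps(message)),
        "processor_recovers_track2": processor_decrypt(message) == track2,
        "tampered_message": tampered,
    }

if __name__ == "__main__":
    print(run_demo())
```

The point to notice is where the keys live: the terminal holds only its injected device key, the POS holds nothing, and the BDK exists only in the processor's decryption environment. A compromise of the POS, or of the network between it and the processor, exposes ciphertext and a KSN, neither of which is of any use without the BDK.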
Tokenization
Long-term storage of payment card data creates its own exposure, and tokenization resolves it by replacing sensitive cardholder data with a meaningless value from the moment of authorization onward. This protects subsequent and incremental card usage in environments such as e-commerce, online reservations, and recurring billing. Done correctly, tokenization replaces the card data with a random alphanumeric value, the token, that is meaningless to everyone except the token vault that maps it back to the card. If tokens ever fall into the wrong hands, hackers have no way to use them. For that to hold, tokens must be dynamic (a fresh random token for every transaction processed), they must have no mathematical or one-to-one relationship with the card, and they must not be reversible: there is no key that turns a token back into a card number. Tokenization is not encryption.
With tokens, merchants no longer need to use and store cardholder data for the daily business functions that once required it. A well-designed tokenization solution lets merchants safely reference their customers' transactions for later use, including returns, card-on-file payments, recurring billing, and incremental authorizations, without exposing their environment to the risk of storing the sensitive data itself.
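An added example (not Shift4's code) of a token vault meeting those three requirements, with a hashed "token" beside it to show why a deterministic value derived from the card fails them. The vault is an in-memory dict standing in for the gateway's protected store; the card number, amounts, and the attacker's assumed knowledge of the first eight and last four digits are constructed for the demonstration.

```python
"""Added illustration of a token vault with the properties the text requires,
next to a 'token' that violates them; not Shift4 code. The vault is an in-memory
dict standing in for the gateway's protected store, and the attacker's knowledge
of the first eight and last four digits is an assumption for the demonstration."""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

class TokenVault:
    """Lives at the gateway/processor, never at the merchant. Each token is drawn
    at random per transaction and maps back to the PAN only through this table."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(16))
            if token not in self._store:  # no relation to the PAN; unique by lookup
                self._store[token] = (pan, expiry)
                return token

    def detokenize(self, token: str) -> tuple:
        if token not in self._store:
            raise ValueError("unknown token")
        return self._store[token]

class Gateway:
    """Gateway API as seen by the merchant: card data goes in once, tokens come back."""

    def __init__(self):
        self.vault = TokenVault()

    def authorize_card(self, pan: str, expiry: str, amount: int) -> dict:
        # Issuer authorization would happen here; the merchant gets a token, not a PAN.
        return {"result": "APPROVE", "amount": amount, "token": self.vault.tokenize(pan, expiry)}

    def charge_token(self, token: str, amount: int) -> dict:
        """Incremental auth, card-on-file or refund: the merchant sends only the token."""
        pan, expiry = self.vault.detokenize(token)
        # pan/expiry go to the issuer from here; the merchant never handles them
        return {"result": "APPROVE", "amount": amount, "last4": pan[-4:]}

def hash_token(pan: str) -> str:
    """A common mistake: a deterministic one-way function of the PAN. It is not
    random, the same card always yields the same value, and it can be brute-forced."""
    return hashlib.sha256(pan.encode()).hexdigest()

def recover_pan_from_hash(token: str, known_prefix: str, known_suffix: str):
    """Attacker who knows the issuer range (first 8 digits) and the last four from a
    receipt only has to try the 10,000 middle combinations (fewer still if the Luhn
    check digit is applied). Returns the PAN on success, None otherwise."""
    for middle in range(10_000):
        candidate = f"{known_prefix}{middle:04d}{known_suffix}"
        if hash_token(candidate) == token:
            return candidate
    return None

def run_demo() -> dict:
    gateway = Gateway()
    pan, expiry = "4111111111111111", "2612"  # constructed test card
    checkin = gateway.authorize_card(pan, expiry, 20000)  # hotel check-in
    later = gateway.authorize_card(pan, expiry, 5000)     # same card, new transaction
    extra_night = gateway.charge_token(checkin["token"], 15000)  # incremental auth
    try:
        gateway.charge_token("0000000000000000", 100)
        forged = "accepted"
    except ValueError:
        forged = "rejected"
    return {
        "tokens_are_per_transaction": checkin["token"] != later["token"],
        "incremental_auth": extra_night["result"],
        "forged_token": forged,
        "hash_token_recovered_pan": recover_pan_from_hash(hash_token(pan), pan[:8], pan[-4:]),
    }

if __name__ == "__main__":
    print(run_demo())
```

The random token cannot be attacked the same way: with no function linking it to the card, enumerating candidate PANs gives the attacker nothing to compare against, and the only path from token to card is the vault, which stays at the gateway.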
Total Transaction Security
Data thieves are everywhere, looking to steal payment information in bulk or to use lost, stolen, or counterfeit cards. To foil their attacks, merchants can implement the one-two-three punch of EMV, P2PE and tokenization to ensure that transactions are secured along the entire payment journey. This lets merchants and their customers breathe easier and do business with greater confidence.
J.D. Oder II is CTO and SVP of Research and Development for Shift4. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. Shift4, the world’s largest independent payment gateway, provides powerful, Web-based applications that allow merchants to turn their customers’ credit, check, debit, and gift card transactions into dollars in the bank quickly, accurately, and securely.