Retailers, and their acquirers, need to step up efforts to secure payment transactions and reduce the risk of compromise for their customers’ data. 2014 was the year of the biggest merchant breaches of all time, but major, well-publicized, data breaches continue to cost retailers millions of dollars in penalties, damage to reputation, stock price and sales.
Why are we still seeing breaches of this type? Solutions that provide increased protection for cardholder data, while maintaining the highest levels of performance—up to millions of transactions per day—were defined and developed after the highly publicized breaches in 2009. The Payment Card Industry (PCI) released solution requirements for point-to-point encryption (P2PE) to assist merchants in protecting cardholder data and reducing the scope of their environment for PCI DSS assessments. However, these approaches still seem to be a concept rather than common practice.
What can reduce the risk of sensitive payment data breaches? Encrypting sensitive data at the point of swipe (or dip in the case of EMV cards) in the payment device and only decrypting it at the processor. Direct attacks on devices in the payment acceptance process have become increasingly common and highly sophisticated, but strongly encrypted cardholder data is useless to cyber criminals. To understand the approaches, and the benefits, of implementing sensitive data protection, let’s focus on two key areas: traditional payment acceptance terminals and mobile.
Electronic point of sale (POS) solution providers need to maximize security for payment card transactions without slowing performance. Their solutions need to encrypt cardholder data from the precise moment of acceptance on through to the point of processing, where transactions can be decrypted and sent to the payment networks. By deploying P2PE systems that sit between the POI (point of interaction – the point of swipe) device and the point of decryption at the processor are removed from the scope of most PCI DSS compliance requirements, since the sensitive data passing through them is encrypted.
It is important to note the difference between encrypting the data at the point of swipe device and encrypting the data in the POS system, more specifically the retail terminal. POI devices are PCI certified, thereby providing high-assurance cryptography and key management functionality. Retail terminals, on the other hand, are typically PC or tablet-based devices that typically only offer software-based encryption and do not have the security controls of PCI-certified devices.
At the point of processing, data decryption takes place using hardware security modules (HSMs) for secure key management, as required by PCI-P2PE requirements. HSMs perform secure key exchanges and, in most applications, secure key derivations that produce a unique key to protect each and every payment transaction. Taking advantage of these security capabilities, solution providers can build high-capacity and redundant secure systems so that multiple servers and multiple HSMs, deployed at multiple data centers, can combine seamlessly to service high transaction volumes with automated load balancing and failover.
Verifone—a provider of secure payment acceptance solutions—is one example of a P2PE solution provider that follows this approach with a distinctive combination of strong security and risk mitigation against malicious capture of cardholder data, while at the same time ensuring performance and availability for transactions – a win-win for retailers. The Verifone solution was specifically designed to enable retailers to implement best practices for data field encryption, providing security that helps reduce the scope of PCI-DSS audits.
Mobile Payment Acceptance
The mobile revolution enables affordable, on-the-go payment acceptance for smaller merchants. However, with the increasing availability of mobile payment acceptance options, small merchants and mobile businesses need to take a moment to consider the security of their customers’ payment data.
Mobile point-of-sale, or mPOS, uses a low-cost card reader (“dongle”) connected to a mobile phone or tablet to accept payments from both EMV and magnetic stripe payment cards. As with traditional POS, it is critical that the card reader encrypt the sensitive payment data it receives.
Payment services providers like Creditcall and ROYAL GATE faced the challenge of securing their mPOS solutions and used P2PE to protect the sensitive payment data from their mobile acceptance offerings. They integrated HSMs with their processing application as a critical component to manage keys and secure customer data following PCI P2PE solution requirements. The use of HSMs enables them to defend against external data extraction threats and to protect against compromise by a malicious insider.
Pay With Your Mobile
While several methods exist for enabling the use of mobile devices for making payments, host card emulation (HCE) has distinct market advantages. Because the security of the payment data and transaction is not dependent on hardware embedded in the phone, it has much broader applicability; any smartphone could use the HCE approach by loading payment credentials on the device and using it in place of a physical card.
HCE-based applications leverage the near field communications (NFC) controller on mobile devices to interact with a contactless POS terminal. However, since the application cannot rely on secure hardware embedded in the phone for protection of the payment credentials, alternative approaches for protecting sensitive data and transaction security have to be used. These approaches include tokenizing payment credential numbers as well as actively managing and rotating keys used for transaction authorization. This enables issuers to manage the risk introduced by having a less secure mobile device environment for payment credential data.
These alternative approaches rely on HSMs in the issuer environment to not only create the rotating keys but also to send them securely to the mobile device. In addition, the HSMs are also a critical part of the tokenization and transaction authorization process. The HCE infrastructure does not actually introduce any new security processes or procedures for retailers and processors; it just enables issuers to combine their existing strong security practices—comprising key generation/distribution, data encryption and message authentication—into a cohesive offering to enable payments with mobile devices.
Takeaways for Today’s Businesses
Payment card fraud is a global, multi-billion-dollar business. The promise of huge financial reward spurs cyber criminals to create increasingly sophisticated attack vectors, including attacks on payment devices themselves. But the reality is that retailers and their acquirers can reduce their risk and fear if the sensitive cardholder data in their possession is gibberish to hackers. This is why P2PE is so critical in the fight to reduce fraud.
Best practices for keeping sensitive card data safe today include deploying P2PE and using HSMs in the processing environment to protect keys, manage risk on HCE payment credentials and provide a secure and compliant trust environment. Retailers and their acquirers have only themselves to blame for devastating data breaches that expose sensitive card data if they fail to institute these safeguards.
About the author:
Jose Diaz has worked with the Thales group for over 35 years and is currently responsible for payment product strategy at Thales e-Security. He has worked with payment application providers in developing solutions and roadmaps for securing the payments ecosystem. During his tenure at Thales, Jose has worked in Product Development, Systems Design, Sales in Latin America and the Caribbean, as well as Business Development.