Hackers have become much more organized and sophisticated than they once were. These aren’t the teenagers of yesteryear in their mom’s basement trying to break into Myspace accounts. They’re sophisticated tech experts and they’re trading the latest tactics for stealing payment card data all around the globe. Hacking groups are being formed, backed, and trained by criminal organizations and nation-states. And, some of them are using this data to fund organized crime and possibly even terrorism. There is a coordinated war for payment card data, and more needs to be done to help merchants keep their customers’ payment information away from hackers. It involves going beyond what’s required for Payment Card Industry (PCI) compliance and doing much more than just adding EMV chip cards into the mix.
The fact is that merchants need to layer security tools to ensure that sensitive cardholder data (CHD) is protected throughout the entire transaction process: when it’s transmitted, processed, and stored. Three existing technologies – EMV, point-to-point encryption (P2PE), and tokenization – give merchants the “weapons” they need to win this fight. Let’s take a deeper look at each of the components of this payment security trifecta.
Authenticating the Card: EMV
The highly publicized U.S. EMV liability shift began in October 2015 for most merchants. Supporters of the EMV migration – namely the card-issuing banks that are poised to save the most money due to the realigning of fraud liability – have claimed that it will protect merchants and consumers from falling victim to data breaches. This isn’t true. While EMV chip cards are more advanced than magnetic stripe cards, they aren’t a cure-all for payment data security, and they won’t protect merchants or consumers against breaches.
EMV is a card authentication method – not a true security solution – but it still plays a critical role in the payment security trifecta. That’s because it helps to prevent merchants from processing card-present payments with counterfeit, lost, or stolen credit and debit cards. When an EMV chip card is used at a card-present point-of-sale (POS) terminal (like a retail store or a restaurant), the microchip generates a dynamic code that authenticates the card and, if the consumer’s card was issued with a PIN, the cardholder as well. A break in this coding sequence flags the card as a fake, and the card is then turned off.
This is better than the magnetic stripe, which is very easy to copy and can be cheaply counterfeited. However, the chip itself isn’t completely foolproof. For example, some criminals are making fake chips or breaking the chips so they can be offered a “swipe fallback,” which allows them to swipe a (counterfeit) magnetic stripe because their chip gives a misread. EMV also doesn’t yet protect against fraud in card-not-present environments, such as e-commerce, the case of keyed-in payment information, or subsequent card usage like incremental authorizations in hotels or subscription billing at a gym.
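The “dynamic code” described above is easiest to see in a small model. The following is an added example, not code from the article or from Shift4, and it simplifies EMV: a real chip derives session keys and produces an ARQC under the issuer’s 3DES/AES keys, whereas here the card and issuer share one key and the cryptogram is a truncated HMAC-SHA256 over the transaction counter (ATC), amount and a terminal nonce. The class and function names are assumptions. It shows why a copy of the card data (the magnetic-stripe situation) or a recording of an earlier authorization is declined while a genuine chip transaction is approved.

```python
import hashlib
import hmac
import os


class ChipCard:
    """Simplified chip (hypothetical): a per-card secret key shared only with
    the issuer, plus an application transaction counter (ATC). The key never
    leaves the chip, so a copy of the card's data does not carry it."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount_cents, terminal_nonce):
        # Each dip/tap increments the counter and MACs counter + amount +
        # terminal-supplied nonce, so the value differs for every transaction.
        self.atc += 1
        msg = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(8, "big") + terminal_nonce
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "cryptogram": tag}


class Issuer:
    """Issuer host: holds each card's key and the highest ATC seen so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, request, amount_cents, terminal_nonce):
        key = self._keys.get(request["pan"])
        if key is None:
            return "DECLINE: unknown card"
        # A counter at or below the last accepted one means an earlier
        # authorization is being played back.
        if request["atc"] <= self._last_atc[request["pan"]]:
            return "DECLINE: transaction counter reused"
        msg = request["atc"].to_bytes(2, "big") + amount_cents.to_bytes(8, "big") + terminal_nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, request["cryptogram"]):
            return "DECLINE: cryptogram does not verify"
        self._last_atc[request["pan"]] = request["atc"]
        return "APPROVE"


def genuine_transaction(issuer, card, amount_cents):
    """Terminal flow: fresh nonce, chip computes the cryptogram, issuer checks it.
    Returns the result and the request as an observer on the wire would see it."""
    nonce = os.urandom(4)
    request = card.generate_cryptogram(amount_cents, nonce)
    return issuer.authorize(request, amount_cents, nonce), (request, amount_cents, nonce)


def replayed_transaction(issuer, captured):
    """A previously observed authorization submitted a second time."""
    request, amount_cents, nonce = captured
    return issuer.authorize(request, amount_cents, nonce)


def cloned_card_transaction(issuer, pan, amount_cents):
    """A copy carrying the PAN but not the chip key can only guess the cryptogram."""
    nonce = os.urandom(4)
    forged = {"pan": pan, "atc": 9999, "cryptogram": os.urandom(8)}
    return issuer.authorize(forged, amount_cents, nonce)


if __name__ == "__main__":
    bank = Issuer()
    chip = bank.issue_card("4111111111111111")  # constructed test PAN
    verdict, seen = genuine_transaction(bank, chip, 2599)
    print("genuine:", verdict)
    print("replay:", replayed_transaction(bank, seen))
    print("clone:", cloned_card_transaction(bank, "4111111111111111", 2599))
```

The counter check is what turns the chip’s output from a static value into a one-time one; the cryptogram check is what a static copy can never pass because the key never left the chip.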
Here’s another major issue: the EMV specifications allow payment card information to be exposed in plain text as it flows out of the payment device for authorization, when it’s in transit, and if it’s held in a merchant’s systems or networks. This leaves consumers’ payment information vulnerable to attacks from hackers, for example if RAM-scraping malware were to be used to attack a merchant’s payment systems – unless the merchant also implements P2PE and tokenization.
Secure Storage: Tokenization
There are risks inherent in the long-term storage of CHD, yet business needs – such as returns, recurring charges, etc. – often require this data to be stored. Tokenization resolves these vulnerability issues, assuring protection for subsequent and incremental payment card usage in card-present environments, e-commerce, online reservations, and recurring billing scenarios. When done correctly, tokenization replaces payment card data with a random, unique, alphanumeric value – a token – that has no mathematical or one-to-one relationship to an actual card number. That way, if tokens were to ever get into the wrong hands, there would be no way for hackers to use them.
A well-designed tokenization solution enables merchants to safely access their customers’ transaction data for future use, including returns, card-on-file, and chargeback defense without the risk of actually storing that sensitive information.
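To make the “no mathematical relationship” property concrete, here is an added example of a vault-style tokenizer; it is not the article’s or Shift4’s code, and the class names `TokenVault` and `MerchantCardOnFile` and the `TKN` token prefix are assumptions. Tokens are drawn from a CSPRNG rather than computed from the PAN, the PAN-to-token mapping lives only on the vault side, and the merchant’s card-on-file record keeps the token and the last four digits. A return or recurring charge references the token; resolving it to a PAN happens inside the vault, so scanning the merchant’s records for the PAN finds nothing.

```python
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan):
    """Luhn check so the vault only tokenizes well-formed PANs."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Token service side (hypothetical class). The only place the PAN exists;
    the merchant reaches it through tokenize() and charge(), never the mapping."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        # Random token from a CSPRNG: nothing about the card can be computed
        # from it, and repeat calls for the same card give unrelated tokens.
        while True:
            token = "TKN" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(16))
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        # Table lookup only; an unknown or guessed token raises KeyError.
        return self._token_to_pan[token]

    def charge(self, token, amount_cents):
        # The PAN is resolved and used here, inside the vault boundary; the
        # response carries only what a receipt needs. Negative amount = refund.
        pan = self.detokenize(token)
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


class MerchantCardOnFile:
    """Merchant-side storage: the token plus last four for display, never the PAN."""

    def __init__(self, vault):
        self._vault = vault
        self._records = {}

    def store_card(self, customer_id, pan):
        token = self._vault.tokenize(pan)
        self._records[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def charge_on_file(self, customer_id, amount_cents):
        # Returns, recurring billing and incremental charges reference the token.
        return self._vault.charge(self._records[customer_id]["token"], amount_cents)

    def contains(self, needle):
        """What an intruder finds by scanning everything the merchant stores."""
        return any(needle in str(rec) for rec in self._records.values())


if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantCardOnFile(vault)
    tok = merchant.store_card("cust-1", "4111111111111111")  # constructed test PAN
    print("stored token:", tok)
    print("refund via token:", merchant.charge_on_file("cust-1", -1999))
    print("PAN present in merchant records:", merchant.contains("4111111111111111"))
```

Note the difference from format-preserving or hash-based schemes: because the token here is pure randomness, there is no key or algorithm on the merchant side whose compromise would turn tokens back into card numbers.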
Immediate Encryption: P2PE
Hackers are persistent in identifying and exploiting weaknesses in a merchant’s payment system. P2PE encrypts CHD from the moment a card is dipped, swiped, tapped, or keyed at a payment terminal so that the card data never actually enters the POS terminal. The role that P2PE plays in the trifecta is to remove the CHD from the merchant’s payment processing environment entirely, leaving nothing behind that is of any use to hackers and rendering fruitless the criminals’ attempts at stealing CHD from the point of interaction.
In card-present environments, including traditional and mobile points of sale, P2PE protects the merchant’s communication channels where tokenization cannot: between the payment device and the processing network. P2PE adds an additional layer of security and protects consumers’ payment information – and the merchant’s payment processing environment – from a variety of attacks, including malware infections in the POS terminal or system. Also, the scope of the merchant’s Payment Card Industry Data Security Standard (PCI DSS) assessments will be dramatically reduced because their payment systems won’t ever handle sensitive CHD.
In the best implementations of P2PE, the merchant doesn’t have control over the decryption of CHD for processing and instead outsources this functionality to a trusted, vigilant, PCI-compliant third party. This alleviates the merchant’s burden of protecting sensitive CHD – so they can better focus on their business – and it places it under the watchful eye of those whose sole business is to securely handle payment data.
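The following added example (not the article’s or Shift4’s code) models the three parties just described: a terminal that encrypts at the moment of the dip, a merchant POS that only relays the opaque payload, and a decryption provider outside the merchant’s environment that holds the keys. The class names are assumptions, and because the Python standard library has no AES, HMAC-SHA256 in counter mode stands in for the AES/DUKPT keying used by real P2PE devices; the structure (encrypt-then-MAC at the point of interaction, merchant never holds the key) is the point. A RAM-scraper-style PAN regex is run over the POS’s memory in both the legacy and the P2PE flow to show what each leaves behind.

```python
import hashlib
import hmac
import os
import re

# Pattern scraping malware uses to hunt for card numbers: 13 to 19 digit runs.
PAN_PATTERN = re.compile(rb"\b[0-9]{13,19}\b")


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for AES in real P2PE devices)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class PaymentTerminal:
    """Tamper-resistant point of interaction (hypothetical). Its keys were
    injected by the P2PE provider; the merchant's POS software never has them."""

    def __init__(self, enc_key, mac_key):
        self._enc_key = enc_key
        self._mac_key = mac_key

    def read_card(self, track_data):
        # Encrypt-then-MAC the instant the card is read. Only the opaque
        # nonce || ciphertext || tag leaves the device.
        nonce = os.urandom(16)
        ciphertext = _xor(track_data, _keystream(self._enc_key, nonce, len(track_data)))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag


class MerchantPOS:
    """Merchant register/server: forwards whatever the terminal hands it and
    keeps a copy in memory, which is exactly what RAM-scraping malware reads."""

    def __init__(self):
        self.memory = bytearray()

    def forward(self, payload):
        self.memory += payload
        return bytes(payload)


class DecryptionProvider:
    """Decryption environment of the P2PE provider/processor, outside the
    merchant's network."""

    def __init__(self, enc_key, mac_key):
        self._enc_key = enc_key
        self._mac_key = mac_key

    def decrypt(self, payload):
        nonce, ciphertext, tag = payload[:16], payload[16:-32], payload[-32:]
        expected = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("payload failed integrity check")
        return _xor(ciphertext, _keystream(self._enc_key, nonce, len(ciphertext)))


def scraper_finds_pan(memory):
    """Defender's check: does a PAN-shaped string exist in this memory image?"""
    return PAN_PATTERN.search(bytes(memory)) is not None


def run_transaction(with_p2pe):
    """Compare a legacy terminal (plaintext leaves the device) with a P2PE one."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    track = b"4111111111111111=25121011234567890"  # constructed track-2 style sample
    pos = MerchantPOS()
    payload = PaymentTerminal(enc_key, mac_key).read_card(track) if with_p2pe else track
    forwarded = pos.forward(payload)
    provider = DecryptionProvider(enc_key, mac_key)
    recovered = provider.decrypt(forwarded) if with_p2pe else forwarded
    return {
        "scraper_finds_pan": scraper_finds_pan(pos.memory),
        "processor_recovers_track": recovered == track,
    }


if __name__ == "__main__":
    print("legacy:", run_transaction(with_p2pe=False))
    print("p2pe:  ", run_transaction(with_p2pe=True))
```

The integrity tag is the part people tend to leave out of toy versions: without it, a compromised POS could alter the ciphertext in transit without the provider noticing, so a P2PE payload should fail closed on any modification.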
Layered Security: Merchants’ “Secret Weapon” to Improve Data Security
EMV is a welcome advancement in card and cardholder authentication, protecting merchants from certain types of payment card fraud; however, it is not the silver bullet that some organizations once made it out to be. It does nothing to prevent the theft of card data. It just makes it more difficult for thieves to profit from cards already stolen. Merchants need to layer EMV with P2PE and tokenization to assure that they aren’t burdened with storing, processing or transmitting payment card data, and to make sure that their customers’ payment information is protected. In this war for payment card data, merchants implementing this payment security trifecta will be able to put up the strongest fight and foil even the most sophisticated attacks from hackers. After all, they can’t steal what you don’t have.
About the author:
J.D. Oder II serves as Shift4’s CTO and SVP of Research and Development. J.D. is a Certified Network Engineer with more than 15 years of experience. He leads Shift4’s systems operations and development efforts as well as the security and compliance teams. J.D. is the architect of the DOLLARS ON THE NET® payment gateway solution. He is credited with introducing tokenization to the industry in 2005 and was also an early adopter/member of the PCI Security Standards Council.