The payment processing environment is constantly evolving as hackers find more methods to steal data and the payment industry continues to block these attempts. It’s a complicated topic, so here’s a visual: Most people carry as little cash as possible, and one reason for this is to reduce the risk of being targets for robbery. Plastic cards are popular because they allow people to reduce the cash they carry. This minimizes people’s exposure to loss from robbery, because what you don’t have can’t be stolen.
Now, some people may carry emergency cash in a hidden compartment of a wallet. And people commonly write a note to tell a spouse or family member where this money is. Believe it or not, some people even place this note in the wallet where the cash is hidden.
This may seem funny, but it translates easily to the payment environment. The data from the cards used for payment is like the merchant’s “cash” in the wallet. Encryption or tokenization is like the hiding of the “emergency cash” and the note to a spouse is like the encryption or tokenization key.
So, the fact that a merchant has employed an encryption or tokenization process does not necessarily mean that the data is protected or safe. Some factors to consider include:
- Where is the decryption performed (where is the note about where the cash is hidden)?
- How is it performed?
- How is the data stored and where?
- Who has access?
- Who performs the key management?
These are all important questions, along with many others. The PCI DSS requirements are designed to address these possible weaknesses.
In the recent past, payment cards were swiped by a simple piece of hardware and the card holder data was not encrypted, until it was placed into storage. In some environments, card holder data was gathered to a central switch – a corporate server with a database and stored for a length of time. Today, this storage is a huge target for hackers as they gain a lot of data from one point. In addition, EMV will also have a large impact in the use of central switches.
POS applications used to be payment applications. That means, they actually performed the card swipe, handled the cardholder data, and performed the storage of such data.
Another method, called tokenization, replaces the card holder account data with a code that refers to that data. The strength of this method lies in how the tokenization is performed and where the de-tokenization is able to be performed.
P2PE – Point to Point Encryption
The P2PE method encrypts the card holder data at some point in the authorization and storage process to another point. Risk/exposure depends on where these points are, where the decryption can occur (the key location), and the access to these points. Also to be considered is software versus hardware controlled. This method recently became popular because the processors (banks) either would not or could not decrypt the card data, so it had to be sent to them in the clear (unencrypted). The retailer encrypted the data as soon as possible, after the swipe, and decrypted it just before sending to the processor. This required secure connections to the processor.
E2EE – End to End Encryption
Currently, many processors are providing methods of sending encrypted card holder data to them. For true end-to-end encryption, the data must be encrypted at the point of swipe and stay encrypted all the way to the processor, with no way to perform the decryption in between. To do this, new pin pad devices are much smarter. They can perform the encryption on swipe using the processor’s encryption method, handle all of the transmission and authorization, and send only the masked card data to the POS application. In some cases, the third party applications control the pin pad device and are the certified payment applications. In other cases, the pin pad vendor provides the payment application that actually resides in the pin pad device.
Using these processes, there are several advantages:
- The store register communicates directly with the gateway or processor, reducing the hops (as compared to a central switch type solution).
- There is typically only one card holder data available at any one register, at any one time.
- There is no storage (with the exception of times where the register is offline). Instead of the retailer requiring storage and reporting of payment transactions, the processor is now sharing that data as needed with the retailer, again reducing the exposure and risk for both parties.
Also in this scenario, the POS application is no longer required to be a payment application. It does not have access to sensitive cardholder data and therefore does not need to comply with PA DSS requirements. The third party application has sole access and control of the payment process and is therefore the PA DSS compliant application. This means that the POS application can be updated or modified without requiring PA DSS review. Also, the payment application can be updated and not impact the POS application.
EMV (Europay, Mastercard, Visa), also known as chip and pin, has been in use around the world, except for the United States. It was designed to reduce the fraud caused by counterfeit cards. The industry has varying viewpoints of the risk reduction that this actually provides.
Merchants were encouraged to complete conversion to this standard by October 1, 2015 through the use of incentives. One incentive is this: On that date, liability may shift from the acquirer to the merchant. Today, retailer liability only includes the charge backs that merchants are familiar with. Merchant’s liability, as of the liability shift date, will also include any fraudulent or counterfeit cards that the merchant accepts if it has not properly converted its systems to use the chip and pin process.
Processors are still performing the certifications required for EMV applications on the various hardware devices, so a huge number of payment projects are expected over the next year. The EMV certifications are extremely expensive and can take up to six months. The third party companies, including some processor directed applications, are already getting certified on many major platforms. It is expected that most retailers will choose one of the third party vendors so that the retailer will only need to update its POS application to certify with the EMV ready third party process, greatly shortening the project. Typically a new pin pad device will be required.
Training of sales people and customers will be important. In this process, the card gets inserted into the pin pad device during the sale, stays inserted during the transaction, and the chip determines how the authorization occurs and how the validation is performed. The chip data can actually be updated during the process. The card issuer (and the card brand) determines whether a pin or signature is required. Cashiers will need to ensure that customers actually remove their card at the end of the transaction.
Payment brands and processors are continually working on updates that will shorten the authorization time. Be sure to ask about future expectations.
Many new methods of processing payments via mobile devices have come to the marketplace. Most of these seem trendy, but may be desirable. A careful review of these processes should be performed to evaluate the security, longevity and processing ability of each.
Steps for Exposure Reduction
Remember, what you don’t have can’t be stolen. So retailers should start a project now to upgrade their payment systems to limit the valuable data that can be exposed to risk. Start early, as resources are expected to be limited due to the EMV process. Here are some steps to reduce a retailer’s exposure to risk:
- Diagram the current payment process and map the data based upon its format. You could use red lines for unencrypted data, blue for encrypted data that has a merchant created key, and green for data that no one but the processor can decrypt. Follow all of the data flow, considering the registers, store back office, corporate data flow, and flow to the processor. Be sure not to miss any area that can touch the sensitive payment data. Include how offline transactions are performed.
- Determine the business requirements for the company, with buy-in from Accounting, Operations, Loss Prevention, and even Legal departments. Review the types of tenders to be covered, such as credit card brands, debit cards, gift cards, and so forth. Don’t forget to plan for EMV and mobile payments. Review how offline transactions and returns are to be handled.
- Contact the processor for information on how they are working to improve their process. Find out if it has E2EE processes and what hardware it supports.
- Contact the POS provider and review the options that they can provide, what vendors they are already working with, and how they plan to provide support for E2EE.
- Once all the information that can be attained is gathered, plan out process changes, step by step. Create a new diagram of the cardholder data flow and have each vendor review and confirm what is obtainable. Choose the hardware (especially the payment device) based upon what each vendor chosen has already been certified with. For this hardware, review if the device is ready for EMV, mobile payment processes (NFC), and how soon the device may be retired. Determine if the provider performs firmware updates to keep up with industry changes, or if newer models will be required. Applications to centrally manage the devices may also be important to consider.
- Devise a plan to eliminate the sensitive cardholder data from the existing environment. Set deadlines for purging this data properly and a point in time to validate that all data was removed.
- Stay up to date – Because hackers are getting smarter every day, the processors and merchants must stay on top of new requirements and new security risks and they must be willing to adapt as necessary to stay secure. Following all of the PCI rules and requirements will certainly reduce the risk of a data breach, however, there is no guarantee that even a 100% compliant merchant will be totally safe from hackers/data breach.
As processes continue to change to stay ahead of hackers and those who would try to steal data from customers, some of the potential benefits for merchants are:
- Reduce fraud
- Card brand incentives (be sure to check)
- Potential interchange rate reduction
- Use the payment device for marketing efforts
- Reduce maintenance costs and cost of PCI audits
- Keep up with the competition
- Increased customer confidence