Never has security been more important than it is now, particularly in the wake of several high-profile data breaches in the retail sector. There are many different approaches to securing credit card data; however, often the best security isn’t about choosing one method over another, but rather using a combination of complementary methods to secure card-present and card-not-present (CNP) transactions and data at rest. Let’s explore three of these approaches.
What is EMV?
EMV is a chip-based security standard — also known as chip and PIN or chip and signature — that all but eliminates instances of skimming and counterfeiting, and protects against lost or stolen card fraud. When it comes to protecting against fraud on CNP transactions, such as in ecommerce or mobile transactions, EMV is promoting the use of physical readers and has evolved to support the Card Authentication Program (CAP) from Mastercard, and Dynamic Passcode Authentication (DPA) from Visa. But it doesn’t protect against the bulk theft of credit card numbers, because it’s designed to protect the transaction, not data held on a computer.
Use of Tokenization is Growing
Whereas EMV has been around for the last 20 years in some regions, tokenization is relatively new in the payment industry. According to our recent PCI Compliance Report, only 12% of organizations that we surveyed in the study were using it. Its adoption, however, is increasing, particularly in the mobile payment space, where it's predicted there will be 490 million mobile payment users by 2016. Tokenization helps combat fraud — across payment types — and reduces the scope of PCI compliance. It does this by replacing sensitive data, like a primary account number (PAN), with a generated string of numbers and characters (also known as a token).
There is no reversible mathematical relationship between the token and the original data, so an attacker who obtains a token cannot reverse it to recover the card number. The key strength of tokenization is that it limits the amount of card data held and transmitted within the payment chain, so there is little sensitive data in those systems for an attacker to steal. When it comes to mobile payments, tokenization is particularly beneficial, because it is being built into digital wallets and used as standard. However, there are possible weaknesses — mostly regarding cost. Implementation could be expensive, as new terminals may be needed, as well as integration with legacy POS systems and other applications. These costs can be offset by the potential savings that come from reducing the scope of PCI compliance.
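As an added illustration of the tokenization mechanism described above (example code written for this page, not from the report or any vendor's product), the following Python sketches a token vault: the token is drawn from a CSPRNG rather than computed from the PAN, keeps the length and last four digits so existing systems still handle it, and can only be mapped back to the PAN by the vault itself. The `TokenVault` class, the `merchant_record_sale` helper, the Luhn check and the test card number are all constructed for the example.

```python
import secrets
import string


def luhn_checksum_ok(number: str) -> bool:
    """Luhn check, used here only to validate input PANs and to make sure a
    generated token does not look like a live card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory vault. In practice the vault is a separately secured
    service (typically at the processor or a token service provider); merchant
    systems only ever see the token and never call detokenize()."""

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_checksum_ok(pan)):
            raise ValueError("not a well-formed PAN")
        # Same PAN -> same token, so repeat customers remain recognisable.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: keep length and last four digits for receipts
            # and lookups; every other digit comes from a CSPRNG, not from the
            # PAN, so there is nothing to "decrypt".
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that collides with an existing one or that happens
            # to pass Luhn (downstream systems could mistake it for a real PAN).
            if token not in self._token_to_pan and not luhn_checksum_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; it is the single point that must be protected."""
        return self._token_to_pan[token]


def merchant_record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant's order database holds after tokenization: no PAN at all,
    which is how tokenization shrinks the systems that are in PCI scope."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}
```

Because the token is random rather than derived, two independent vaults given the same PAN produce unrelated tokens; the only way from a token back to a card number is a lookup in the vault that issued it, which is why the vault's access controls and audit logging matter more than any property of the token string.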
Encryption Still has a Role to Play
Traditionally data is exposed at various points within the payment chain as it moves from device to application. But the recently launched point-to-point encryption (P2PE) overcomes this because it uses a one-time encryption key to encrypt data in the terminal as soon as a card is inserted or tapped, to avoid card data being transmitted in the clear to the processor. From the moment a payment card enters the payment chain, data is encrypted and remains that way throughout the process.
At no point does the merchant have the means to decrypt the data as the encryption key is held by a third-party provider. P2PE therefore protects against criminals stealing sensitive data in transit in both card-present and card-not-present transactions. It effectively reduces the scope of PCI compliance and is a cost-effective security method. Adoption of P2PE has been slow — perhaps due to the cost involved in updating POS systems and associated technologies, and partly because there is limited availability of PCI-accredited solutions and vendors.
Our 2015 PCI Compliance report indicates that only 4% of organizations in the dataset were using P2PE. But P2PE does have its own challenges, for example regarding the encryption methods and the management of the encryption keys. It also doesn't address the storage of customer data in other business systems outside of the payment chain. While it may not check all the security boxes on its own, it can be strengthened when used with other security methods, such as tokenization.
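To make the P2PE flow above concrete, here is an added Python model (example code written for this page, not from any P2PE vendor, the PCI SSC or the report) of the three parties: the terminal derives a one-time key and encrypts at card read, the merchant systems only forward ciphertext, and the processor derives the same key from the base key it shares with the terminal. It assumes a counter-based per-transaction key derivation and substitutes an HMAC-SHA256 keystream for the 3DES/AES that real DUKPT-based P2PE uses; `derive_transaction_key`, `terminal_encrypt`, `Processor` and the sample track data are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed model of P2PE with a fresh key per transaction. Real deployments
# use DUKPT key management with 3DES/AES inside PCI-listed terminal hardware;
# here AES is replaced by an HMAC-SHA256 keystream with an HMAC tag
# (encrypt-then-MAC) so the example runs on the standard library alone.
# The structure is the point: the merchant never holds anything that decrypts.


def derive_transaction_key(base_key: bytes, terminal_id: bytes, counter: int) -> bytes:
    """One-time key for transaction `counter`, derived from a base key that only
    the terminal's secure hardware and the processor's HSM know."""
    return hmac.new(base_key, terminal_id + struct.pack(">Q", counter), hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the transaction key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """PRF in counter mode, standing in for a block cipher keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def terminal_encrypt(base_key: bytes, terminal_id: bytes, counter: int, track_data: bytes) -> dict:
    """Runs inside the terminal the moment the card is inserted or tapped."""
    k = derive_transaction_key(base_key, terminal_id, counter)
    header = terminal_id + struct.pack(">Q", counter)
    ks = _keystream(_subkey(k, b"enc"), len(track_data))
    ct = bytes(p ^ s for p, s in zip(track_data, ks))
    tag = hmac.new(_subkey(k, b"mac"), header + ct, hashlib.sha256).digest()
    return {"terminal_id": terminal_id, "counter": counter, "ciphertext": ct, "tag": tag}


def merchant_forward(message: dict) -> dict:
    """The merchant's POS and store network only relay (or log) ciphertext;
    there is no key on this side to misuse or to steal."""
    return dict(message)


class Processor:
    """Processor / P2PE provider side: holds the base keys, rejects replays and
    tampering, and is the first place card data exists in the clear again."""

    def __init__(self, base_keys: dict) -> None:
        self._base_keys = base_keys     # terminal_id -> base key (in an HSM in practice)
        self._last_counter = {}

    def decrypt(self, message: dict) -> bytes:
        tid, ctr = message["terminal_id"], message["counter"]
        if ctr <= self._last_counter.get(tid, 0):
            raise ValueError("replayed or out-of-order transaction counter")
        k = derive_transaction_key(self._base_keys[tid], tid, ctr)
        header = tid + struct.pack(">Q", ctr)
        expected = hmac.new(_subkey(k, b"mac"), header + message["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, message["tag"]):
            raise ValueError("authentication tag mismatch: message altered in transit")
        ks = _keystream(_subkey(k, b"enc"), len(message["ciphertext"]))
        plaintext = bytes(c ^ s for c, s in zip(message["ciphertext"], ks))
        self._last_counter[tid] = ctr   # advance only after a successful check
        return plaintext
```

The counter does double duty: it makes every transaction key different, and it lets the processor refuse a captured message that is sent again. The key-management challenge the text mentions is visible in the `base_keys` table: whoever holds it can decrypt every transaction from that terminal, so in practice it lives in an HSM and is injected into terminals under a separate key-loading process.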
Cover all Bases
Used in isolation these payment security methods don’t cover all areas of card security. Tokenization addresses perhaps the broadest range of concerns and will have an increasing role to play, particularly in light of the growth in mobile payments. It can also be combined with other approaches like P2PE and EMV. But the key thing to remember is that the most comprehensive way to keep card and sensitive data safe is by layering your security and not relying on one method above all others.
Read the April 2015 Forrester Research, Inc. report, “Prioritize Tokenization to Secure the Payment Chain,” for more information on EMV and complementary approaches to securing payments.