Future-Proofing Payments With Point-to-Point-Encryption
By Ralf Gladis, co-founder and CEO, Computop
Any retailer that takes payments at the point-of-sale (POS) in a brick-and-mortar store will most likely recognize the term EMV, which stands for Europay, MasterCard and Visa. It is a global standard for chip cards and for the chip-capable POS terminals that accept them, giving checkout devices a secure payment scheme.
EMV is currently the standard used industry-wide for authenticating and processing credit and debit card transactions. So if it is a standard, then that’s cool. Right? Not necessarily. It might be the right strategy for now; however, if you’re currently investing in POS technology and you’re hoping it will last a good way into the future, you’d do well to think again.
EMV provides security against forged cards, but it doesn’t provide secure processing. An EMV compliant POS device typically uses the EMV chip on the card to authenticate the cardholder through their PIN, and it collects the required card data from the chip. However, when the payment data is forwarded to the payment processor, the message includes the card data in plain text. Therefore, a secure PCI compliant infrastructure at the merchant is required (e.g., encrypted databases, log servers, firewall procedures, etc.) in order to protect that data and avoid a breach. Even then, there is still a risk of hackers intruding into a merchant’s infrastructure in order to steal card data.
This is why Visa and MasterCard introduced the Point-to-Point-Encryption (P2PE) standard for secure payment processing and, as you’d expect, the payment industry is now migrating towards it. P2PE standards were released in April 2012, and P2PE is already mandatory in certain market sectors including mPOS. It is just a matter of time until it becomes a compliance requirement.
Only the P2PE standard provides truly secure processing, because it is designed to allow secure payment processing over insecure networks. Although it is a new security standard, it is already very popular in the U.K. and Germany, because it lifts the PCI burden from the merchant and therefore reduces costs and effort significantly. In summary, what P2PE does is build a secure channel around EMV payment transactions, just like a VPN does.
A very sophisticated hardware-based encryption method, DUKPT (Derived Unique Key Per Transaction), ensures that the payment data is encrypted on the device. It is extremely secure because each transaction is encrypted with a new, unique key. This encryption keeps the data safe while the transaction travels to the payment processor, even through insecure systems, because only the payment processor is able to decrypt the P2PE message that includes the EMV payment data. Then, instead of returning real card data, the payment processor can simply feed back tokens and masked card numbers to the merchant. With P2PE, merchants never have to store or forward real card data again, which reduces the cost and effort of PCI compliance to nearly zero.
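To make the flow concrete, here is an added example (not Computop’s code and not a real DUKPT implementation) that models it end to end: a terminal derives a fresh key per transaction from a one-way key ratchet, encrypts the PAN, and the processor, which alone holds the base derivation key, recomputes that key, decrypts, and returns only a token and a masked PAN to the merchant. The `Terminal` and `Processor` classes, the HMAC-based ratchet and keystream (stand-ins for the ANSI X9.24 TDES key ladder), the replay counter and all key material are assumptions constructed for this illustration.

```python
"""Simplified P2PE flow with a DUKPT-style per-transaction key (illustrative model).
The terminal ratchets its key state for every transaction and encrypts the PAN; the
processor, which alone holds the base derivation key (BDK), recomputes that key, decrypts,
and hands the merchant only a token and a masked PAN. Stdlib only; keys are constructed."""
import hashlib, hmac

def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Key injected into one terminal; the processor recomputes it from BDK + device id."""
    return hmac.new(bdk, b"init|" + device_id, hashlib.sha256).digest()

def ratchet(state: bytes):
    """Return (transaction key, next state). One-way, so a terminal compromised later
    cannot recover the keys of earlier transactions."""
    return (hmac.new(state, b"tx", hashlib.sha256).digest(),
            hmac.new(state, b"next", hashlib.sha256).digest())

def xor_stream(tx_key: bytes, data: bytes) -> bytes:
    """One-time keystream: acceptable only because each tx_key protects exactly one message."""
    stream = hashlib.sha256(tx_key + b"stream").digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

class Terminal:
    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id, self.state, self.counter = device_id, injected_key, 0
    def encrypt_pan(self, pan: str) -> dict:
        tx_key, self.state = ratchet(self.state)          # previous state is discarded
        ct = xor_stream(tx_key, pan.encode())
        tag = hmac.new(tx_key, ct, hashlib.sha256).digest()[:16]
        msg = {"device_id": self.device_id, "counter": self.counter, "ct": ct, "tag": tag}
        self.counter += 1
        return msg                                         # carries no plain card data

class Processor:
    def __init__(self, bdk: bytes, token_key: bytes):
        self.bdk, self.token_key, self.last_counter = bdk, token_key, {}
    def handle(self, msg: dict) -> dict:
        dev, ctr = msg["device_id"], msg["counter"]
        if ctr <= self.last_counter.get(dev, -1):
            raise ValueError("replayed or out-of-order counter")
        state = initial_key(self.bdk, dev)
        for _ in range(ctr):                               # walk the ratchet to this transaction
            _, state = ratchet(state)
        tx_key, _ = ratchet(state)
        expected = hmac.new(tx_key, msg["ct"], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, msg["tag"]):
            raise ValueError("tag mismatch: tampered message or wrong key")
        pan = xor_stream(tx_key, msg["ct"]).decode()
        self.last_counter[dev] = ctr
        token = hmac.new(self.token_key, pan.encode(), hashlib.sha256).hexdigest()[:24]
        return {"token": token, "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:]}
```

The merchant’s systems only ever see the message dict and the token/masked-PAN response, which is the property that shrinks their PCI scope.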
Another advantage of P2PE is the level of security that protects a merchant’s payment processes. A P2PE compliant solution will not only manage the encryption of data but will also track all payment hardware across the retail estate throughout its life cycle. Should payment problems occur, P2PE means that they are much easier to pinpoint and manage.
Retailers who are re-thinking their POS investment over the next year should choose wisely. Given that U.S. merchants already have to make big investments in EMV compliant POS infrastructure, my recommendation is to invest in P2PE ready or P2PE compliant hardware. P2PE POS devices are already available from a variety of payment device manufacturers.
Adopting P2PE from the outset will reduce PCI cost and effort immediately, and it will give merchants a significant advantage when P2PE compliance becomes mandatory. Preparation shouldn’t be complex, and the first step I’d recommend a merchant take is simply to check with their payment services provider whether they are working towards delivering their services in a P2PE compliant way. It is a simple question, and one that could start the process of future-proofing their payment strategy by cutting the cost and effort involved in compliance.