What’s the Big Deal with Point-to-Point Encryption?

EMV, P2PE: what is the difference, and why should merchants implement Point-to-Point Encryption (P2PE) in a PCI-compliant transaction environment?

EMV chip technology (named after Europay, MasterCard and Visa, the companies that developed the specification) protects against counterfeit cards at the point of sale, but it does nothing to protect cardholder data once it leaves the chip. The account number still travels through the terminal, the POS system and the merchant network in the clear, where it can be captured by an attacker and used for card-not-present fraud and identity theft.

To close that gap, merchants should implement P2PE across the entire transaction path. P2PE raises the level of security by meeting the PCI Security Standards Council's P2PE standard, which requires:

  • Using PCI PTS-approved point-of-interaction (POI) devices with Secure Reading and Exchange of Data (SRED) enabled
  • Loading devices with applications and encryption keys only in controlled, limited-access facilities
  • Encrypting card data inside the POI device at the moment the card is swiped, inserted or tapped
  • Transmitting only ciphertext across the merchant's network, and decrypting it only in the solution provider's secure decryption environment before passing it on for authorization

These requirements establish a strict chain of custody for the card data before, during and after it passes through the merchant's systems. Because the merchant never holds an unencrypted account number, a compromise of the POS network yields nothing usable, the merchant's breach risk drops, and the merchant's PCI DSS scope (and the cost of maintaining it) shrinks with it.

For more information on how P2PE benefits both the merchant and your sales opportunities with the merchant, download our P2PE white paper today.


Setting Up Your EMV Payment Solution

Business owners, card issuers and payment processors throughout the United States are now in the process of switching over to EMV. Despite plenty of time to prepare, there are ongoing reports that the transition has been rocky and that US merchants as a whole are not prepared. Many businesses are being pressured into a quick EMV solution that does not take their specific needs into consideration.

EMV technology was designed to authenticate cards at card-present payment terminals. It prevents the use of counterfeit cards in stores far better than traditional magnetic stripe cards do. However, EMV is not 100% secure, and it was never designed to protect the merchant's payment environment: the account number still passes through the terminal and network after the chip has been authenticated. A well-constructed EMV solution therefore requires layered security to protect sensitive cardholder data, including:

P2PE. All card data should be encrypted from the moment it is keyed, swiped, tapped or inserted. Merchants should use a device that encrypts at the point where the terminal interacts with a card or mobile wallet, so that no payment information is ever in the clear where an attacker could capture it. This shrinks the merchant's cardholder data environment to the secure device itself, removing most of the merchant's breach exposure and much of their PCI DSS scope along with it, something EMV alone cannot do.

Tokenization. All stored card data should be removed from the merchant environment and placed with an organization whose primary job is securing its merchant customers' payment processing. To do this, merchants adopt a security- or storage-based tokenization solution, which replaces the account number with a surrogate value (a token) that has no mathematical relationship to the card number and cannot be reversed without access to the provider's token vault. This differs from emerging "payment token" solutions, such as those used by mobile wallets, which protect an individual consumer's credential rather than the merchant's systems.

EMV. EMV has merit for authenticating card-present transactions. Still, merchants should implement EMV in a strategic fashion, making sure to add the layered security of P2PE and tokenization to protect their customers’ payment information from data thieves by removing that sensitive data from the merchant environment entirely.

Though big undertakings such as the transition to EMV can be confusing, merchants must not be pressured into a quick solution that doesn’t meet their specific needs. Instead, they should take the time necessary to implement EMV as a step in the path to true security, not as a security solution in and of itself.

By layering EMV with P2PE and tokenization, merchants can authenticate cards used at card-present terminals, with the added benefit of protecting the card data throughout the transaction and within their own systems and networks. Together the three layers leave an attacker who breaches the merchant environment with nothing usable.


POSDATA is your trusted source in the transition to EMV. We advise organizations of all sizes on payment processes and products. To learn more, Contact Us.

Credit Card Issuers Not Prepared for EMV

In a September 30 press release, MasterCard says that only 40 percent of its U.S. consumer credit cards carry EMV chips.

While this press release is intended to put a positive light on the transition to cards featuring EMV chip technology, the reality is that there is a long way to go before consumer credit cards are fully transitioned. With October 1 as the official liability shift deadline, there are some very concerning signs regarding the slow adoption of EMV technology in the United States:

  1. Last-minute rule changes by the Debit Network Association have delayed development efforts and forced solution providers to update systems that were already deployed.
  2. No one can accept contactless EMV until April 2016.
  3. Only 27% of merchants will be able to accept EMV cards this October. Various sources quote 40% by year end, but this is a lofty goal considering that retailers are very unlikely to roll out new devices and software during the holiday period.


Here’s the full press release:

Purchase, NY, September 30, 2015 — With just hours before the October 1 liability shift, new data from MasterCard reveals that 40 percent of all U.S. MasterCard-branded consumer credit cards feature EMV chip technology. According to a Payments Security Task Force forecast announced earlier today, the number of chip cards in the U.S. will grow to 60 percent by the end of this year, expanding to 98 percent by the end of 2017. “The data proves that the shift to chip in the U.S. is a reality. We’re incredibly encouraged by the tremendous progress across the industry, knowing that consumers are ultimately the ones who will win,” said Chris McWilton, president, North America Markets, MasterCard. Not only are consumers beginning to carry chip cards in their wallets, but they are also able to use them at more and more merchants around the country. The company reported tens of millions of chip transactions in September alone at the more than 350,000 national merchant locations accepting the new cards.

One-quarter (26 percent) of national and regional merchants – stores and restaurants with multiple locations – have started to accept chip cards.

“Consumers are ready for the new chip cards. In fact, 75 percent of cardholders agree the increased security of the chip cards greatly reduces the ability for thieves to copy or use their cards for unauthorized purchases,” said McWilton.

About MasterCard

MasterCard (NYSE: MA), www.mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. MasterCard’s products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone.


EMV Liability Shift Ebook

Most people do not understand the upcoming EMV Liability shift. With the deadline coming October 1, 2015, many merchants and service providers are ill-prepared for the potential consequences of this shift. Fortunately Ingenico has put together an important eBook outlining the EMV Liability shift, with a focus on:

  • What EMV is and the benefits it provides
  • What the EMV liability shift actually means
  • What the risks of not migrating to EMV are
  • How to initiate the EMV migration process for your business
  • How the EMV liability shift will impact specific stakeholders in different fraud scenarios

You can download the eBook at Ingenico’s site here.

EMV Updates: Summer 2015

As I interact with our dealer and reseller partners or sit in on sales calls with end users, questions consistently come up regarding EMV. Here are the latest EMV updates as of Summer 2015.

Do I still need to use P2P Encryption since I am moving to accepting EMV cards?

The answer to this one is definitely yes. A large portion of transactions will still have to be approved online, meaning that the account number is still sent up to the host for authorization. Without P2PE to protect it, that account data is still at risk as it travels through the merchant's network. Allen Friedman, Director of Payment Solutions at Ingenico, says: “Linking EMV and encryption creates an effective shield against card fraud and data breaches. Both are necessary and they complement each other.”

A recent New York Times/National Small Business Association survey of 675 small businesses found that:

  • 50 percent had been victims of hackers looking for credit card data.
  • 68 percent of those hacked were hacked more than once.
  • Small businesses are being hacked at the same rate as large-tier retailers, possibly higher, as many incidents go undetected or unreported.
  • The average attack on a small business costs over $20,000.

A Point to Point Encryption scheme in conjunction with EMV substantially reduces the possibility of account info being

What does the coming Liability Shift really mean to the retailer?

After the October 2015 shift, liability for fraud at the point of sale falls to the party using the less secure technology. American Express, MasterCard and Discover will hold the merchant liable for counterfeit or lost/stolen cards accepted on a non-EMV device. Visa, for now, excludes lost and stolen cards from the shift and will continue to hold the card issuer liable for those.

To put this in perspective …

  • 25 percent of all card transactions in the world take place in the US.
  • 50 percent of all credit card fraud occurs in the US.
  • Credit card fraud has increased to 10 cents per every $100 transacted and is still growing.
  • 10 billion dollars in credit card fraud is expected in 2015, up from 8.5 billion last year.

As EMV is implemented, all this fraud is going to find its way to the least secure merchants.

A few of the payment industry’s experts have also weighed in on liability and security…

  • “Once the larger merchants adopt EMV, fraudsters will pick on the smaller guys unless or until they have migrated” – First Data Merchant Services
  • “While many small merchants will say they are currently not expecting a lot of chargebacks from counterfeit cards, they should know that they will become a target once the liability shift occurs – unless EMV compliance has been achieved” – Vantiv
  • “At some point, consumers will strongly embrace EMV as the secure way to pay, as seen in foreign visitors who are hesitant to shop in US stores that do not have EMV” – First Data Merchant Services

I am also often asked what the return on investment is for spending all this time and money. The simple answer is that there is no simple answer. True, the liability shift is not a mandate, and EMV is not required for PCI compliance. Also true is that many merchants see little fraud given the nature of their business, and that the number of chargebacks a merchant sees today is a reasonable indicator of future fraud exposure. The lack of any real incentive in the form of lower processing fees does not help either, but think of it this way:

  • Security standards are changing more rapidly and the crooks are getting smarter. Those old PCI 1.x and 2.x devices you have may not be secure enough to fend off today's attacks on their own. Keeping up with changing technology is part of the "cost of doing business"; it's not just EMV that is driving these changes.
  • Data breaches are increasing rapidly in the US. EMV paired with a P2PE solution and the PCI DSS network requirements makes you a harder target, and attackers will move on to easier ones. Bear in mind that the merchant is already liable for data breaches, and a breach can cost a merchant the ability to accept credit or debit payments at all.
  • Once EMV is up and running, stolen card data is less valuable and counterfeit cards are harder to use. This benefits all merchants in the long run.

Something else to consider is the risk level going forward as certain merchants are more exposed to fraud by the nature of their business and how prepared they are. Is the merchant…

  • Dealing in a vertical that sells goods that often get returned for cash, sold on the street or sells gift cards?
  • Located in a transient area such as tourist destination, near a major highway or high traffic area?
  • One that has a large number of employees that handle credit cards and also has high employee turnover?

If so, it makes good sense to be as protected as possible.


I hope that this information helps as you speak to your customers about their upgrade plans. If you have any questions, please contact me (Bryan Jackson at this email or 972-514-4236) or your PosData Business Development Manager. We are more than happy to help.

Replace Pre-PCI Devices Now

As 2014 slips away, there is an important piece of information that you will want to share with some of your customers.  December 31, 2014 is the last day that Pre-PCI devices can be used by customers that have them installed.  Please share this information with those that have Pre-PCI devices still installed in their stores.  We know that POSDATA sold many of these devices to resellers a number of years ago.  If you or your customers have not already replaced them, please make sure that they are aware of this PCI mandate.  If you have any questions regarding this subject, please contact your POSDATA Salesperson or call Senior Sales Support Engineer Bryan Jackson at 972-514-4236,  Bryan.Jackson@posdata.com.

PIN Entry Devices to Expire

As security standards continue to evolve, some PIN entry devices are approaching their expiration. The PCI Security Standards Council and Visa recently announced that devices approved under the first version of the PCI PIN Entry Device (PED) program (way back in 2004!) and not subsequently approved to a higher version are now at their expiration point. Stakeholders with version 1.x devices should actively plan for their replacement, as these devices are far more vulnerable to compromise and may lead to theft of cardholder information. See the full expiration announcement here.

How do you know whether your device is reaching expiration? Different manufacturers use different ways to identify them. Look for markings indicating the PCI PTS PED approval version, and if you are having trouble reach out to our experts.

To contact us:

POSDATA, a Business Unit of Control Solutions Inc.

5775 Soundview Drive, Suite 101E
Gig Harbor, WA  98335

800-852-3282
sales@posdata.com

End to End Encryption and Tokenization

E2EE and Tokenization are often positioned as an either/or solution, but this is not the case. Each technology has its place in payment security. This article defines both solutions and their significant characteristics.

E2EE ensures the security of sensitive cardholder information from the moment the card is swiped all the way to when it is processed by a gateway or processor and passed on to a bank for authorization.

This technology ensures that at the point of card acceptance, i.e. within the Magnetic Stripe Reader (MSR) itself, the card data is encrypted before it ever reaches the Point of Sale (POS) software. MSRs use Triple DES (TDES) encryption with DUKPT (Derived Unique Key Per Transaction) key management, so every transaction is encrypted under its own key and the merchant's POS and network only ever carry ciphertext. Once the data reaches the processor's PCI DSS-compliant environment, it is decrypted inside a hardware security module and passed on for authorization.

Historically, encryption has been the standard for securing data and is used in virtually every transaction for many different reasons. When E2EE is used for credit card data, the Primary Account Number (PAN) is transformed by a cipher into ciphertext that cannot be read without the corresponding decryption key. E2EE addresses a major insider threat: staff and systems between the reader and the processor never see a usable account number. The weakness in many companies is that encryption is not centrally managed; it is easily added piecemeal to applications, built into operating systems, databases, POS devices and so on, each with its own keys and its own gaps.

The Payment Card Industry Security Standards Council (PCI SSC) has not mandated E2EE outright; PCI DSS requires strong cryptography for cardholder data sent over open, public networks, and the Council's P2PE program validates complete encryption solutions for processors, software providers and merchants. A good illustration of true end-to-end key security is the distribution of a secret key under a Key Exchange Key (KEK) between two hardware security modules (HSMs). The KEK process is common practice in government, telecommunications and banking wherever end-to-end security must be ensured. Using this technique, the secret key is never seen in the clear outside the two endpoints: the first HSM (the origin) encrypts the secret key under the KEK, the wrapped key is sent to the second HSM (the destination), and only there is it decrypted.

However, there are drawbacks to this technology:

  • Anyone who obtains the decryption key can read every piece of card data encrypted under it; key custody is the whole game.
  • If many transactions are encrypted under the same static key, an attacker who collects enough ciphertext can look for repeated patterns (under ECB mode, identical PANs produce identical ciphertext) and a single key becomes a single point of failure. Per-transaction keys such as DUKPT exist precisely to limit what one captured key or ciphertext is worth.
  • With E2EE, card data may still have to pass through multiple systems internally on its way to the acquiring bank or processor. The result is the dreaded "encrypt, decrypt, re-encrypt" scenario, in which every intermediate system that holds plaintext is a place an unauthorized insider can read it.
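The following is an added example, written for this page rather than taken from the article or from any of the vendors it names. It shows the property the MSR/DUKPT design above relies on, and the "encrypt at the POI, decrypt only at the host" rule from the first P2PE section: every transaction is encrypted under its own key derived from the Key Serial Number (KSN), so the POS and network in between carry only ciphertext, a captured ciphertext does not help with the next transaction, and a modified message is rejected. Two stand-ins keep it runnable with the Python standard library alone and are marked in the code: HMAC-SHA256 replaces the ANSI X9.24 TDES-based key derivation (so it is not interoperable with real readers or HSMs), and an HMAC keystream plus a MAC replaces TDES-CBC. The KSN layout and the names (`Reader`, `host_decrypt`, `demo`) are also my assumptions.

```python
"""Added example: encryption at the point of interaction with a unique key per
transaction, in the style of DUKPT. Not from the original article.

Stand-ins (chosen so this runs with only the standard library):
  * key derivation is HMAC-SHA256, NOT the X9.24 TDES derivation, but it keeps
    the property that matters: keys are one-way and unique per KSN;
  * the cipher is an HMAC-SHA256 counter-mode keystream XORed with the data,
    standing in for TDES-CBC, plus a MAC because CBC alone gives no integrity;
  * the KSN is a simplified 8-byte device id + 3-byte transaction counter.
"""
import hashlib
import hmac
import secrets


def _kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    return hmac.new(key, label + b"|" + context, hashlib.sha256).digest()


def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Key injected into one reader (the IPEK). The BDK itself never leaves the HSM."""
    return _kdf(bdk, b"ipek", device_id)


def transaction_keys(ipek: bytes, counter: int):
    """(encryption key, MAC key) for one transaction counter value."""
    ctr = counter.to_bytes(3, "big")
    return _kdf(ipek, b"enc", ctr), _kdf(ipek, b"mac", ctr)


def _keystream(key: bytes, nbytes: int) -> bytes:
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((nbytes + 31) // 32)]
    return b"".join(blocks)[:nbytes]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Reader:
    """The POI device: holds only its IPEK and a counter, never the BDK."""

    def __init__(self, ipek: bytes, device_id: bytes):
        self.ipek, self.device_id, self.counter = ipek, device_id, 0

    def encrypt_track(self, track_data: str) -> dict:
        self.counter += 1
        enc_key, mac_key = transaction_keys(self.ipek, self.counter)
        pt = track_data.encode()
        ct = _xor(pt, _keystream(enc_key, len(pt)))
        # The only things that leave the reader: KSN, ciphertext, MAC tag.
        return {
            "ksn": (self.device_id + self.counter.to_bytes(3, "big")).hex(),
            "ct": ct.hex(),
            "tag": hmac.new(mac_key, ct, hashlib.sha256).hexdigest(),
        }


def host_decrypt(bdk: bytes, msg: dict) -> str:
    """Processor/HSM side: rebuild the same per-transaction keys from the KSN."""
    ksn = bytes.fromhex(msg["ksn"])
    device_id, counter = ksn[:8], int.from_bytes(ksn[8:], "big")
    enc_key, mac_key = transaction_keys(initial_key(bdk, device_id), counter)
    ct = bytes.fromhex(msg["ct"])
    expected = hmac.new(mac_key, ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("MAC check failed: message altered in transit")
    return _xor(ct, _keystream(enc_key, len(ct))).decode()


def tamper_check(bdk: bytes, msg: dict) -> bool:
    """True if flipping one ciphertext bit in transit is detected by the host."""
    ct = bytearray(bytes.fromhex(msg["ct"]))
    ct[0] ^= 0x01
    try:
        host_decrypt(bdk, dict(msg, ct=bytes(ct).hex()))
    except ValueError:
        return True
    return False


def demo():
    bdk = secrets.token_bytes(32)                    # lives only in the acquirer HSM
    device_id = bytes.fromhex("FFFF9876543210E0")    # constructed device id
    reader = Reader(initial_key(bdk, device_id), device_id)
    track2 = "4111111111111111=2512101"              # constructed test PAN, not a real card
    m1 = reader.encrypt_track(track2)
    m2 = reader.encrypt_track(track2)                # same card, next transaction
    return bdk, m1, m2


if __name__ == "__main__":
    bdk, m1, m2 = demo()
    print("POS sees:", m1)                           # no PAN digits anywhere in it
    print("host recovers:", host_decrypt(bdk, m1))
    print("same card, different ciphertext:", m1["ct"] != m2["ct"])
    print("tampering detected:", tamper_check(bdk, m1))
```

Two things to notice when you run it: the same test PAN swiped twice produces two unrelated ciphertexts under two different KSNs, which is what defeats the "collect enough ciphertext and look for patterns" attack in the drawbacks list, and a single flipped byte in transit fails the MAC check, which is the integrity check TDES-CBC on its own does not give you.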

One important question is: will end-to-end encryption eliminate the chance that stolen cardholder data can be used successfully for fraudulent transactions? The answer, unfortunately, is no. There is an old saying in the security industry that you cannot secure a grass hut with a steel door. In other words, if you harden the merchant and processor systems with end-to-end encryption, criminals may simply skim magnetic stripe data elsewhere. Imagine hordes of magnetic stripe skimmers in the hands of restaurant employees, or criminals using false fronts on ATMs in the U.K. to capture magnetic stripe data and PINs, then sending cloned stripe data to the U.S. for fraudulent use.

Tokenization

Tokenization replaces the sensitive card number with a surrogate value, or "token", that keeps whatever the merchant's systems need (typically the length, format and last four digits) while carrying no recoverable relationship to the real number. This approach has become popular as a way to increase the security of card-present and e-commerce transactions while minimizing the cost and complexity of PCI DSS compliance. Tokenization involves replacing the PAN (and other data) with the token and centralizing (or outsourcing) the real card data in a single protected vault.

The merchant never needs to decrypt anything or call the real PAN back into its environment: the token can be used repeatedly for refunds, recurring billing and reporting, and only the vault can map it back to the card number. A database full of tokens is of no value to an attacker.

Drawbacks to using tokenization exclusively:

  • Tokenization still requires encryption for the transmission of the card data from the point of capture to the token vendor; the token protects data at rest, not data in flight.
  • There is no established industry standard for tokenization, although the PCI Security Standards Council has created a special interest group to produce a set of best practices for the technology.
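The following added example, mine rather than the article's or any vendor's, serves this section and the "Tokenization" paragraph in "Setting Up Your EMV Payment Solution" above. It is a minimal token vault showing what changes for the merchant: a token that keeps the PAN's length and last four digits but is random and cannot be reversed outside the vault. The design choices are my assumptions, not the article's: tokens are deliberately built to fail the Luhn check so a token can never be mistaken for (or replayed as) a card number, the same PAN maps to the same token so a merchant can still recognise repeat customers, the vault's lookup index is a keyed hash so it leaks nothing, and the vault is an in-memory dict where a real one keeps PANs encrypted under HSM keys. The names (`TokenVault`, `merchant_record_sale`) and the test card numbers are also mine.

```python
"""Added example: a minimal token vault. Not from the original article.

Assumptions: random tokens, same length as the PAN, last four preserved,
never Luhn-valid; one PAN always maps to one token; in-memory storage
stands in for a real vault that encrypts PANs under HSM-protected keys.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, which every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component that ever holds real card numbers."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key           # keyed hash: index reveals no PAN
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random digits, same length, last four preserved, never Luhn-valid."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Failing Luhn means no payment system will ever treat it as a PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:       # repeat customer: same token
            return self._token_by_index[idx]
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (processor side) can do this; merchants never call it."""
        return self._pan_by_token[token]


def merchant_record_sale(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's database row looks like once the PAN is tokenized."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"              # constructed test number, not a real card
    row = merchant_record_sale(vault, test_pan, 42.50)
    print("merchant stores:", row)
    print("same token on repeat:", vault.tokenize(test_pan) == row["token"])
    print("token fails Luhn:", not luhn_valid(row["token"]))
    print("vault recovers:", vault.detokenize(row["token"]) == test_pan)
```

The merchant's row carries the token, the last four digits for receipts and customer service, and the amount; nothing in it is cardholder data under PCI DSS, which is where the scope reduction the article describes comes from. Refunds and recurring charges are submitted with the token, and the mapping back to the card number happens only inside the vault.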

Using Both Tokenization & E2EE

In the early stages of this technology, the large PIN pad manufacturers (Equinox, Ingenico and VeriFone) either partnered with companies offering E2EE and tokenization or developed their own solutions. Providers such as TransArmor® (First Data), Element, Voltage, EPX and others have since developed hardware- and processor-agnostic offerings that interface with most card processors, provided the card data is encrypted at the MSR. VeriFone was one of the first to develop its own, VeriShield®, which has had success since its introduction in 2008.

E2EE and tokenization are often positioned as an either/or choice, but this is not the case. Encryption has many uses and will likely never be obsolete, and any tokenization solution incorporates encryption somewhere in its process. E2EE and tokenization work best together: encryption protects the card data in flight from the reader to the vault, and tokenization removes it from storage. Suggesting that one can replace the other ignores the reality of large, multi-channel merchants, gateways and service providers.

Conclusion – While each technology has its place in payment security, tokenization is emerging as the primary solution for organizations seeking to mitigate the potential impact of a security breach as well as reduce their overall PCI DSS scope and related costs.

For further information on using E2EE & Tokenization contact POSDATA, Inc. at sales@posdata.com

PCI 1.3 vs. 2.0 vs. 2.1… What Does It All Mean?

By now, I’m sure you’ve all been exposed to the talk about PCI 1.3 terminals, PCI 2.0 terminals, PCI 2.1 terminals and why one is better than the other.  Since this year’s National Retail Federation show this January, the landscape has become a little bit clearer.  For those of you who want to know more about the PCI mandates and what they mean to you and your multilane customers, read on.

There are basically three PCI mandates that terminal manufacturers and merchants have had to concern themselves with: PCI PED/PTS versions 1.0, 2.0 and 3.0 (the PIN Entry Device program, renamed PIN Transaction Security). These lay out the physical and logical security requirements that terminal manufacturers must meet, as tested by independent laboratories, in order to manufacture and sell new terminals. New versions are released every few years as new attacks and countermeasures against physical and communication compromise are developed.

In the middle of the last decade, terminals began to be manufactured that met the first PCI standards (V1.0 with added further addendums to V1.3).  After 2007, terminals that did not meet these standards could no longer be purchased or installed.  These terminals met new standards and will be certified for sale and installation until 2014.

Towards the end of the decade, PCI 2.0 specifications were released that included added security as well as things like encrypted card readers etc.  These terminals have been certified for sale and installations through the end of 2017.  The V2.0 mandate has had certain documents updated and has changed to V2.1.  For the purpose of security however, V2.0 and V2.1 are identical.  It was also announced that PCI V3.0 mandate specifications would be released in the 2010-2011 timeframe.

So where does that leave everyone?  Let me begin by saying that V1.3 devices (most of the newest PCI terminals in the field today) are safe and certainly contain far more security than terminals sold prior to 2008. No merchant should fear that they are somehow "stuck" with a V1.3 device that leaves them open to a breach.  Version 1.3 terminals loaded with TDES keys should be quite secure. Merchants should, however, be aware that a new generation of terminals with newer security features is being introduced, certified for sale and installation through the end of 2017. While most V1.3 terminals should remain in production through their certification period (2014), V2.1 devices will have an additional three years of availability. When V3.X terminals are introduced (2 to 3 years from now) they will have yet another extended certification period.

Hypercom and UIC both announced V2.X products in 2009. Hypercom announced an upgraded L4150 product that meets the new V2.X standards and UIC introduced the PP795 that is 2.X compliant. Both had deliverable products in Q4 of 2009. In mid January, VeriFone announced that they would be offering the MX8XX product line in 2.X certified form.  ViVotech announced two terminals (8600 and 8800) that are V2.X certified.

So now, everyone has jumped into the fray with some version of a PCI V2.X product. Some terminals are deliverable today and the rest will be available sometime later in 2010.

The rules remain the same as they have always been. The merchants and acquirers are liable for breaches if they don’t have TDES after July 1, 2010. Fines for non-compliance could be as high as $500,000 for each occurrence. Additionally, compromised terminals such as the VeriFone PP101, 201, 2000, Everest P003-3XXX, Hypercom S7S, S8, Ingenico eNCrypt 2100 and eNCrypt 2400 (also known as the C2000 Protégé) should be removed immediately from service to avoid merchant liability. Only POS PED devices that are PCI 1.3 or higher should be purchased for installation at a merchant’s location.

A higher level of security is always better. Visa Best Practices advise 2.X terminals for installations going forward.

POSDATA can help you when your customers have any questions. We have the latest information on products and the availability of 2.X devices. Call your sales representative for more information.