The latest figures from the Ponemon Institute and IBM 2015 Cost of Data Breach Study show an ongoing increase in the cost of a data breach.
For companies that participated in the study, the number rose to $3.79 million. And that’s just the tangible cost.
Even more revenue is lost as consumers lose faith in affected companies and look elsewhere to do business and investors move on to other stocks.
You Have to Protect Cardholder Data
Solutions that provide increased protection for cardholder data, while maintaining the highest levels of performance — up to millions of transactions per day — were defined and developed after the highly publicized breaches in 2009.
The Payment Card Industry (PCI) released solution requirements for point-to-point encryption (P2PE) to assist merchants in protecting cardholder data and reducing the scope of their environment for PCI DSS assessments. However, these approaches still seem to be a concept rather than common practice.
But if merchants heed PCI requirements, they can reduce the risk of sensitive payment data breaches.
Encrypting sensitive data at the point the card is swiped (or dipped, in the case of EMV cards, which are equipped with computer chips) in the payment device, and only decrypting it at the processor, is the answer.
Direct attacks on devices in the payment acceptance process have become increasingly common and highly sophisticated, but strongly encrypted cardholder data is useless to cyber criminals. To understand the approaches, and the benefits, of implementing sensitive data protection, let’s focus on two key areas: traditional payment acceptance terminals and mobile.
Securing Payments at the Point of Interaction
Security is critical, but so is speed. Merchants need a solution that won’t slow performance to a crawl.
Electronic POS solution providers need to maximize security for payment card transactions without slowing performance. Their solutions need to encrypt cardholder data from the precise moment of acceptance on through to the point of processing, where transactions can be decrypted and sent to the payment networks.
When you deploy P2PE, you encrypt the data along its entire journey — from the point where the card is swiped to the point of decryption at the processor.
However, not all encryption is the same.
There is a difference between encrypting the data in the point-of-interaction (POI) device where the card is swiped and encrypting it in the POS system, more specifically the retail terminal. POI devices go through a PCI certification process and therefore provide high-assurance cryptography and key-management functionality.
Retail terminals, on the other hand, are typically PC/tablet-based devices that only offer software-based encryption and do not have the security controls of PCI-certified devices.
PCI P2PE guidelines require that data decryption take place at the point of processing using a hardware security module (HSM) — a physical computing device that safeguards and manages digital keys for strong authentication.
HSMs perform secure key exchanges and, in most applications, key management that produces a unique key to protect each and every payment transaction.
Taking advantage of these security capabilities, solution providers can build high-capacity, redundant systems.
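To make the P2PE flow above concrete, here is an added illustration, not code from the article or from any PCI-listed solution: a Go model of a reader that encrypts track data under a key unique to each transaction, a retail terminal that only ever forwards ciphertext, and a processor-side HSM that alone can re-derive the key. It borrows the key serial number (KSN) and base derivation key (BDK) vocabulary of DUKPT-style schemes but is a simplification: the derivation (HMAC-SHA256) and cipher (AES-256-GCM) are assumptions standing in for what a certified device and HSM actually implement, and the BDK, device ID and track data are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KSN (key serial number) travels in the clear beside the ciphertext. It names the
// device and its transaction counter, enough for the HSM to re-derive the key.
type KSN struct {
	DeviceID [8]byte
	Counter  uint32
}

func (k KSN) Bytes() []byte { return binary.BigEndian.AppendUint32(k.DeviceID[:], k.Counter) }

// kdf is HMAC-SHA256 used as a KDF (assumption: a simplified stand-in for the
// derivation a certified reader and HSM would actually use).
func kdf(key []byte, label string, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(data)
	return m.Sum(nil)
}

// deviceKey is what gets injected into a reader: derived from the base derivation
// key (BDK) and the device ID, so the reader itself never holds the BDK.
func deviceKey(bdk []byte, id [8]byte) []byte { return kdf(bdk, "device", id[:]) }

// txnAEAD derives the key for one transaction (device key + counter) and returns
// AES-256-GCM under it; with a 32-byte key the constructors cannot fail.
func txnAEAD(devKey []byte, ksn KSN) cipher.AEAD {
	block, _ := aes.NewCipher(kdf(devKey, "txn", ksn.Bytes()[8:]))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// POIDevice models the PCI-certified reader at the point of interaction.
type POIDevice struct {
	ID      [8]byte
	devKey  []byte
	counter uint32
}

func NewPOIDevice(bdk []byte, id [8]byte) *POIDevice { return &POIDevice{ID: id, devKey: deviceKey(bdk, id)} }

// Encrypt seals the track data under a fresh transaction key the moment the card
// is swiped or dipped; the KSN is bound as associated data. Output: nonce||ct||tag.
func (d *POIDevice) Encrypt(track []byte) (KSN, []byte, error) {
	d.counter++
	ksn := KSN{DeviceID: d.ID, Counter: d.counter}
	gcm := txnAEAD(d.devKey, ksn)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ksn, nil, err
	}
	return ksn, gcm.Seal(nonce, nonce, track, ksn.Bytes()), nil
}

// HSM models the processor-side hardware security module: the only place the BDK
// exists, hence the only place decryption can happen. The retail terminal in
// between only ever forwards the (KSN, ciphertext) pair.
type HSM struct {
	bdk     []byte
	lastCtr map[[8]byte]uint32 // per-device high-water mark, rejects replays
}

func NewHSM(bdk []byte) *HSM { return &HSM{bdk: bdk, lastCtr: map[[8]byte]uint32{}} }

// Decrypt re-derives the transaction key from the KSN and opens the ciphertext.
// Tampering or a wrong key fails the GCM tag check, so decryption fails closed.
func (h *HSM) Decrypt(ksn KSN, ct []byte) ([]byte, error) {
	if ksn.Counter <= h.lastCtr[ksn.DeviceID] {
		return nil, errors.New("replayed or out-of-order KSN counter")
	}
	gcm := txnAEAD(deviceKey(h.bdk, ksn.DeviceID), ksn)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], ksn.Bytes())
	if err != nil {
		return nil, err
	}
	h.lastCtr[ksn.DeviceID] = ksn.Counter
	return pt, nil
}

func main() {
	bdk := []byte("constructed-32-byte-demo-bdk-00!") // constructed demo value
	reader, hsm := NewPOIDevice(bdk, [8]byte{'R', 'D', 'R', '0', '0', '0', '0', '1'}), NewHSM(bdk)
	ksn, ct, _ := reader.Encrypt([]byte("4111111111111111=2512101")) // constructed track 2
	pt, err := hsm.Decrypt(ksn, ct)
	fmt.Printf("decrypted %q err=%v\n", pt, err)
}
```

The design point is the split of key material: the reader receives only a device key, the retail terminal receives nothing, and the BDK lives solely in the HSM, so a compromised terminal yields ciphertext it cannot open, and the per-device counter lets the HSM refuse a replayed capture.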
Securing Payments On the Go
Anytime, anywhere, payment acceptance is one result of the mobile revolution and a real boon for smaller merchants.
However, with the increasing availability of mobile payment acceptance options, small merchants and mobile businesses need to take a moment to consider the security of their customers’ payment data.
Most people are familiar with sliding their card through a card-reading dongle connected to a mobile phone or tablet at a craft fair, food truck or farmers' market. With mobile point-of-sale, or mPOS, small or mobile merchants use these low-cost card readers to accept payments from both EMV and magnetic stripe payment cards. As with traditional POS, it is critical that the card reader encrypt the sensitive payment data it receives.
It can be difficult for payment services providers to secure mPOS solutions.
Several providers overcame this challenge by using P2PE to protect the sensitive payment data from their mobile acceptance offerings. They integrated HSMs with their processing application as a critical component to manage keys and secure customer data following PCI P2PE solution requirements.
This enables them to defend against external data extraction threats and to protect against compromise by a malicious insider.
Securing Mobile Wallets
Host Card Emulation (HCE) is the most flexible method on the market for enabling the use of mobile devices for making payments. Because the security of the payment data and transaction are not dependent on hardware embedded in the phone, it has much broader applicability; any smartphone could use the HCE approach by loading payment credentials on the device and using it in place of a physical card.
To communicate with a contactless payment terminal, HCE-based applications use the near-field communication (NFC) controller already built into mobile devices.
However, since the application cannot rely on secure hardware embedded in the phone for protection of the payment credentials, alternative approaches for protecting sensitive data and transaction security have to be used.
These approaches include tokenizing payment credential numbers as well as actively managing and rotating keys used for transaction authorization. This enables issuers to manage the risk introduced by having a less secure mobile device environment for payment credential data.
Tokenization and key management use HSMs in the issuer environment to not only create the rotating keys but also to send them securely to the mobile device. In addition, the HSMs are also a critical part of the tokenization and transaction authorization process.
The HCE infrastructure does not actually introduce any new security processes or procedures for retailers and processors. It just enables issuers to combine their existing strong security practices — comprising key generation/distribution, data encryption and message authentication — into a cohesive offering to enable payments with mobile devices.
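The HCE arrangement described above, as an added example that is not code from the article or from any wallet or issuer platform: a Go model in which the issuer tokenizes the PAN, provisions short-lived limited-use keys to the phone, and verifies a per-transaction cryptogram while enforcing key identity, expiry, use count and counter monotonicity. The limited-use-key structure, the HMAC-SHA256 cryptogram, and the provisioning channel (modelled as handing back a copy rather than an encrypted transport) are assumptions for illustration; the PAN, amounts and merchant names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// LimitedUseKey is what the issuer HSM provisions to the phone: short-lived and good
// for a few transactions, so a lifted key is worth little and card keys never leave the issuer.
type LimitedUseKey struct{ ID uint32; Key []byte; Expires time.Time; UsesLeft int }

type TokenRecord struct{ PAN string; LastATC uint32; Current *LimitedUseKey } // issuer vault entry; LastATC = highest counter accepted

type Issuer struct{ vault map[string]*TokenRecord; nextID uint32 } // the functions that sit behind the issuer's HSMs

func NewIssuer() *Issuer { return &Issuer{vault: map[string]*TokenRecord{}} }

// Tokenize enrols a PAN and returns the random token the wallet stores instead.
func (is *Issuer) Tokenize(pan string) string {
	raw := make([]byte, 8)
	rand.Read(raw)
	token := fmt.Sprintf("%x", raw)
	is.vault[token] = &TokenRecord{PAN: pan}
	return token
}

// Provision rotates the token to a fresh limited-use key. Assumption: the real channel
// to the device encrypts the key in transit; this model simply hands back a copy.
func (is *Issuer) Provision(token string, now time.Time, uses int, ttl time.Duration) (*LimitedUseKey, error) {
	rec, key := is.vault[token], make([]byte, 32)
	if rec == nil {
		return nil, errors.New("unknown token")
	}
	rand.Read(key)
	is.nextID++
	rec.Current = &LimitedUseKey{ID: is.nextID, Key: key, Expires: now.Add(ttl), UsesLeft: uses}
	dev := *rec.Current
	return &dev, nil
}

// Cryptogram is an HMAC over the exact transaction under the limited-use key, so a
// captured value cannot be replayed or re-used for another amount or merchant.
func Cryptogram(key []byte, token string, atc uint32, cents uint64, merchant string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint32([]byte(token), atc), cents))
	m.Write([]byte(merchant))
	return m.Sum(nil)[:16]
}

type TxnMsg struct{ Token string; KeyID, ATC uint32; Cents uint64; Merchant string; Cryptogram []byte } // crosses NFC, then on to the issuer

type Phone struct{ Token string; LUK *LimitedUseKey; ATC uint32 } // the HCE wallet: token and current key, never the PAN

// Pay builds the transaction message, consuming one use of the limited-use key.
func (p *Phone) Pay(cents uint64, merchant string) (TxnMsg, error) {
	if p.LUK == nil || p.LUK.UsesLeft == 0 {
		return TxnMsg{}, errors.New("limited-use key exhausted: request a new one")
	}
	p.ATC++
	p.LUK.UsesLeft--
	return TxnMsg{p.Token, p.LUK.ID, p.ATC, cents, merchant, Cryptogram(p.LUK.Key, p.Token, p.ATC, cents, merchant)}, nil
}

// Authorize enforces the same limits where the vault lives: key identity, expiry,
// use count, counter monotonicity and the cryptogram itself.
func (is *Issuer) Authorize(m TxnMsg, now time.Time) (string, error) {
	rec := is.vault[m.Token]
	if rec == nil || rec.Current == nil || rec.Current.ID != m.KeyID {
		return "", errors.New("unknown token or stale key id")
	}
	k := rec.Current
	switch {
	case now.After(k.Expires):
		return "", errors.New("limited-use key expired")
	case k.UsesLeft == 0:
		return "", errors.New("limited-use key over its use limit")
	case m.ATC <= rec.LastATC:
		return "", errors.New("replayed transaction counter")
	case !hmac.Equal(m.Cryptogram, Cryptogram(k.Key, m.Token, m.ATC, m.Cents, m.Merchant)):
		return "", errors.New("cryptogram mismatch")
	}
	k.UsesLeft--
	rec.LastATC = m.ATC
	return "approved ****" + rec.PAN[len(rec.PAN)-4:], nil // de-tokenized only here
}

func main() {
	now, is := time.Date(2015, 6, 1, 12, 0, 0, 0, time.UTC), NewIssuer()
	tok := is.Tokenize("4111111111111111") // constructed test PAN
	luk, _ := is.Provision(tok, now, 2, time.Hour)
	msg, _ := (&Phone{Token: tok, LUK: luk}).Pay(1250, "CRAFT FAIR")
	fmt.Println(is.Authorize(msg, now))
}
```

Two things are worth noticing: the phone never sees the PAN, only the token, so data extracted from the handset cannot be used at a magnetic stripe or e-commerce checkout; and the limits the phone observes (use count, key identity) are re-checked by the issuer, so a modified wallet app that ignores them gains nothing.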
A Holistic Fraud Prevention Approach
Fraud is far too lucrative for cyber criminals to walk away from.
On the contrary, the promise of huge financial reward spurs fraudsters to create increasingly sophisticated attack vectors, including attacks on payment devices themselves.
But the reality is that retailers and their acquirers can reduce their risk and fear if the sensitive cardholder data in their possession is worthless to hackers. This is why P2PE is so critical in the fight to reduce the potential of fraud.
PCI has created requirements to help merchants safeguard sensitive payment card data, but the requirements have to be followed in order to be effective. Whether retailers are accepting payments from a terminal, dongle or mobile wallet, best practices include using P2PE and relying on HSMs in the processing environment.
HSMs will help manage risk in payment acceptance and HCE payment credentials by protecting keys and enabling a secure and compliant trust environment. This creates a complete payment data safety strategy that will stand merchants in good stead going forward.