The Green Sheet Online Edition
April 28, 2014 • Issue 14:04:02
A data security solution primer
After working with a client regarding a point-to-point encryption (P2PE) project, it occurred to me that many, including myself previously, do not have a clear, layman's understanding of the various types of payment security methodologies. It seems that most material written on the topic is either dense with technology references or, to be honest, completely dry, rendering it either impossible to follow or great reading if you can't sleep.
So I thought I'd take a stab at sharing my newfound understanding, at a very high level, of some of the ways that cardholder data can be made more secure.
Tokenization is the process of substituting a randomly generated proxy number, or token, for the credit or debit account number (the PAN) when a card is used for payment. The token is generally the same length and format as the real card number, and usually keeps the last four digits for receipts and customer service, so some say it "appears" to be a legitimate account number. But let's get real: the remaining digits are random, and a token need not even begin with a valid issuer prefix; everyone knows that a Visa card starts with a "4."
Whether you get one token per transaction or one token per card depends on the scheme: single-use tokens are issued fresh for every sale, while multi-use tokens let a merchant bill a recurring or card-on-file customer without ever holding the card number. Either way, the real card number never enters the merchant's software, so what sits in the merchant's database is a token that is worthless outside the token vault that issued it, making it "more difficult" for hackers to profit from breaching merchant databases. (Note the quotes around "more difficult"; the vault itself, and the interface that swaps tokens back for card numbers, become the targets instead, so clearly no one is willing to go out on a limb here.)
Tokenization applies in the physical brick-and-mortar world as well as in e-commerce payment transactions.
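To make the tokenization description concrete, here is a small token vault written for this article as an added example; it is not code from any processor or vendor mentioned on the page. It assumes a 16-digit test PAN (4111111111111111, a well-known test number, not a real account) and keeps its mappings in memory, where a real vault would hold the card numbers encrypted under HSM-held keys behind strict access control. It shows both token styles described above (a stable multi-use token for recurring billing and fresh single-use tokens per sale), keeps the last four digits, and, as a design choice, makes every token fail the Luhn check so it can never be mistaken for a live account number.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Vault stands in for the token vault a processor or gateway operates. Assumption for
// this example: a real vault keeps the PANs encrypted under HSM-held keys and behind
// strict access control; here the maps live in memory so the code runs stand-alone.
type Vault struct {
	byToken map[string]string // token -> PAN: the only way back to the card number
	byPAN   map[string]string // PAN -> its multi-use token, if one has been issued
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// luhnValid reports whether a digit string passes the Luhn check real PANs satisfy.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return s != "" && sum%10 == 0
}

// randomToken builds a token the same length as the PAN, keeping the last four digits
// (receipts, customer service) and drawing the rest from a CSPRNG. Design choice here:
// the token is forced to FAIL the Luhn check so it can never be mistaken for a live
// account number; some vendors choose the opposite so legacy validation code accepts it.
func randomToken(pan string) string {
	buf := []byte(pan)
	for i := 0; i < len(buf)-4; i++ {
		r, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			panic(err)
		}
		buf[i] = byte('0' + r.Int64())
	}
	if luhnValid(string(buf)) {
		buf[0] = '0' + byte((int(buf[0]-'0')+1)%10) // shifting one digit by 1 always breaks Luhn
	}
	return string(buf)
}

// Tokenize swaps a PAN for a token. multiUse=true returns the same token for the same
// card every time (card-on-file, recurring billing); multiUse=false issues a fresh
// single-use token per call, which is what a one-off retail sale gets.
func (v *Vault) Tokenize(pan string, multiUse bool) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", fmt.Errorf("refusing to tokenize: not a well-formed PAN")
	}
	if t, ok := v.byPAN[pan]; ok && multiUse {
		return t, nil
	}
	t := randomToken(pan)
	for v.byToken[t] != "" {
		t = randomToken(pan) // astronomically rare, but never hand out a duplicate
	}
	v.byToken[t] = pan
	if multiUse {
		v.byPAN[pan] = t
	}
	return t, nil
}

// Detokenize is the only path from token back to PAN, and it exists only inside the
// vault: a breached merchant database full of tokens yields nothing chargeable.
func (v *Vault) Detokenize(token string) (string, bool) {
	pan, ok := v.byToken[token]
	return pan, ok
}

func main() {
	v := NewVault()
	pan := "4111111111111111" // constructed test number, not a real account
	m1, _ := v.Tokenize(pan, true)
	m2, _ := v.Tokenize(pan, true)
	s1, _ := v.Tokenize(pan, false)
	s2, _ := v.Tokenize(pan, false)
	back, _ := v.Detokenize(m1)
	fmt.Printf("multi-use token %s stable across calls: %v\n", m1, m1 == m2)
	fmt.Printf("single-use tokens %s / %s differ: %v\n", s1, s2, s1 != s2)
	fmt.Printf("token passes Luhn: %v; vault recovers PAN: %v\n", luhnValid(m1), back == pan)
}
```

The point to take from running it: the merchant's side of the exchange only ever touches the value returned by Tokenize, and nothing the merchant stores can be turned back into a card number without Detokenize, which lives inside the vault. That is exactly why the vault and its detokenization interface, not the merchant database, become the thing an attacker goes after.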
Encryption is not just a fancy way to say "tokenization." It occurs when an algorithm and a secret key are used to turn a valid card number presented at the POS into ciphertext: a string of unrecognizable data (numbers, symbols, letters, you name it) that, depending on the method, is somewhat longer than the original data or, with format-preserving encryption, exactly the same length. Unlike a token, the ciphertext can be turned back into the card number by anyone holding the right key, which is the whole point and the whole problem.
Encryption relies on secret "keys" that must be safeguarded in order to keep the data confidential. An exposed key means every record encrypted under it is as good as clear text, so expose your key, risk data breach; lose your key, and the data is gone for good. Weak or outdated algorithms and short keys can indeed be broken given a big enough sample of encrypted data and enough time on your hands, but with a modern cipher such as AES the practical risk is not the math. It is the key handling: keys stored next to the data they protect, keys shared across too many devices, and card data exposed before it is encrypted or after it is decrypted.
P2PE sounds self-explanatory, but it really is not. There are a variety of methodologies and technologies marketed as P2PE, some software- and some hardware-based, though only the hardware-based kind, where the card data is encrypted inside a PCI PTS-approved reader with SRED (Secure Reading and Exchange of Data, a PCI device requirement rather than anything stealthy), can be validated and listed under the PCI Security Standards Council's P2PE standard. Basically, it is the process of encrypting cardholder data at the moment it is read and keeping it encrypted until it reaches a secure point outside the merchant's environment, such as the processor.
As its name suggests, the card data can only be accessed with decryption keys held securely, in hardware security modules, by the P2PE solution provider's decryption environment, which might be run by the acquirer, the processor or a gateway. Nothing in between, including the merchant's own POS software and network, holds a key. The purpose of P2PE is to prevent cardholder data from being intercepted by fraudsters while "in motion" through the merchant's environment; because the merchant only ever handles ciphertext, a validated P2PE solution also takes much of that environment out of PCI DSS scope, which is the business reason merchants buy it.
End-to-end encryption (E2EE) serves a similar purpose and sounds an awful lot like P2PE; as one might expect, the two terms are often used interchangeably. But, alas, they are different. E2EE is the generic term, and the ideal state of cardholder data: encrypted from the POS to the back end with no decryption in between. P2PE is the PCI Council's formal, validated version of that idea, with prescribed requirements for the devices, the key management and the decryption environment. An E2EE product that is not on the PCI list may be perfectly good encryption, but it does not earn the merchant the same scope reduction.
Once encrypted at the first point of contact with a payment device, an E2EE-encrypted transaction can only be decrypted, or read, by the intended recipient. This prevents software systems and intermediaries along the payment processing chain from accessing usable data and, thus, also protects against its interception by those wishing to use it for unauthorized purposes. Note what neither P2PE nor E2EE does: once the intended recipient decrypts the data, it is clear text again, and anything the merchant needs to keep afterward, such as a card on file, must be protected some other way, which is where tokenization comes back in.
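The encryption, P2PE and E2EE passages above all describe the same exchange: a terminal encrypts the card number under a key the merchant does not have, the merchant's systems forward ciphertext they cannot read, and the solution provider's decryption environment opens it. The following is an added example written for this article, not code from any vendor or standard on the page; it uses AES-256-GCM from Go's standard library and a per-terminal symmetric key generated on the spot (in practice the key would be injected into the reader and held in an HSM at the processor, and real solutions use a per-transaction key-derivation scheme). The envelope layout, terminal ID "T-0001", and the test PAN are constructed for the example. Beyond the page's description, it also shows what GCM's authentication tag buys you: a wrong key, a flipped byte, or an envelope re-labelled with another transaction ID all fail outright instead of producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is everything that leaves the terminal, and so everything a merchant's POS
// software and network ever see. Only Ciphertext carries the PAN, and only the key
// holder can open it. (The field layout is an assumption for this example, not a standard.)
type Envelope struct {
	TerminalID string
	TxnID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by a 16-byte authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the card reader (the SRED boundary). It encrypts the PAN
// under the terminal's injected key and binds the terminal and transaction IDs to the
// ciphertext as authenticated data, so the envelope cannot be replayed under other IDs.
func TerminalEncrypt(key []byte, terminalID, txnID, pan string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per transaction: never reuse one under a key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(terminalID + "|" + txnID)
	return Envelope{
		TerminalID: terminalID,
		TxnID:      txnID,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, []byte(pan), aad),
	}, nil
}

// MerchantView is all the merchant's systems can legitimately store or log: the
// envelope with its ciphertext rendered as hex. No key, no PAN.
func MerchantView(env Envelope) string {
	return fmt.Sprintf("terminal=%s txn=%s data=%s", env.TerminalID, env.TxnID, hex.EncodeToString(env.Ciphertext))
}

// ProcessorDecrypt runs in the solution provider's decryption environment, where the
// terminal keys live (in practice inside an HSM). An unknown terminal, a wrong key, a
// single altered byte, or mismatched IDs all fail authentication and yield no plaintext.
func ProcessorDecrypt(terminalKeys map[string][]byte, env Envelope) (string, error) {
	key, ok := terminalKeys[env.TerminalID]
	if !ok {
		return "", errors.New("unknown terminal")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	aad := []byte(env.TerminalID + "|" + env.TxnID)
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return "", fmt.Errorf("decryption failed: %w", err)
	}
	return string(pt), nil
}

// randomKey stands in for key injection at the terminal manufacturer or key-loading facility.
func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	keys := map[string][]byte{"T-0001": randomKey()} // constructed: processor's table of terminal keys
	env, err := TerminalEncrypt(keys["T-0001"], "T-0001", "20140428-000123", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:   ", MerchantView(env))
	pan, err := ProcessorDecrypt(keys, env)
	fmt.Println("processor reads: ", pan, err)
	_, err = ProcessorDecrypt(map[string][]byte{"T-0001": randomKey()}, env)
	fmt.Println("wrong key:       ", err)
	env.TxnID = "20140428-000124" // same ciphertext relabelled with another transaction
	_, err = ProcessorDecrypt(keys, env)
	fmt.Println("relabelled:      ", err)
}
```

Two design points worth noticing. The authenticated data binds the ciphertext to a particular terminal and transaction without encrypting those fields, so the merchant can still route and reconcile on them; and because GCM refuses to return plaintext when authentication fails, the "merchant tries to decrypt anyway" case and the "attacker tampers in transit" case both end in an error rather than in subtly corrupted card data flowing into an authorization.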
EMV (Europay/MasterCard/Visa) is the global standard, in most markets outside the United States, for processing card-present payment transactions. EMV cards are equipped with a chip that produces a unique cryptogram for every transaction and are verified with a PIN or a signature, making them more secure than regular mag stripe cards when used at the POS. Or so they say.
While EMV does address counterfeit card fraud (a cloned card cannot produce a valid cryptogram, so skimmed data is of no use for a chip transaction) and, with a PIN, lost or stolen card fraud, it does not address the vulnerability of clear-text (that is, unencrypted) cardholder data in motion, or the potential for its fraudulent interception. The chip authenticates the card; it does not encrypt the account number, which still travels through the merchant's environment in the clear unless something like P2PE is layered on top. Nor does it do anything for card-not-present fraud, where no chip is involved.
Data breach insurance
Data breach insurance, as I've come to realize, is about as protective as a Kleenex against a hurricane. While helpful in providing merchants a sense of security, data breach insurance, on its own, generally provides only up to $50,000 in "coverage" for most merchants who are enrolled in such programs, and zero coverage if a breach occurs and the merchant is determined to have been negligent, that is, out of compliance with PCI DSS at the time.
Seriously, data security is no laughing matter. Fortunately for all stakeholders in the payments sphere, companies are now deploying solutions validated and listed by the PCI Security Standards Council (P2PE solutions and PTS-approved devices among them) that, combined with tokenization and other security measures, can sharply reduce fraud and the exposure of cardholder data.
While no one solution provides a silver bullet in the form of absolute security, employing a combination of methodologies (encrypt the data while it is in motion, tokenize whatever must be kept, and add EMV to stop counterfeit cards at the POS), as well as some basic best practices when it comes to the use, transfer and storing of cardholder data, will go far in rendering the likes of Target's mounting data breach costs a distant memory.
Cynthia Bailey is the Chief Executive Officer and co-founder of The Idea People, a full-service management consultancy. She has over 22 years' experience in payments industry leadership roles, most recently as Vice President of the Payments practice at management consultancy Brand Velocity Inc. Previously, she served as Chief Marketing Officer for Calpian Inc. and Editor-in-Chief of Transaction World Magazine. Cynthia has fostered innovation in strategic development, product management, investor and public relations, corporate development, marketing, and global team management. In addition, she sits on the Mobile Payments Committee of The Electronic Transactions Association. She can be contacted at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.