On April 12th, PYMNTS.com’s Karen Webster sat down with Bluefin Payment Systems’ Chief of Innovation, Ruston Miles, to discuss PCI-validated Point-to-Point Encryption (P2PE), the progress that has been made within the last three years since its North American introduction by Bluefin Payment Systems, and a reality check on what still needs to be done.
The following discussion recaps the highlights of the PYMNTS/Bluefin conversation on P2PE.
State of Data Breaches – Has it Improved?
With a quick flashback to the last three years and the watershed of data breaches that have hit large retailers, the harsh truth is that breaches have not slowed down. In fact, they have continued to rise at an alarming rate year after year, from 600 reported breaches in 2013, to 780 in 2015, and an all-time high record of 1,093 in 2016.
Target closed the calendar year 2013 with the distinction of having “the biggest breach in consumer card data ever,” a title that it happily gave up to others as 2014 turned out to be the Year of the Breach as Michael’s, Sally Beauty, Neiman Marcus, PF Chang’s, Jimmy John’s, Goodwill, Home Depot, Dairy Queen, Staples and K-Mart all got hacked, not to mention about 11 casinos and hundreds of other retailers we don’t have time to list. They all saw their systems compromised and their customers’ card data get sucked into the dark web for cybercriminals to play with.
Miles is quick to recognize that cybercrime has been growing exponentially in scale and scope, stating that the fraud attacks are becoming more complex and technologically advanced as hackers become more savvy and automated.
“Breaches are moving up and to the right — it’s getting much worse, particularly in certain sectors,” said Miles. “These attacks weren’t those of the good old days of DSW or TJMaxx where the bad guys were getting in and liberating some big database of cards. That is a lot of work. Instead, they are setting up on the cracks out on the margins — and figuring out how to actually automate these attacks so they can go to bed and wake up to a nice breakfast of card numbers from some retailer in the United States.”
P2PE – Progress Made
What we have seen in the last three years is an uptick in breaches, where hackers are getting better at exploiting vulnerabilities, while merchants have not quite caught up with the solutions that exist today.
“We all know that cybercriminals are an inventive group, which is why malware is getting more specific, targeted and automated. Hackers now use specialized software to spear-phish their way into access to a company’s payment system — and then use all manner of scraping and key-logging software to capture as much payments information as they can.”
A recent Verizon Data Breach report shows that 90% of POS data breaches are due to malware. As hackers automate attacks on vulnerable network systems, they stay one step ahead of merchants because the data within the merchant’s network isn’t encrypted.
Miles was quick to say that it isn’t as if merchants don’t care, as many have embraced EMV and tokenization and are well aware of the critical nature of the problem. The shortfall is not knowing how to think about the solution.
“A lot of folks switched to EMV and thought, ‘Oh, finally this plugs that hole in the ship.’ The problem is that EMV technology was never built to encrypt the data — it was built to make it impossible to copy or clone a card. Hackers are getting ahead because all this data is floating around unencrypted.”
The good news, Miles states, is that as hackers have grown smarter and more adaptable, so too have the solutions used to fight them – and encryption of payment data is the next logical progression.
“Locking up data has the disadvantage of having to be ever vigilant about the lock 24 hours a day, seven days a week, 365 days a year. Any small error — even on the part of a third-party vendor — where the hackers get in and get at the data makes the investment up until then wasted. Encryption doesn’t just lock the data — it devalues it, so even if the criminals get it, what they have is completely useless.”
Encryption has existed on websites for 10 years or so, but outside of the internet it is sort of the “wild west,” where manufacturers, software designers and POS providers have adopted different encryption solutions, thinking they are good enough. But as Miles explains, while all encryption is good, not all encryption is PCI-certified P2PE – and that level of certification makes a difference.
“Bluefin and the 28 plus other PCI-certified P2PE providers are offering encryption that is broadly speaking more useful — because it is routinely updated, regularly evaluated and held to an ever-advancing standard. Those thousands of [PCI] requirements contain a lot of things that are terribly important, like hardware-level encryption to prevent RAM scraping or devices that are self-aware and know when they’ve been unplugged and tampered with. A PCI P2PE solution is different and much stricter than just any encryption.”
What Can Retailers Do?
Merchants and enterprises alike have often taken the “defend the data” approach to security, building resources and higher firewalls to keep intruders out. But the entire point of P2PE is to devalue the data – at the point of interaction – preventing clear-text cardholder data from being present in a merchant or enterprise’s system or network and rendering the data meaningless to hackers. Devaluing the data is the direction that the payments industry is moving, but Miles emphasizes that there are additional technologies that work with P2PE to provide a holistic approach to payment security.
“A good rule of thumb for businesses is if you don’t need to touch the card, don’t do it. Avoid the hot potato. EMV, P2PE and tokenization are the instantiation of that.” Miles added, “P2PE solutions encrypt the data at any point of interaction, and tokenization does at any point of storage, which makes it absolutely essential to use in conjunction with other technology.”
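The distinction Miles draws above, encryption at the point of interaction and tokenization at the point of storage, is easier to see in a small simulation. The following Go program is an example added to this recap; it is not Bluefin’s code and nothing in the interview describes an implementation. It assumes a static AES-256-GCM key as a stand-in for the per-transaction DUKPT keys that a validated SRED terminal would use, an in-memory map as a stand-in for a provider-side token vault, and a constructed test PAN. The `containsClearPAN` function is the kind of Luhn-based memory scan a defender runs to confirm that no clear-text PAN sits in the POS process; run against the same transaction buffer with and without P2PE, it shows why encrypted data is worthless to RAM-scraping malware and why the merchant never needs the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Constructed sample PAN for the demo (a well-known test number, not a real card).
const samplePAN = "4111111111111111"

// luhnValid reports whether a digit string passes the Luhn check used on card numbers.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// containsClearPAN scans a memory buffer the way a DLP or forensic check would:
// any 13-19 digit run that passes Luhn counts as clear-text cardholder data.
func containsClearPAN(buf []byte) bool {
	for _, m := range panPattern.FindAll(buf, -1) {
		if luhnValid(string(m)) {
			return true
		}
	}
	return false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtPOI models the P2PE point of interaction: the PAN is encrypted inside the
// terminal before it reaches merchant software. A static key is an assumption here;
// a validated solution derives per-transaction keys in SRED hardware. Output: nonce||ct||tag.
func encryptAtPOI(pan string, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptAtProvider models the provider's decryption environment, the only place that
// holds the key. The merchant never runs this.
func decryptAtProvider(blob, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

// merchantPOSBuffer is what the POS process holds in RAM for one transaction:
// whatever the terminal handed it (clear PAN without P2PE, ciphertext with it).
func merchantPOSBuffer(cardField []byte, amountCents int) []byte {
	return append([]byte(fmt.Sprintf("txn amount=%d card=", amountCents)), cardField...)
}

// TokenVault models tokenization at the point of storage: the merchant keeps only a
// token; the mapping back to the PAN lives at the provider (in-memory map is an assumption).
type TokenVault struct{ m map[string]string }

func NewTokenVault() *TokenVault { return &TokenVault{m: map[string]string{}} }

// Tokenize returns a random token that preserves only the last four digits for receipts.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) < 4 || !luhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	raw := make([]byte, 12)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	for i := range raw {
		raw[i] = 'A' + raw[i]%26 // letters only, so a token can never scan as a PAN
	}
	tok := "tok_" + string(raw) + "_" + pan[len(pan)-4:]
	v.m[tok] = pan
	return tok, nil
}

// Detokenize is the provider-side lookup; the merchant has no equivalent.
func (v *TokenVault) Detokenize(tok string) (string, bool) {
	pan, ok := v.m[tok]
	return pan, ok
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := encryptAtPOI(samplePAN, key)
	fmt.Println("clear PAN in POS memory without P2PE:", containsClearPAN(merchantPOSBuffer([]byte(samplePAN), 1999)))
	fmt.Println("clear PAN in POS memory with P2PE:   ", containsClearPAN(merchantPOSBuffer(blob, 1999)))
	v := NewTokenVault()
	tok, _ := v.Tokenize(samplePAN)
	fmt.Println("stored token:", tok)
}
```

The two scans are the whole argument: the same scraper logic finds a Luhn-valid PAN in the unprotected buffer and nothing in the P2PE buffer, and the token stored afterwards carries only the last four digits. Note that the scanner is also a useful control on its own, run over a POS memory dump or log export during a PCI scope review.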
Apart from being more secure — which is the primary focus — the PCI P2PE solutions are just a better investment on the whole for merchants, because over time they drastically reduce the cost of compliance for merchants.
“With P2PE, 90 percent of all the things that merchants are doing to secure themselves under PCI requirements go away as scope is reduced. It makes life easier,” Miles said.
PCI-validated P2PE eliminates 335 PCI requirements – including scanning, logging, firewall management, etc. – which all have costs associated with them, saving the merchant time and money while also mitigating the risk of a breach.
“The ROI on that is huge. All the fees, consulting, internal work, software, hardware and everything that goes into maintenance and grooming, go away with a PCI P2PE program in place in a large organization — or even a small one,” he said.
Are We in a Better Place Today?
The harsh reality is that hackers are going nowhere – in fact, by the numbers, they are proliferating. Miles acknowledges that the challenges will always be shifting and moving and that there is never going to be one silver bullet that puts down the hackers of the world.
Hackers will continue to be a problem, but that doesn’t mean the battle is lost, because the advances in P2PE and data security also demonstrate that it is possible to make their jobs much harder, not necessarily by making useful data harder to come by — which would also be ideal — but by making it impossible to use even if the bad guys find it.
“Today, there are better opportunities for merchants to engage with P2PE solutions through providers like Bluefin, to fight the fight against malware. We need to get better at frustrating hackers, and now more than ever, an environment that offers choices for PCI P2PE allows for that opportunity.”