It is October 7th and EMV is now in “full swing” – if you want to call it that. Reports are showing that only 40% of U.S. consumers have the new chip-enabled cards and that about 25% of U.S. merchants are EMV compliant. And over the weekend – in our shopping experience – even at the big chains and stores with shiny, new EMV terminals, the request was not to “dip” our chip-outfitted credit card but rather to “swipe.”
So what was all this fanfare of the last two years for exactly? Well, the big data breaches at Target and Home Depot caused a media and consumer frenzy. EMV, an initiative that was already underway in the U.S., became the immediate answer to all breach woes in the aftermath of these hacks. Payment processors, ISOs and vendors began whispering in merchants’ ears: if you don’t have EMV come October 2015, you will be liable for ALL PAYMENT FRAUD.
This, of course, is not true. EMV only protects a merchant from fraud if a counterfeit card (i.e., duplicated or “white-labeled”) is used at their point of sale. It does nothing to stop online or call center purchases made fraudulently – and when you boil it down, EMV is not a security technology at all but an “authentication” technology. EMV proves, by way of the chip, that the card being used is not fraudulent and by way of the signature, that the consumer using the card is the rightful owner.
What EMV does not do is secure credit card data. And now, with the deadline passed, the conversation is shifting toward protecting the card data itself, or, as the PCI SSC extensively discussed during their North America Community Meeting last week, “Devaluing the Data.”
Bluefin is a Participating Organization (PO) of PCI and our Chief Innovation Officer, Ruston Miles, spoke at last week’s meeting on the PCI Point-to-Point Encryption (P2PE) 2.0 standard. All around, people were buzzing about the next step in securing payments – P2PE and tokenization. Because while EMV authenticates a card and consumer, P2PE and tokenization actually protect the data. Simply put:
- P2PE protects data in motion. Card data is encrypted immediately upon entry in the point of sale terminal, whether the card is swiped or dipped. It then travels through the POS in encrypted form so that it is never available in the merchant system as “clear-text” card data. This means that if someone breaches a system, they get nothing – hence the term “devalue the data.”
- Tokenization protects stored card data. There are many reasons a merchant may need to store a credit card – great examples are keeping the card number on file for recurring or subscription billing or to keep the card as a payment option for a consumer when they come back to purchase with the same merchant. In every case, a merchant should always tokenize this card data in their system so that it is never “in the clear.” Tokenization replaces the card number with a string of meaningless letters and numbers – hence the term “devalue the data.”
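To make the two "devalue the data" ideas above concrete, here is a small added example (written for this post, not Bluefin's, PCI's or any vendor's code) of the tokenization side: a hypothetical token vault that hands the merchant a random token in place of the card number, so the merchant's own database never holds the PAN in the clear. The vault, the merchant database and the card number used are all constructed for illustration.

```python
"""Added example: a minimal tokenization vault showing why a breached
merchant database yields nothing usable when only tokens are stored.

Assumptions (not from the original post): the vault is a separate,
hypothetical service the merchant's POS and web systems cannot read from
directly; the test PAN below is a constructed Luhn-valid number, not a
real account.
"""
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string, rejecting obviously mistyped PANs."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Holds the only copy of the PAN <-> token mapping (hypothetical service)."""
    _by_token: dict = field(default_factory=dict)
    _by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Same PAN -> same token, so a returning customer's card on file
        # can still be matched without the merchant ever seeing the PAN.
        if pan in self._by_pan:
            return self._by_pan[pan]
        # A random token carries no information about the PAN. A hash of
        # the PAN would not do: card numbers have too little entropy and an
        # attacker holding the hash could simply enumerate candidate PANs.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at the processor) can turn a token back into a PAN."""
        return self._by_token[token]


@dataclass
class MerchantDB:
    """What the merchant stores: the token and the last four digits for display."""
    cards_on_file: dict = field(default_factory=dict)

    def save_card(self, customer: str, vault: TokenVault, pan: str) -> str:
        token = vault.tokenize(pan)
        self.cards_on_file[customer] = {"token": token, "last4": pan[-4:]}
        return token


def breach_yields_pan(db: MerchantDB, pan: str) -> bool:
    """Simulate someone dumping the merchant DB: is the full PAN in it?"""
    return any(pan in str(record) for record in db.cards_on_file.values())


# Constructed, Luhn-valid test PAN (not a real account).
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    vault, db = TokenVault(), MerchantDB()
    token = db.save_card("alice", vault, TEST_PAN)
    print(db.cards_on_file["alice"])          # token and last4 only
    print(breach_yields_pan(db, TEST_PAN))    # False: nothing to steal here
    print(vault.detokenize(token) == TEST_PAN)  # True, but only via the vault
```

The point the code makes is the one in the list item: what the merchant keeps for recurring billing or a returning customer is a token that is meaningless outside the vault, so a dump of the merchant's records contains no card numbers. The same separation of duties applies to P2PE for data in motion, where the terminal encrypts at the point of entry under a key the merchant's POS does not hold and only the decryption environment at the other end can read the PAN.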
PCI issued a great infographic on “Devaluing the Data” during the annual meeting which explains the roles of EMV, P2PE and tokenization. And noted blogger and writer, and former Washington Post staffer, Brian Krebs, who provided the keynote on Thursday morning, reminded everyone that there is a perception versus reality gap between how secure we “think” we are, and how secure we really are. Organizational issues include lack of P2PE, segmentation, testing, and incident response planning – in other words, nothing that EMV could ever fix.
And Krebs asserts that the influx of data breaches is not simply opportunism before EMV arrives, but signals a larger issue with the growing hacker sophistication, targeting, and coordination. At Sunday’s Gartner Symposium ITxpo 2015, he explained that hacking has become an organized business, replete with loyalty programs for regular buyers of stolen credit card data.
Today’s PaymentSource includes an op-ed by Beatta McInerny of ScanSource, “Point to Point Encryption, Tokens Pick Up Where EMV Leaves Off.”
“Though the EMV transition is a significant step in the effort towards making payments more secure, this EMV liability shift won’t solve mass data breaches on merchants. This is because credit card data is stored, processed and communicated over a merchant’s network and then sent to the processor in clear text. Because of this, criminals are constantly trying to get into merchants’ networks in order to obtain credit card data, as well as other information.”
Bluefin has been a staunch advocate of devaluing the data and holistic payment security (which includes EMV, P2PE and tokenization) since we introduced the first PCI-validated P2PE solution last March. It’s refreshing to finally see industry turning the conversation toward the real ways that we can protect card data. Now that EMV has passed, let’s focus on making our data useless to hackers.
Join us on October 20th at 1 pm EDT for our webinar with Digital Transactions on P2PE 2.0 and what it means to merchants and processors. Register here.