We are coming up on the 3-year anniversary of the October 2015 deadline for the EMV liability shift. Perhaps just a distant memory for some – PaymentsSource recently published statistics showing that nearly 70% of U.S. stores can now support chip-enabled cards – the research has also found that not all of the smaller financial institutions have fully converted to EMV and millions of merchant locations are still not accepting chip cards.
EMV has accomplished what it set out to do – cut down on counterfeit card fraud. A new study released by Visa shows that counterfeit credit card fraud dropped by as much as 75% from December 2015 to March 2018. This is great news for merchants, retailers and others that were unknowingly accepting fake credit and debit cards that had been produced with stolen card numbers. The EMV chip, embedded on our new cards, is more secure than the previous magstripe, which was easily duplicated, and is designed to authenticate that the card, is in fact, real.
However, one area where merchants, retailers, restaurants and other organizations are still grappling is the data breaches where fraudsters find their way into a POS and install malware, which siphons off unencrypted credit card data to their servers all over the world. That unencrypted data is, in turn, sold on the dark web for sometimes hundreds of dollars per record. Because – while fraudsters can no longer use counterfeit cards at *most* establishments in the U.S. – they can still use stolen card data to purchase goods online.
Which is why POS systems and networks – any workstation, application or database that is handling credit card data – are still under constant attack. Fraudsters want to purchase goods using your card and my card. It’s the modern-day version of a bank robbery – why physically rob a bank when you can just install malware in a system that is processing millions of cards a day and watch those card numbers roll into your overseas server?
The question that always comes up when these data breaches are reported is whether the affected company was encrypting the credit card data upon entry – i.e., upon swipe or dip into the payment terminal. If the data was being encrypted, it should not leave the terminal as clear-text, thus not arriving into the POS as clear-text.
But we all know how smart hackers are, and how sophisticated malware has become. RAM scraper malware, which has been around since 2013, can easily find card data if it is present in a POS RAM.
One of the common methods used by attackers to steal payment card data from PoS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system’s memory for credit card data when it’s processed by the payment application on the POS system.
Since the EMV shift, discussion has focused more on payment encryption technologies that would ensure no clear-text card data reaches the merchant or retail system. PCI-validated Point-to-Point Encryption (P2PE) is designed to encrypt data in motion and work in conjunction with EMV for card authentication and tokenization for card data storage.
A holistic approach to payment security is required and today, we take a look at how these three technologies work.
The Role of EMV – Securing Against Counterfeit Cards
The EMV chip embedded within the new chip cards is capable of using advanced cryptography to generate a unique code (iCVV) that is then sent to the card networks with each transaction to confirm that the physical card is legitimate. This process has been demonstrated to be effective at preventing fraudsters from creating counterfeit cards.
However, the EMV chip does not provide any encryption for the credit card primary account number (PAN), expiration date, or cardholder name: three sensitive data elements classified as cardholder data and required to be protected according to PCI DSS.
In summary, EMV is primarily effective for reducing card-present fraud by securing against counterfeit cards.
The Role of P2PE – Securing Card Data in Flight
The role of P2PE is to immediately and fully encrypt all cardholder data within the payment terminal. By using strong encryption, device management practices, and key management, P2PE is effective at addressing the risk of card data compromise for card data in transit out of the merchant network as it is transmitted to the gateway or acquirer for decryption and processing.
There are two types of terminal encryption – PCI-listed P2PE solutions and unlisted solutions (sometimes called non-listed solutions, or end-to-end encryption/E2EE). While there are many nuanced differences (learn more in our blog The Differences between PCI-Validated P2PE and Non-Validated P2PE Solutions), there are three high-level requirements that every P2PE/E2EE solution must offer:
- The card data must be encrypted using strong cryptography
- The encryption must be performed within a secure hardware device
- It must not be feasible to decrypt the data within the merchant environment
Through this process, P2PE performs the function of devaluing the cardholder data in the eyes of any hacker who may otherwise seek to access this information within the merchant’s software, systems, and network, therefore securing card data in-flight.
The Role of Tokenization – Securing Card Data at Rest
Finally, there are merchants who must perform certain customer billing functions such as delayed charges, subscriptions, refunds, or credits, which require credit card information.
Tokenization is the technology where secure card data storage is centralized and a different value is used to represent the original cardholder data. When ready to be re-used, the token must generally be passed to the tokenization provider, where the original cardholder data is retrieved, decrypted, and utilized.
To take full advantage of the benefits of tokenization, PCI SSC recommends that merchants tokenize sensitive data as quickly as possible, replace cardholder data with tokens wherever it is stored, and use services that do not provide a mechanism to “detokenize” data, as this presents another avenue that may be exploited. When properly implemented, use of tokenization instead of storing actual cardholder data is valuable for securing card data at rest.
At Bluefin, we are a strong proponent for the holistic payment security approach, but feel that in order to really devalue the data and make it useless to hackers, enterprises and merchants should not handle any clear-text card data. If they do, and process it through their system or store it in their system – hackers will cause millions of dollars in damage, damage the company brand and lower consumer confidence.