Late on Friday the WSJ reported that The Home Depot had signed a contract in April 2014 with a data security provider to begin work on fully encrypting payment card data in the chain’s 2,200 U.S. and Canadian stores. The decision for encryption was spurred by the Target breach and January recommendations from a task force that THD had assembled at their Atlanta headquarters.
It is reported that the encryption system had been rolled out to about a quarter of THD stores. Unfortunately, the theft of data could go back as many as 4 months, before the system was fully implemented.
Details on the plans for encryption came 4 days after Home Depot issued a press release on September 8th stating that “Responding to the increasing threat of cyber-attacks on the retail industry, The Home Depot previously confirmed it will roll out EMV ‘Chip and PIN’ to all U.S. stores by the end of this year, well in advance of the October 2015 deadline established by the payments industry.”
So it turns out that Home Depot knew (as we expect many others do, though they don’t talk about it) that EMV wasn’t going to be the only answer in payment security. While corporate representatives assured the public, the press, and analysts that they would have EMV in place soon, the company quietly worked in the background to implement technology that will encrypt payment card data. We sincerely applaud Home Depot for taking these steps and securing their system with encryption, which, unlike EMV, is not mandated.
There are technologies available for payment encryption, whether end-to-end encryption or PCI-validated point-to-point encryption (P2PE), which Bluefin provides. Relying on just one payment security technology won’t work, because encryption, EMV and tokenization (the *standard* which everyone must have) all address different steps and factors in payments.
- Encryption – Encryption, including P2PE, addresses payment card data in motion. Card data is encrypted upon entry into the point of interaction (POI) device. In the case of a PCI-validated P2PE solution, data is never decrypted until it reaches the Hardware Security Module (HSM). In other words, P2PE prevents data from being available in a merchant’s network in the clear.
- EMV – EMV addresses authentication of the consumer’s credit card. Credit and debit cards will be outfitted with a chip (eventually replacing the magstripe) and will eventually require a PIN to authenticate the consumer. EMV will help prevent card-present fraud and white-labeling.
- Tokenization – Tokenization addresses payment card data storage. Tokenization’s primary security goal is to remove the value of the Primary Account Number (PAN) and end up with a tokenized value that can be safely stored for future transactions. However, tokenization only protects cardholder data (CHD) at rest (i.e., stored), not CHD in transit (hence the need for P2PE).
While we are dismayed by Home Depot’s data breach, we believe that their steps to adopt payment encryption for stores – and to divulge it – will open the discussion further as to why EMV is NOT the only answer.
Bluefin’s Chief Innovation Officer, Ruston Miles, will speak on Point-to-Point Encryption, EMV and Tokenization at this week’s Merchant Advisory Group Annual Meeting.