by Jose Diaz, Director, Payment Strategy, Thales e-Security
At this point in the history of cyber security, it seems like the eternal optimism of “it couldn’t happen to me” is the only reason consumers by the millions haven’t abandoned the digital life and gone back to cash-only transactions. Huge-scale data breaches persist, snatching more and more personal data. Retailers certainly want to protect their customers and their reputation, but are they really doing all they can?
There’s a reason why we are still experiencing huge breaches, and it’s not a lack of technology. Solutions that provide increased protection for cardholder data, while maintaining the highest levels of performance—up to millions of transactions per day—were defined and developed after the highly publicized breaches in 2009. The Payment Card Industry (PCI) released solution requirements for Point-to-Point Encryption to assist merchants in protecting cardholder data and reducing the scope of their environment for PCI DSS assessments. However, these approaches still seem to be a concept rather than common practice.
This is a critical issue in need of a thorough solution. Reducing the risk of payment data breaches requires encrypting sensitive data at the point of swipe (or dip in the case of EMV cards) in the payment device and only decrypting it at the processor. Direct attacks on devices in the payment acceptance process have become increasingly common and highly sophisticated, but strongly encrypted cardholder data is useless to cyber criminals. To understand the approaches, and the benefits, of implementing sensitive data protection, let’s focus on two key areas: traditional payment acceptance terminals and mobile.
Accepting Payment at the Terminal
Transaction speed is important to both customers and merchants; electronic POS solution providers need to maximize security for payment card transactions without slowing performance. Their solutions need to encrypt cardholder data from the precise moment of acceptance through to the point of processing, where transactions can be decrypted and sent to the payment networks. By deploying point-to-point encryption (P2PE), the intermediate systems that sit between the POI (point of interaction, the point of swipe) device and the point of decryption at the processor are removed from the scope of most PCI-DSS compliance requirements, since the sensitive data passing through them is encrypted.

Not all encryption is the same. There is a difference between encrypting the data in the point-of-swipe device and encrypting it in the POS system, more specifically in the retail terminal. POI devices are subject to a PCI certification process, which provides high-assurance cryptography and key management functionality. Retail terminals, on the other hand, are typically PC- or tablet-based devices that in most cases offer only software-based encryption and lack the security controls of PCI-certified devices.
Data decryption takes place at the point of processing using HSMs for secure key management, as required by PCI-P2PE requirements. HSMs perform secure key exchanges and, in most applications, key management that produces a unique key to protect each and every payment transaction. Taking advantage of these security capabilities, solution providers can build high-capacity and redundant secure systems so that multiple servers and multiple HSMs, deployed at multiple data centers, can combine seamlessly to service high transaction volumes with automated load balancing and failover.
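As an added illustration, not code from the article or from any vendor it names, the following Go sketch models the flow just described: the reader seals the track data under a key that exists for one transaction only, intermediate systems carry nothing but ciphertext, and the processor (standing in for the HSM) re-derives that key, rejects replayed counters and decrypts. It assumes HMAC-SHA256 over the device ID and transaction counter as a simplified stand-in for the HSM's per-transaction key management (not a standardised scheme such as ANSI X9.24 DUKPT), AES-256-GCM, and constructed device IDs and keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Message is all that intermediate systems (store controller, switch) ever see.
type Message struct {
	DeviceID string
	Counter  uint32 // per-device transaction counter; the reader never reuses a value
	Cipher   []byte // AES-256-GCM ciphertext of the track data, tag appended
}

// txnAEAD derives a unique per-transaction key as HMAC-SHA256(baseKey, deviceID|counter),
// a simplified stand-in for HSM key management (not ANSI X9.24 DUKPT), and returns the
// header too so both ends bind it to the ciphertext as associated data.
func txnAEAD(baseKey []byte, deviceID string, counter uint32) (cipher.AEAD, []byte) {
	hdr := []byte(fmt.Sprintf("%s|%08x", deviceID, counter))
	mac := hmac.New(sha256.New, baseKey)
	mac.Write(hdr)
	block, _ := aes.NewCipher(mac.Sum(nil)) // a 32-byte digest is always a valid AES-256 key
	aead, _ := cipher.NewGCM(block)         // GCM over an AES block cannot fail either
	return aead, hdr
}

// POIEncrypt runs inside the PCI-certified reader: the track data is sealed at the swipe.
// The all-zero nonce is safe only because each derived key encrypts exactly one message.
func POIEncrypt(baseKey []byte, deviceID string, counter uint32, track []byte) Message {
	aead, hdr := txnAEAD(baseKey, deviceID, counter)
	return Message{deviceID, counter, aead.Seal(nil, make([]byte, aead.NonceSize()), track, hdr)}
}

// ProcessorDecrypt stands in for the HSM at the point of processing: only it holds the
// base key; it re-derives the transaction key and rejects replayed or stale counters.
func ProcessorDecrypt(baseKey []byte, seen map[string]uint32, m Message) ([]byte, error) {
	if last, ok := seen[m.DeviceID]; ok && m.Counter <= last {
		return nil, fmt.Errorf("%s: replayed or stale counter %d", m.DeviceID, m.Counter)
	}
	aead, hdr := txnAEAD(baseKey, m.DeviceID, m.Counter)
	track, err := aead.Open(nil, make([]byte, aead.NonceSize()), m.Cipher, hdr)
	if err != nil {
		return nil, err // tag mismatch: ciphertext or header was altered in transit
	}
	seen[m.DeviceID] = m.Counter
	return track, nil
}
```

Because the counter is part of both the key derivation and the associated data, an intermediate system that alters either the header or the ciphertext produces a tag failure at the processor rather than a silently wrong decryption.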
With a distinctive combination of strong security and risk mitigation against malicious capture of cardholder data, Verifone—a provider of secure payment acceptance solutions—is one example of a P2PE solution provider that follows this approach. At the same time, this approach ensures performance and availability for transactions – a win-win for retailers. The Verifone VeriShield solution was specifically designed to enable retailers to implement Best Practices for Data Field Encryption, providing security that helps reduce the scope of PCI-DSS audits.
Accepting Payments on the Fly
Smaller merchants are now able, thanks to the mobile revolution, to afford on-the-go payment acceptance. However, with the increasing availability of mobile payment acceptance options, small merchants and mobile businesses need to take a moment to consider the security of their customers’ payment data.

Mobile devices equipped with an economical card reader “dongle” enable mobile point-of-sale, or mPOS. A mobile phone or tablet can accept payments from both EMV and magnetic stripe payment cards in this way. As with traditional POS, it is critical that the card reader encrypt the sensitive payment data it receives.
It can be challenging to secure mPOS solutions. CreditCall and ROYAL GATE, two payment services providers, overcame this challenge by using point-to-point encryption (P2PE) to protect the sensitive payment data from their mobile acceptance offerings. They integrated HSMs with their processing application as a critical component to manage keys and secure customer data following PCI P2PE solution requirements. The use of HSMs enables them to defend against external data extraction threats and to protect against compromise by a malicious insider.
Securing Payment Credentials
There are several options on the market that allow mobile devices to make payments, but Host Card Emulation (HCE) has distinct market advantages. Because the security of the payment data and transaction does not depend on hardware embedded in the phone, it has much broader applicability; any smartphone can use the HCE approach by loading payment credentials onto the device and using it in place of a physical card.

Mobile devices have an NFC (near field communication) controller, which HCE-based applications use to interact with a contactless payment terminal. However, since the application cannot rely on secure hardware embedded in the phone to protect the payment credentials, alternative approaches to protecting sensitive data and securing transactions have to be used. These approaches include tokenizing payment credential numbers as well as actively managing and rotating the keys used for transaction authorization. This lets issuers manage the risk introduced by holding payment credential data in a less secure mobile device environment.
The approaches that protect this data are based on HSMs in the issuer environment, which not only create the rotating keys but also deliver them securely to the mobile device. The HSMs are also a critical part of the tokenization and transaction authorization process. The HCE infrastructure does not actually introduce any new security processes or procedures for retailers and processors; it simply enables issuers to combine their existing strong security practices—key generation and distribution, data encryption and message authentication—into a cohesive offering that enables payments with mobile devices.
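The issuer-side key rotation and authorization check described above, as an added Go example that is not from the article or from any issuer's actual implementation: the issuer (standing in for the host plus its HSM) derives a limited-use key per token generation, the phone MACs each transaction with it, and the issuer re-derives the key to verify, refuses replayed counters and forces rotation after a fixed number of uses. The HMAC-SHA256 derivation, the use limit, the token string and the secure channel that delivers the key to the phone are all assumptions; production schemes differ in detail.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdf is HMAC-SHA256 over "|"-joined labels; a simplified stand-in for HSM key derivation.
func kdf(key []byte, parts ...string) []byte {
	mac := hmac.New(sha256.New, key)
	for _, p := range parts {
		mac.Write([]byte(p + "|"))
	}
	return mac.Sum(nil)
}

// Issuer stands in for the issuer host and its HSM, which alone holds the master key.
type Issuer struct {
	Master  []byte
	MaxUses uint32            // a key generation covers ATCs 1..MaxUses, then it must rotate
	LastATC map[string]uint32 // token|gen -> highest ATC accepted, used to reject replays
}

// Provision returns the limited-use key for generation gen of a token; rotation is gen+1.
// Only the token (never the PAN) and this key reach the phone, over an assumed secure channel.
func (i *Issuer) Provision(token string, gen uint32) []byte {
	return kdf(i.Master, "LUK", token, fmt.Sprint(gen))
}

// Cryptogram runs on the phone: the HCE app MACs the transaction with its limited-use key.
func Cryptogram(luk []byte, token string, atc uint32, amount uint64) []byte {
	return kdf(luk, "TXN", token, fmt.Sprint(atc), fmt.Sprint(amount))
}

// Authorize re-derives the key in the HSM, verifies the MAC, rejects replays, enforces the limit.
func (i *Issuer) Authorize(token string, gen, atc uint32, amount uint64, mac []byte) error {
	slot := fmt.Sprintf("%s|%d", token, gen)
	if atc > i.MaxUses {
		return errors.New("limited-use key exhausted: phone must fetch the next generation")
	}
	if atc <= i.LastATC[slot] {
		return errors.New("replayed or out-of-order ATC")
	}
	if !hmac.Equal(Cryptogram(i.Provision(token, gen), token, atc, amount), mac) {
		return errors.New("cryptogram does not verify")
	}
	i.LastATC[slot] = atc
	return nil
}
```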
Protecting What’s Yours
The sophistication and determination of malicious actors have resulted in a global, multi-billion-dollar industry. The real possibility of huge financial reward spurs cyber criminals to evolve their methods, including attacks on payment devices themselves. But the reality is that retailers and their acquirers can reduce their risk and fear if the sensitive cardholder data in their possession is nonsense to hackers. This is why P2PE is so critical in the fight to reduce fraud.
In addition to using P2PE and PCI-certified devices to keep card data safe, merchants are using HSMs in the processing environment to protect the critical data-protection and transaction keys. These steps also create a trust environment that complies with PCI requirements and reduces risk for payment acceptance and HCE-based credentials. Following these best practices will help merchants and their acquirers safeguard the lifeblood of their business, protecting their bottom line and their good name.