Protect Cardholder Data with P2PE
Almost 76 million credit card numbers were stolen from 2017 to 2018, according to Gemini Advisory. So how can you keep your company's and your customers' data safe, and how can technologies like Point-to-Point Encryption (P2PE) help?
P2PE is an emerging technology that is becoming increasingly essential for many companies, merchants in particular. It protects credit card data as it travels through a merchant's local network and across a payment gateway before reaching the payment processing system. Deploying a PCI-listed P2PE solution can virtually eliminate the risk of credit card data being compromised in many different environments.
When P2PE is implemented properly, it makes payment card transactions more secure by preventing the theft of unencrypted credit card data on a retail point-of-sale device, or while the data is in transit, such as online or in a card-not-present situation.
With P2PE, account data (the account number, expiration date or the magnetic stripe data on the card) is encrypted at the point of capture, making it unreadable until it reaches the secure decryption environment. Data that cannot be read is far less valuable to a thief. By encrypting cardholder data at the point of sale or point of entry, merchants can significantly reduce their risk of a data breach.
How does P2PE work?
After a credit or debit card is read by a PCI-certified card-reading device at the merchant location or point of sale, the device immediately encrypts the card information. It does so with a cryptographic algorithm inside a tamper-resistant module, known as the point of interaction (POI), so the clear-text card data never leaves that module.
From the POI, the encrypted data is sent to the payment gateway for decryption. The keys for encryption and decryption are never available to the merchant, so the card data is entirely invisible to the retailer. Once the encrypted data is inside the secure data zone of the payment processor, it is decrypted back to the original card numbers and passed to the bank for authorization. The bank either approves or rejects the transaction, depending on the cardholder's account. The merchant is then notified whether the payment was accepted or rejected, which completes the process. The round trip from encryption to decryption adds negligible time to the authorization.
Deploying a PCI-listed P2PE solution can virtually eliminate the risk of credit card data being compromised in an environment. While it may add some cost for businesses, in the form of logging and inventory management for the POI devices, this is offset by the far more secure transactions the solution provides, and by a reduced scope of PCI DSS compliance requirements.
Card-not-present fraud, which occurs mostly during online and mobile transactions in which consumers do not physically present their credit card to the merchant, had steadily ticked up over several years, reaching $3.3 billion in 2016. Data for 2017 show a further increase in card-not-present fraud losses, to almost $3.9 billion.
Fraudsters have shifted their efforts to online fraud to make up for the increasingly closed doors on physical transactions, and the card-not-present losses show that.
Any organization or merchant that accepts, transmits or stores cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply leaves a merchant exposed to all kinds of attacks. The PCI DSS includes requirements for security policies, procedures, management, software design, network architecture, and other protective measures.
Merchants using a PCI-listed P2PE solution have the advantage of simpler compliance efforts. And, as data breaches continue to make news, alarming consumers and merchants alike, it is even more pertinent for businesses to stay informed about security terms like P2PE and ensure they are in compliance with PCI standards.
So, are your systems set up to keep you out of the news today? Because if not, you might become tomorrow’s top headline.