Three Technologies to Look for in a Secure Payment Solution

There are three valuable technologies that are sometimes misunderstood but should be considered when implementing a secure payment solution. Here we discuss EMV, P2PE and Tokenization, where they may add value in providing secure payment, and common misconceptions about their impact on a merchant’s security and risk profile.

EMV – Securing Against Counterfeit Cards

EMVCo, which was founded by (and named after) Europay, Mastercard, and Visa in 1994, manages the EMV standards. The payment industry around the world has begun adopting EMV for production and transaction support for credit cards issued with integrated chips in order to provide new card fraud protections for consumers.

The EMV chip embedded within the new chip cards is capable of using advanced cryptography to generate a unique code (iCVV) that is then sent to the card networks with each transaction to confirm that the physical card is legitimate. This process has been demonstrated to be effective at preventing fraudsters from creating counterfeit cards. However, the EMV chip does not provide any encryption for the credit card primary account number (PAN), expiration date, or cardholder name: three sensitive data elements classified as cardholder data and required to be protected according to PCI DSS. Threat actors that steal this information can use this data to conduct fraud through other channels such as online (e-commerce) or MOTO transactions. Therefore, support for EMV does not reduce a merchant’s PCI responsibilities for protecting account data, nor has recent movement throughout the industry to adopt EMV had any measurable impact on the number of cardholder data breaches. In summary, EMV is primarily effective for reducing card present fraud by securing against counterfeit cards.

P2PE – Securing Card Data in Flight

P2PE is the term used by the PCI SSC to refer to its terminal-based encryption standard, where transactions are encrypted within specific PTS-approved hardware using encryption keys that reasonably protect the account data so that it can be transferred through the merchant environment safely, reducing risk of compromise. The role of P2PE in a secure payment solution is to immediately and fully encrypt all cardholder data and sensitive authentication. By using strong encryption, device management practices, and key management, P2PE is effective at addressing the risk of card data compromise for card data in transit out of the merchant network as it is transmitted to the gateway or acquirer for decryption and processing.

There are three high-level requirements that every P2PE solution must offer:

1. The card data must be encrypted using strong cryptography
2. The encryption must be performed within a P2PE-compliant device
3. It must not be feasible to decrypt the data within the merchant environment

As a result of these requirements, it becomes physically improbable to access card data prior to encryption; it becomes computationally infeasible to derive captured card data using brute-force methods; and it becomes logically unattainable to access the decryption keys in order to decrypt directly.

Through this process, P2PE performs the function of devaluing the cardholder data in the eyes of any hacker who may otherwise seek to access this information within the merchant’s software, systems, and network, therefore securing card data in flight.

Tokenization – Securing Card Data at Rest

Finally, there are merchants who must perform certain customer billing functions, such as delayed charges, subscriptions, refunds, or credits, which require credit card information. Some merchants may have also used cardholder data as a means to track consumer behavior (although this practice is generally prohibited). Traditionally, these operations require the merchant to store sensitive credit card information so that it can be accessible for future use. Unfortunately, this also leaves a “treasure trove” of stored credit card data that may be stolen. For that reason, the efforts required to fully protect stored card data (PCI DSS Requirement 3) can be quite extensive and expensive.

Tokenization is the technology where secure card data storage is centralized and a different value is used to represent the original cardholder data.

When ready to be re-used, the token must generally be passed to the tokenization provider, where the original cardholder data is retrieved, decrypted, and utilized.

Similar to P2PE, a compliant third-party service provider may perform this service on behalf of the merchant, including portions of the data security that rely on cryptography (in this case, storage encryption). However, unlike P2PE, the value that the merchant receives is not commonly a reversible encrypted form of the original PAN but is uniquely designed to be stored safely. The token value may resemble a credit card number or even retain certain non-sensitive portions of the card data, or it may look entirely different. In some cases, the token may be an encrypted form of the cardholder data, but in most cases, it is merely an arbitrary or random reference number used to access the stored information in the token vault. The entity performing the tokenization may be the gateway or another service provider, the acquirer, the card brand, or even the issuing bank.

To take full advantage of the benefits of tokenization, PCI SSC recommends that merchants tokenize sensitive data as quickly as possible, replace cardholder data with tokens wherever it is stored, and use services that do not provide a mechanism to “detokenize” data, as this presents another avenue that may be exploited. In each case, the merchant must still observe PCI compliance requirements for systems that store, transmit, or process card data before the data has been tokenized.

Summary

Our secure payment solution is the backbone of Payway because, like you, we must also demonstrate ongoing compliance to the PCI DSS. Payway includes complimentary tokenization to both protect cardholder data and speed up recurring payments. We offer P2PE as an add-on to help merchants reduce the scope and cost of PCI-DSS compliance, while further protecting cardholder data from potential hackers.