Editor’s Note: We are thrilled to welcome Bob Lowe, VP of Business Development at Shift4 Corporation, to the blog with an important post about payment card data security.
By now, I’m sure most of you have heard about the recent credit and debit card information breach at one of the nation’s largest retailers. Likewise, you have probably seen the litany of articles published over the past two weeks speculating about how it happened and which security technologies may or may not have been in play. Unfortunately, many of these articles have been poorly researched and have provided false information (and a little false hope) to retailers.
As a partner and as a merchant advocate, Shift4 would like to take a moment to sort through the speculation and share a few tips on which technologies can actually help merchants avoid falling victim to these kinds of attacks.
EMV Isn’t the Silver Bullet
There are several articles out there that clearly say that EMV (chip-and-PIN or chip-and-signature) payment cards would have prevented this type of breach from occurring. This is absolutely untrue.
EMV governs the interaction between the chip card and the device that reads it: it authenticates the card to the terminal and makes counterfeiting a chip card much harder. It does not encrypt the card number. Most EMV devices still send the card number in clear text from the device to the POS, so the POS receives the same account number and expiry date it would from a traditional magnetic stripe PIN debit or signature card, and that data is still usable for card-not-present fraud.
How Can Merchants Secure PINs?
There has been a lot of talk about whether unencrypted or encrypted PINs were lost, leaving many people to speculate that the retailer’s encryption key was not strong enough. In reality, merchants never hold the PIN encryption keys.
First of all, the PIN encryption key belongs to the processor that receives the transaction, not the retailer; it is injected into the PIN entry device on the processor’s behalf and the merchant never sees it in the clear. The PIN encryption itself is implemented by the device manufacturer and must meet the PCI PIN Transaction Security (PTS) requirements for the device and the PCI PIN Security requirements for key management. The encryption takes place inside the secure PIN entry device and merchants have no ability to decrypt it. So if PINs were compromised, it was not because the merchant had a weak key; either the processor’s key was weak or compromised, or the devices themselves were tampered with.
When talking about PIN encryption, it’s important to realize that in most payment terminals, while the PIN is encrypted, the card number and the rest of the data on the card’s magnetic stripe are not. We should also remember that, in the U.S., PINs are used only for PIN debit transactions, not for signature credit transactions.
One technology that actually could have made a difference in this case is point-to-point encryption (P2PE). This approach ensures that the card number and all of the track data, not just the debit PIN, are encrypted inside the reading device. If the merchant in question had used P2PE, then they would not have had any sensitive cardholder data in their environment to lose, so even when they were hacked, the thieves would have gotten nothing of any value. As we say, “They Can’t Steal What You Don’t Have.®”
Some media have carried stories that suggest the encryption, while strong enough to thwart an amateur hacker, was not strong enough to beat the attack from serious cyber criminals. That’s where gateways like Shift4 add value. We take the P2PE-protected data, which is already encrypted under a dynamic key that changes for each transaction (a per-transaction derived key, typically DUKPT, so no two transactions share a key), and encrypt it again using what we call “moving target encryption.” Even if the best cyber criminals were able to break this double encryption, which is unlikely, they would recover only one card number, and would then have to repeat the whole attack for each additional card. With cyber criminals selling magnetic stripe data for about $25 a card, the effort needed to steal a single card number when these technologies are involved becomes unprofitable.
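The property the previous paragraph relies on is that a per-transaction key compromised for one swipe tells the attacker nothing about any other swipe. The following is an added illustration written for this post, not Shift4’s code and not the ANSI X9.24 DUKPT algorithm itself: it models the same structure (a base derivation key that never leaves the processor, an initial key injected into the device, a one-way derivation of a fresh key per transaction counter) using only HMAC-SHA256 from the Python standard library so that it runs offline. The key names, the key serial number and the track data are all constructed test values.

```python
"""Constructed model of per-transaction ("dynamic") key derivation for P2PE.
This is NOT ANSI X9.24 DUKPT and NOT Shift4's implementation; real devices use
TDES/AES DUKPT inside a PCI PTS-approved reader.  It only demonstrates the
security property: one transaction key opens exactly one transaction."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

# Constructed test values (hypothetical, not real keys or a real terminal).
BDK = bytes.fromhex("0f" * 32)        # base derivation key: lives only at the processor
KSN = b"TERMINAL-0001"                # key serial number identifying the device
TRACK2_A = b";4111111111111111=25121011234?"   # test PAN, constructed track 2 data
TRACK2_B = b";5555555555554444=25121019876?"   # second test card


def _prf(key: bytes, label: bytes) -> bytes:
    """Keyed one-way function used for every derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_ipek(bdk: bytes, ksn: bytes) -> bytes:
    """Initial key injected into one device.  Derived from the BDK so the
    processor can recompute it, but BDK cannot be recovered from it."""
    return _prf(bdk, b"ipek|" + ksn)


def derive_tx_key(ipek: bytes, ksn: bytes, counter: int) -> bytes:
    """Fresh key for transaction number `counter` on device `ksn`.
    HMAC is one-way, so key N reveals neither IPEK nor key N+1."""
    return _prf(ipek, b"tx|" + ksn + b"|" + counter.to_bytes(4, "big"))


def _keystream(enc_key: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += _prf(enc_key, b"ks|" + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def encrypt_track(tx_key: bytes, track: bytes) -> bytes:
    """Encrypt-then-MAC of the track data under one transaction key."""
    enc_key, mac_key = _prf(tx_key, b"enc"), _prf(tx_key, b"mac")
    ct = bytes(a ^ b for a, b in zip(track, _keystream(enc_key, len(track))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt_track(tx_key: bytes, blob: bytes):
    """Returns the track data, or None if the key is wrong or the blob was altered."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _prf(tx_key, b"enc"), _prf(tx_key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def host_decrypt(bdk: bytes, ksn: bytes, counter: int, blob: bytes):
    """Processor side: rebuild the device's transaction key from BDK + KSN + counter."""
    return decrypt_track(derive_tx_key(derive_ipek(bdk, ksn), ksn, counter), blob)


def demo():
    """Device encrypts two swipes; an attacker who somehow obtained the key for
    swipe 1 can read swipe 1 only.  The processor reads both from the BDK."""
    ipek = derive_ipek(BDK, KSN)             # injected into the device once
    k1, k2 = derive_tx_key(ipek, KSN, 1), derive_tx_key(ipek, KSN, 2)
    blob1, blob2 = encrypt_track(k1, TRACK2_A), encrypt_track(k2, TRACK2_B)
    return {
        "keys_differ": k1 != k2,
        "attacker_with_k1_reads_swipe1": decrypt_track(k1, blob1),
        "attacker_with_k1_reads_swipe2": decrypt_track(k1, blob2),
        "processor_reads_swipe2": host_decrypt(BDK, KSN, 2, blob2),
        "pan_visible_in_transit": TRACK2_A[1:17] in blob1,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point to take from `demo()` is the last two entries: the card number never appears in what leaves the reader, and a key recovered for one transaction fails the integrity check on every other transaction, which is exactly why the "crack it once, read everything" scenario in the press coverage does not apply to per-transaction keying.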
Why Doesn’t Everyone Use P2PE?
Good question! While it’s not the solution to every problem, P2PE is one of the best tools on the market for credit card data security. It’s also readily available and relatively inexpensive (in fact, it’s provided at no additional cost to Shift4’s merchant customers). But the fact that it is becoming so popular may actually be part of the problem. You see, many retailers believe they have P2PE in place, when in fact the solution they were sold is something far less.
Here are two tips to ensure that you’re getting the most out of your P2PE solution. First, make sure that the encryption starts at the point of interaction, inside the device that reads the swipe or the chip. There are industry rumblings that in the major breach I mentioned earlier, encryption didn’t happen until the data was already in the POS, leaving that system vulnerable to breach; a quick way to check your own setup is to capture what the POS actually receives from the reader and confirm that no card number can be found in it. Second, ensure that your final endpoint is outside of your merchant environment and that you do not have the ability to decrypt the data anywhere in your environment. Outsource those security headaches to a company that specializes in handling sensitive data, one that builds its business to keep people out, not to invite them in.
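Both the EMV point above (the reader hands the POS a clear-text card number) and the first tip here (encryption must begin in the reader, not in the POS) come down to one question: does a valid card number ever reach the POS? The scanner below is an added example written for this post, not Shift4’s tooling; it runs over the raw bytes a POS receives from a reader, pulls out 13- to 19-digit runs, keeps only those that pass the Luhn check (which screens out serial numbers and timestamps), and reports them masked to first six and last four as PCI DSS permits. The two captures are constructed, using well-known test card numbers, so it runs offline.

```python
"""Find clear-text card numbers in data a POS receives from a card reader.
Added example for this post, not Shift4's code.  Inputs below are constructed."""
import re

# Maximal digit runs of PAN length.  A PAN glued to other digits with no
# separator would be missed; track formats always delimit it, so that is fine here.
_DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

# Constructed: what a non-encrypting reader sends (track 1 + track 2, test PAN).
CLEARTEXT_SWIPE = (b"%B4111111111111111^DOE/JANE^2512101?"
                   b";4111111111111111=25121011234?")
# Constructed: what an encrypting reader sends: key serial number, ciphertext,
# and a device serial number that is 16 digits but not a valid card number.
ENCRYPTED_SWIPE = (b"KSN=FFFF9876543210E00001;"
                   b"ENC=7a3fc9e1b402d6f8a19c3e5d7b2f4a60;"
                   b"SERIAL=1234567890123456")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the maximum PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(data: bytes) -> list:
    """Distinct Luhn-valid PANs in `data`, in order of first appearance, masked."""
    seen, found = set(), []
    for m in _DIGIT_RUN.finditer(data):
        run = m.group().decode("ascii")
        if luhn_ok(run) and run not in seen:
            seen.add(run)
            found.append(mask(run))
    return found


def assess(capture: bytes) -> dict:
    """Verdict for one captured reader-to-POS message."""
    pans = find_pans(capture)
    return {
        "pans": pans,
        "encrypted_at_swipe": not pans,
        "note": ("POS is receiving clear-text card data; encryption is not "
                 "starting in the reader" if pans else
                 "no card number visible in what the POS received"),
    }


if __name__ == "__main__":
    for label, cap in (("non-encrypting reader", CLEARTEXT_SWIPE),
                       ("encrypting reader", ENCRYPTED_SWIPE)):
        print(label, assess(cap))
```

Run it against a capture of the serial or USB traffic between your reader and the POS application (or a memory dump of the POS process): if the first verdict is what you see, the solution you were sold is not P2PE, whatever the brochure says. The Luhn filter matters in practice because POS traffic is full of long digit strings (serials, timestamps, reference numbers) that would otherwise drown the report in false positives.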
It is unfortunate that an existing technology – one that is so readily available in the marketplace – could have prevented this whole situation had it been properly implemented. The challenge the payment industry faces is that being PCI compliant and being secure are not the same thing. PCI does not encourage or reward an organization for taking the additional steps and spending the additional money to invest in strong security technologies like P2PE and the other advanced security solutions companies like Shift4 offer – even when those technologies are readily available and proven in the real world.
The effort necessary to implement these solutions must therefore be taken proactively, in the name of security, and not reactively in accordance with some external PCI mandate. Fortunately for our users, complete P2PE adoption is as simple as implementing our DOLLARS ON THE NET® payment gateway. The integration has already been written with P2PE and tokenization included, which means no development work will be required for your company to adopt the industry’s strongest card data security technologies.
Bob Lowe, VP of Business Development at Shift4 Corporation, is a 30-year veteran of the payments industry. Bob has held key positions on numerous industry standards boards in the Retail, Hospitality, Food and Beverage, and e-Commerce industries and is recognized as a thought leader in secure, integrated payments.
In the early days of CISP, PABP, and PCI-DSS, Bob led product management teams and set up programs to bring products in line with these requirements. It was then he realized that the best approach to data security was the complete removal of sensitive card data from selling systems.
Bob’s vast experience also includes time spent preparing numerous PMS and POS products for the transition to EMV payments in Europe, Canada, and now the U.S.