MAG Insights

Announcements from the MAG & Featured Articles

Innovate Now: Defend versus Devalue: Two Approaches to Card Data Security (MAG Quarterly- Volume Three, Issue One)

By Ruston Miles, SVP and Chief Innovation Officer, Bluefin Payment Systems

March 5, 2015

2014 closed out with a record number of data breaches – 783, a 27.5% increase over the number of breaches reported in 2013, exposing 85,611,528 consumer records, according to the Identity Theft Resource Center (ITRC). That’s more than two breaches each day. And these are only the reported breaches – many breaches go unreported. Most people can identify the larger retailer breaches, but what about the smaller merchant breaches? The fact is that a card data breach can happen to any business regardless of size.

What have we learned from the major retailer breaches that started in 2013? The primary attack vector employed by hackers has changed to POS malware in response to merchants becoming more PCI DSS compliant. In the past, hackers attacked data at rest in merchant databases, networks, and file systems by breaching a merchant’s network defense systems, or lack thereof. Now, hackers are focusing on exposing data in motion by inserting malware into the merchant’s POS that silently listens to the stream of clear-text card data flowing by and ships it out to the hacker’s servers.

While EMV will protect the card data from being used to duplicate a physical card, it does nothing to stop hackers from stealing the EMV card data as it travels through the merchant’s systems or networks. Hackers can still expose this data and sell it for use in card-not-present and online fraud. According to a 2014 report by Aite Group, “CNP fraud rose sharply in the wake of the U.K. liability shift as well, growing by 79% between the liability shift in 2005 and its peak in 2008.” The U.S. should expect similar results after its October 2015 EMV Liability Shift if a holistic security technology approach is not put in place.

There are two security paths for merchants: Defend the Fort or Devalue the Data. With the Defend the Fort approach, merchants build stronger, higher walls of security around their systems and data. Merchants can install and maintain all of the security technologies specified in the PCI DSS requirements including firewalls, intrusion detection, constant patch updates, 24/7 monitoring and 330 other security requirements. To say the least, this can be an arduous and costly effort.

In the process of maintaining such a security program company-wide, there may be unknown security holes that an IT staff doesn’t know about until it’s too late. This was certainly the case for many major retailers who were assessed to be PCI DSS Compliant only months before hackers breached unknown security vulnerabilities in their systems.

With the Devalue the Data approach, merchants employ security technology to devalue the cardholder data before it reaches their POS systems rendering the data useless to hackers if it is exposed. With many merchants, tokenization is a top-of-mind choice for this approach. However, tokenization requires the card data to be accepted by the payment terminal and passed to the processor (or token provider) in order to create the token in the first place. It is during this exchange of card data for a token that hackers can expose the data while in motion.  While tokenization is appropriate for replacing large databases of card data, it does nothing to protect the POS systems and networks during the card acceptance and transmission process.

This is where PCI’s Point-to-Point Encryption (P2PE) standard became a security game-changer in late 2011. PCI’s P2PE standard combines a PTS-validated Point-of-interaction (POI) with SRED (Secure Reading & Exchange of Data) device that encrypts card data at the point of entry (magnetic head, EMV insert, keypad, NFC radio, etc.) with a unique key per transaction that protects the card data until it reaches the P2PE Solution Provider’s secure decryption environment. The P2PE Solution Provider then securely passes card data securely back to the merchant’s processor for normal processing.

There are two categories of P2PE technology: PCI-validated P2PE Solutions and non-validated solutions.

At the time of this writing there are six PCI-validated P2PE Solutions globally. In Q1 2014, Bluefin became the first provider in North America to receive P2PE validation and, in Q4 2014, became the first world-wide to receive validation for a mobile P2PE Solution. PCI-validated P2PE differs from non-validated P2PE solutions (also called end-to-end encryption) in that PCI’s P2PE requires validated key injection facilities (KIF), strong encryption, SRED-enabled and tamper resistant/aware devices, chain of custody management for all encrypting and decrypting devices, as well as hardware-only key injection, encryption and management.

Non-validated P2PE offerings have no such requirements and merchants must rely on a vendor’s own assurances that secure processes are in place. Many non-validated P2PE solutions may encrypt or decrypt card data in software or, worse yet, may store the sensitive decryption keys in databases or software which can in turn be exposed by hackers. It doesn’t matter how strong a lock is if a thief has the key.

For this reason, PCI’s P2PE only allows key management in hardware. PCI’s commitment to security on this point has been a source of contention for many would-be P2PE providers who are unwilling to invest into security by taking on the added expense of HSM (hardware security modules) farms, the PCI-validated devices that store and manage keys in hardware instead of software.

PCI-validated P2PE, tokenization and EMV each play an integral role in the holistic security approach recommended for point of sale transactions. P2PE encrypts cardholder data at the point of entry to protect it in motion; tokenization protects card data while at rest for merchants who need to have access to card data on file; EMV prevents a merchant from accepting counterfeit, lost or stolen cards.

An area of growing opportunity but also of growing security concern in modern commerce is mobile point of sale (mPOS) payment acceptance. mPOS isn’t for just startups or micro-merchants anymore. Big-box retailers are extending the reach of their POS’ with mobile systems to provide line-busting convenience to consumers, to stop lost sales, and to generate additional revenue. However, many businesses have held back on moving to the numerous benefits of mPOS because of perceived insecurity. Some enterprises have an internal mandate to remain PCI DSS compliant, and currently PCI is not accepting mobile apps for PA-DSS assessments. Thankfully, P2PE comes to the rescue again. The PCI SSC published an At a Glance guidance document titled Accepting Mobile Payments with a Smartphone or Table in 2014. This document explains how PCI-validated P2PE can help with a merchant’s mobile security responsibilities under PCI DSS (Data Security Standard).

The security recommendations for mPOS are the same as for traditional POS: PCI-validated P2PE, tokenization, and EMV. With most modern smartphones and tablets, merchants cannot take a Defend the Fort approach with mobile payment acceptance since they cannot control the mobile hardware, apps, connectivity or operating systems. There are simply too many players that come together to make mobility happen for a merchant to reliably secure the solution. In the mPOS environment, merchants must employ the Devalue the Data approach to protect the card data before it reaches the mobile device. A PCI-validated Mobile P2PE Solution provides this protection for merchants as well as mPOS and payment app developers.