Encryption is a hot topic in payments today. But it’s not an
entirely new concept. Human beings have been using forms of cryptography to
protect sensitive information for thousands of years. While today’s payment
encryption technology, particularly point to point encryption, is a far cry
from earlier rudimentary methods of securing information, the end goal remains
the same: render sensitive data non-sensitive so if it is stolen, it cannot be
used.
One of the most common misconceptions about encryption is
that it is the be-all end-all for protecting cardholder data—that having an
encryption solution in place is enough to protect a business from data theft.
The fact is that criminals continue to find ways to breach merchant systems and
access account data.
Credit card security and fraud protection is a complex and
detailed discipline that requires dedication and focus beyond encryption
technology. The type of encryption, where the encryption happens, and how the
encryption keys are managed are all considerations in the effectiveness of a
particular solution. (An encryption key is used to both encrypt and decrypt
data and is designed using a particular algorithm to ensure that each key is
unique.)
Good technologies that are implemented poorly result in a
false sense of security. An effective encryption solution not only relies on
encryption keys, but also secure device requirements; key management that is in
line with security requirements and best practices; properly implemented,
trusted applications; and device deployment operations.
Why encrypt credit card data?
There are two main reasons for a merchant to implement a
payment solution that includes encryption:
Although there are many encrypted payment solutions
available, they are not all the same. The two most common options for small and
medium-sized businesses are non-validated encryption and PCI P2PE. Let’s take a look.
Non-validated encryption solution
A non-validated encryption solution is “risk reducing”
against attackers, but it does not reduce the merchant’s scope of PCI
compliance. This is because although data is encrypted, the hardware where the
solution resides is not defined as secure by the PCI PTS-PIN, and the handling
of encryption keys is not aligned with security best practices and standards.
This means merchants and hackers could potentially have access to the
encryption keys, and ultimately access to clear cardholder data.
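The two paragraphs above turn on a single question: where is the data encrypted, and who holds the key? The following is an added example, not code from the original post or from any P2PE provider, that models both arrangements. A terminal encrypts the card number with a key injected by the solution provider; in the validated-style path the merchant’s POS only forwards ciphertext and holds no key, while in the non-validated path the POS application itself holds the key. The cipher is a constructed HMAC-SHA256 counter-mode scheme with an encrypt-then-MAC tag, chosen only so the example runs with the standard library; the class names, the `simulate` function and the test card number are assumptions for illustration, and a production solution would use an approved AES-based scheme.

```python
"""Added example (not from the original post): where card data is
encrypted and who holds the key, modelled with standard-library crypto."""
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 tag
NONCE_LEN = 16


def new_key() -> bytes:
    """64 random bytes: first half for encryption, second half for the MAC.
    In the model this is what the provider's key injection facility loads
    into the terminal and what its decryption environment keeps."""
    return os.urandom(64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (constructed scheme)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    """True only if the tag verifies under this key (wrong key or tampering fails)."""
    mac_key = key[32:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt(key: bytes, blob: bytes) -> bytes:
    if not is_authentic(key, blob):
        raise ValueError("authentication failed: wrong key or tampered data")
    enc_key = key[:32]
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def simulate(pan: str, merchant_holds_key: bool) -> dict:
    """Model one card read.  Returns what each party can recover.

    merchant_holds_key=False: validated-style path, the POS sees only
    ciphertext.  merchant_holds_key=True: non-validated path, the POS
    application has the key and therefore sees clear cardholder data."""
    provider_key = new_key()                 # injected into the terminal by the provider
    blob = encrypt(provider_key, pan.encode())   # done inside the terminal
    merchant_key = provider_key if merchant_holds_key else None

    if merchant_key is not None:
        merchant_recovers = decrypt(merchant_key, blob).decode()
    else:
        # Without the key, the merchant environment cannot even validate the
        # blob, let alone read it; a guessed key fails the tag check.
        assert not is_authentic(new_key(), blob)
        merchant_recovers = None

    return {
        "ciphertext_contains_pan": pan.encode() in blob,
        "merchant_recovers": merchant_recovers,
        "provider_recovers": decrypt(provider_key, blob).decode(),
    }


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # constructed test value, not a real account
    print("validated-style:", simulate(TEST_PAN, merchant_holds_key=False))
    print("non-validated:  ", simulate(TEST_PAN, merchant_holds_key=True))
```

Running it shows the scope difference directly: in the first case the only place clear card data ever exists is the provider’s decryption environment, which is why the merchant’s systems can be treated as out of scope for that data; in the second case the POS application recovers the full number, so a compromise of the merchant’s POS yields clear cardholder data regardless of the encryption in transit.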
One of the reasons smaller merchants often go this route is
because non-validated solutions offer the most flexibility in choice of credit
card hardware and payment applications. They can also be less expensive than
PCI P2PE solutions. But more often than not, a merchant is simply unaware that
their payments solution uses a non-validated encryption solution in the first
place. Mag stripe readers, ROAM readers, Square dongles, keyboard emulators,
and non-EMV enabled readers are all examples of non-validated solutions.
PCI Point-to-Point Encryption (PCI P2PE)
A PCI P2PE solution is PCI certified and offers the most
benefits for most SMBs. With PCI P2PE, the service provider bears the
responsibility for adhering to a full range of PCI mandates including secure
hardware and application management; encryption schemas; the decryption
environment; and encryption key management including the key injection
facility.
Although the merchant still has to adhere to a required set
of PCI mandates, their scope of compliance is much smaller with a PCI P2PE
solution. Merchants using a PCI P2PE solution qualify for a simpler PCI DSS
Self-Assessment Questionnaire (SAQ) that is significantly shorter, and they
benefit from the confidence that the solution they are using is PCI compliant.
While PCI P2PE provides merchants with risk reduction, PCI
scope reduction, and even a shortened SAQ, it is also more restrictive than
other solutions. Merchants must use the device, payment application, P2PE
schema, and key injection facilities that were certified. Otherwise, they won’t
get the benefit of the SAQ P2PE.
In addition, they must accept Merchant P2PE Implementation
Responsibilities in order to be eligible for the SAQ P2PE. This includes
implementing device management policies, ensuring the devices are not tampered
with and are kept secure when not in use.
Due to the complexities and restrictions with PCI P2PE and
the associated certifications, there are only a handful of P2PE solution
providers. The list of providers is expected to expand, however, as the
standard is rewritten in order to gain more adoption among solution providers.
Questions to ask
When evaluating your options for payment solutions that use
encryption, here are a few questions to ask yourself:
Do you have the time and resources to maintain a P2PE
compliant environment? If you are not regularly completing security check-ups
and task checklists, PCI P2PE may not be the right way to go.
Are you able to get the hardware you want and work with your
preferred processor? Not all devices are certified to meet P2PE standards, but
more options are becoming available.
What is your budget? Cost can be a consideration, since a
PCI P2PE device is generally more expensive than a non-validated device. But
these costs can be offset by the benefits of reduction in compliance scope and
risk.
Although it is impossible to remove all risk from any
payment processing environment, implementing secure processing technologies
like PCI P2PE offers greater protection and ease of meeting compliance
mandates. To learn more, check out these steps to more secure payment
solutions.