Layered Security: The Ultimate Defense Against Data Breaches
Author: Daniel Montellano, SVP of Strategic Business Development, Shift4 Payments
If data breach stats from 2017 are any indication, merchants are still the biggest target that hackers are aiming at. Fortunately, merchants who employ three important technologies can dramatically reduce the damage caused by a data breach.
How Bad Were Breaches in 2017?
Let’s start out with some numbers from last year. According to a 2017 Data Breach Report from the Identity Theft Resource Center (ITRC), merchants in retail, hospitality, and several other major industries (the “Business” category in the chart below) accounted for 55% of the year’s recorded breaches. All in all, there was a total of 870 data breaches reported from this category of merchants in 2017. Despite having slightly more than half of the total breaches, the “Business” category included 91% of all total records stolen, including credit and debit card numbers, passwords, social security numbers, etc.
Seeing these alarming stats and trends, merchants obviously need to do more to keep their customers’ payment information out of the reach of hackers. Accomplishing this involves going beyond the minimum requirements for Payment Card Industry (PCI) compliance and can’t be guaranteed by simply adding EMV chip cards into the mix.
Never Take Payment Security for Granted
Unlike the products you see on late-night infomercials, your payment security is anything but a “set it and forget it” matter. It needs to be implemented properly and maintained frequently to stay ahead of cybercriminals. The fact is merchants need to layer multiple security tools and technologies to ensure that the sensitive cardholder data (CHD) that passes through their system is protected throughout the entire transaction process: when it’s transmitted, processed, and stored.
Three existing technologies – EMV, point-to-point encryption (P2PE), and tokenization – make up what we call the payment security trifecta. Not only do they help merchants protect all the various points CHD enters into their environment, but they also make sure that the data that is stored has no value to hackers. Let’s take a deeper look at each of the components of this trifecta.
Card Authentication: EMV
The U.S. EMV liability shift began in October 2015 for most merchants. Supporters of the EMV migration – namely the card-issuing banks that are poised to save the most money due to the realigning of fraud liability – have claimed that it would protect merchants and consumers from falling victim to data breaches. Given the stats from 2017, this is obviously false. While EMV chip cards are more advanced than magnetic stripe cards, they aren’t a cure-all for payment data security, and they won’t protect merchants or consumers against breaches.
At the end of the day, EMV is a card authentication method – not a true security solution. However, it still plays a critical role in the payment security trifecta. That’s because it helps to prevent merchants from processing card-present payments with counterfeit, lost, or stolen credit and debit cards. When an EMV chip card is used at a card-present point-of-sale (POS) terminal, the microchip generates a dynamic code that authenticates the card and, if the consumer’s card was issued with a PIN, the cardholder as well.
While EMV is a step up from the magnetic stripe, it still only protects against a single avenue of crime: card-present counterfeit fraud. EMV has led to a reduction in this specific type of fraud, but it has only driven hackers and fraudsters to other areas, leading to a dramatic increase in card-not-present fraud. This is because EMV doesn’t protect against fraud in any card-not-present environments, such as e-commerce, the case of keyed-in payment information, or subsequent card usage like incremental authorizations in hotels or subscription billing at a gym. Another surprising result of EMV in the U.S. has been the sudden increase in chargeback fraud (aka “friendly fraud”), which occurs when consumers take advantage of merchants who aren’t EMV-capable by reporting fake chargebacks that the merchant is unable to dispute.
Secure Storage: Tokenization
There are risks inherent in the long-term storage of CHD, yet business needs – such as returns, recurring charges, etc. – often require this data to be stored. Payment data tokenization resolves these vulnerability issues, assuring protection for subsequent and incremental payment card usage in card-present environments, e-commerce, online reservations, and recurring billing scenarios. When implemented correctly, tokenization replaces payment card data with a random, unique, alphanumeric value – a token – that has no mathematical or one-to-one relationship to an actual card number. That way, if tokens were to ever get into the wrong hands, there would be no way for hackers to use them.
A well-designed tokenization solution enables merchants to safely access their customers’ transaction data for future use, including returns, card-on-file, and chargeback defense without the risk of actually storing that sensitive information.
Immediate Encryption: P2PE
Hackers are persistent in identifying and exploiting weaknesses in a merchant’s payment system. P2PE encrypts CHD from the moment a card is dipped, swiped, tapped, or keyed at a payment terminal, meaning the card data never actually enters the point-of-sale system. The role that P2PE plays in the trifecta is to remove the CHD from the merchant’s payment processing environment entirely, leaving nothing behind that is of any use to hackers and rendering fruitless the criminals’ attempts at stealing CHD from the point of interaction.
In card-present environments, including traditional and mobile points of sale, P2PE protects the merchant’s communication channels where tokenization cannot: between the payment device and the processing network. P2PE adds an additional layer of security and protects consumers’ payment information – and the merchant’s payment processing environment – from a variety of attacks, including malware infections in the POS terminal or system. Also, the scope of the merchant’s Payment Card Industry Data Security Standard (PCI DSS) assessments will be dramatically reduced because their payment systems won’t ever handle sensitive CHD.
“But it Wouldn’t Happen to Me, Right?”
Today’s merchants live in a world where data breaches are a real threat and increasingly common. From high-profile retailers and hotel chains to small businesses – no one is immune. Unfortunately, the honest question is not if a merchant will be breached, but when. However, there is one crucial detail to remember: a breach doesn’t always mean that any valuable information has to have been stolen.
In the event of a data breach, having a layered security strategy in place – with EMV, tokenization, and P2PE all working together – can make all the difference between a costly, damaging, public nightmare and simply a “close call.”