Protecting Your Business Beyond EMV, Chip and Pin
By Chester Ritchie, SVP, Worldpay US
The payments industry has been abuzz with news surrounding the EMV liability shift that occurred on Oct. 1, 2015. While preparing to transition to EMV-compatible technology should remain a top priority for merchants, the often neglected, broader approach to payments security is something businesses of all sizes should be discussing as well.
In addition to EMV, cloud-based security solutions help businesses guarantee that all bases are covered by adding an extra layer of protection for cardholders. Most of these solutions ensure that the cardholder’s information never touches the merchant’s servers, placing the responsibility of data security on the payments processor rather than the merchant. Combined with EMV, these features will help protect your business from fraud.
Tokenization
Tokenization is the process of converting cardholder data into a unique string of digits, or a token, that can only be used for the transaction at hand. To help visualize this process, think of your 16-digit credit card number being tokenized into a list of 16 random letters. If a hacker were to intercept this token, it would be useless because it only holds value to the payment processor that houses the card number. By masking the actual credit card number with a token, merchants and payment processors minimize account visibility and reduce the risk of breaches occurring.
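The token lifecycle described above, as an added example that is not from the article or from Worldpay: a minimal in-memory stand-in for a processor-side vault that issues a random token and honors it only once, for the transaction it was issued for. The class and method names and the merchant and transaction IDs are hypothetical, and the card number is a constructed test value.

```python
import secrets
import string


class ProcessorVault:
    """Stand-in for the payment processor's token vault (hypothetical API)."""

    def __init__(self):
        # token -> (pan, merchant_id, txn_id); this mapping never leaves the processor
        self._tokens = {}

    def tokenize(self, pan, merchant_id, txn_id):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        # Random letters, one per PAN digit, as in the article's illustration.
        # The token comes from a CSPRNG and is not derived from the PAN,
        # so there is nothing in it to reverse or decrypt.
        while True:
            token = "".join(secrets.choice(string.ascii_uppercase) for _ in pan)
            if token not in self._tokens:
                break
        self._tokens[token] = (pan, merchant_id, txn_id)
        return token

    def redeem(self, token, merchant_id, txn_id):
        """Return the PAN only for the transaction the token was issued for, once."""
        entry = self._tokens.get(token)
        if entry is None or entry[1:] != (merchant_id, txn_id):
            return None  # unknown token, or presented in the wrong context
        del self._tokens[token]  # single use: a replay finds nothing
        return entry[0]


def demo():
    vault = ProcessorVault()
    pan = "4111111111111111"  # constructed test value, not a real card
    token = vault.tokenize(pan, "merchant-001", "txn-1001")
    return {
        "token": token,  # the only value the merchant ever stores
        "stolen_elsewhere": vault.redeem(token, "merchant-999", "txn-1001"),
        "legit": vault.redeem(token, "merchant-001", "txn-1001"),
        "replayed": vault.redeem(token, "merchant-001", "txn-1001"),
    }


if __name__ == "__main__":
    print(demo())
```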
End-to-end encryption
End-to-end encryption, often utilized in tandem with tokenization, secures cardholder data throughout the entire transaction. E2EE captures data at the earliest possible point in your POS system and uses an algorithm to create an encrypted version of the data that is immediately transmitted to the payments processor. After decrypting and authorizing the data, the processor re-encrypts the data and transmits it back to the POS to complete the transaction. By bypassing the merchant’s servers completely, E2EE guarantees zero exposure of plain text information, which protects both customers and retailers from attacks.
Vaulting
Vaulting mechanisms are used to establish recurring electronic payments, usually on a retailer’s website. With a vault in place, customers enter their credit card information when completing their initial transaction and select the “remember me” option to store the information for future transactions. Vaulting shifts the responsibility of securing data from the retailer to the payment processor, making the business more secure and providing a seamless checkout for consumers. Vaulting is an essential feature to have in place for online transactions because businesses cannot authenticate EMV cardholder information in person.
PCI compliance
Any organization processing, storing and transmitting credit card information is required to follow security standards set by the payment card industry to protect cardholder data. These standards minimize liability by establishing industry-wide requirements that are enforced on four levels, based on the transaction volume processed by each merchant. Therefore, depending on its size and the volume of transactions, a retailer may be subject to a level of PCI compliance beyond the minimum standard.
As the new global standard for payments security, EMV will affect consumers across all industries. Although EMV will ensure more efficient payment authorization, it cannot protect the full spectrum of your business’ operations. By incorporating cloud-based solutions into your security strategy, you can relieve the burden of securing and storing customer data yourself.
About the Author
Chester Ritchie is SVP of Worldpay US, a leading global payments technology and services company that offers services across the entire payments value chain and in any environment: in-store, online and via mobile devices. To learn more about Worldpay and how to prepare for EMV and beyond, visit www.worldpay.com/us/emv.