Is it wise to focus IT and security efforts and resources on EMV and P2PE?
Payment companies face numerous challenges in risk management and compliance-related concerns. In some cases, the liability for losses stemming from fraudulent transactions is shifting due to new technologies and security measures, such as EMV technology and point-to-point encryption (P2PE).
The choice of whether to implement these technologies and security measures presents a dilemma of “pay me now or pay me later” in order to both maintain compliance and achieve a sustainable return on investment. The pressure of the liability shift from card brands to organizations that accept credit card payments has issuers and merchants alike considering changes to their consumer-facing products. At the same time, the liability shift is requiring processors, hardware manufacturers, and software developers to work diligently to be able to provide and support the services and solutions needed to implement and maintain these channels of card acceptance.
In a world where past significant breaches resulted in huge losses of data that had been gathered from point-of-sale (POS) terminals or solutions, it does make sense to require the industry to focus on securing card information at the physical point of initiation (POI). However, there are larger control issues in question when an attacker is able to gain access to card data obtained at the POS.
These types of POS breaches stem instead from missing security controls or inadequately managed systems that are ineffectively implemented, maintained, and monitored. Whether the control is the lack of appropriate vendor restrictions and monitoring, lack of appropriate segmentation of systems on the network, or inappropriate access controls allowing escalation of privileges, each control points to one common weakness: the thief is able to get to the data that is supposed to be “buried” on a network.
I recently attended the Money 20/20 conference, where 100 percent of the focus was on payments and the future of the industry. The buzz around many of the breakfast and lunch tables was on EMV and P2PE. Conference participants were asking questions such as, “Is the U.S. really gaining anything by implementing technology that has been in place in Europe for a decade?” and “Is P2PE really going to pay off when the majority of our transactions are online?” and “Why didn’t we move to chip and PIN instead of chip and signature?” These are all valid questions. So let’s take a closer look.
EMV was originally an abbreviation for “Europay, MasterCard, and Visa,” the three companies that developed the chip card technology in 1993. The technology enables what are commonly referred to as “chip and PIN” or “chip and signature” transactions. EMV is:
- A microprocessor that’s embedded in the payment card and used to authenticate a transaction when the microprocessor is inserted into an EMV terminal
- A technology that more securely holds the equivalent of magnetic stripe track data
- A technology that is harder for thieves to re-create or replicate than a magnetic stripe is
EMV is not:
- A silver bullet to satisfy any payment card industry (PCI) requirements; nor does it reduce PCI scope
- A deterrent for thieves who want to grab cardholder data that is being passed in the clear or stored in the memory of POS terminals
- An answer to the problems of securing e-commerce and other card-not-present transactions
P2PE stands for “point-to-point encryption.” It’s sometimes referred to as “end-to-end encryption” or “E2EE.” P2PE is:
- A third-party solution that encrypts cardholder data from the POI card swipe or dip to the third party’s secure decryption environment
- A way to create a secure communication link for card-present transactions to limit exposure of sensitive information transmitted on the merchant’s network
- A solution that, if implemented correctly, can reduce the scope of a PCI compliance assessment
P2PE is not:
- A requirement to be PCI compliant, but is typically used in conjunction with tokenization to do away with storage of actual primary account numbers (PANs) and other cardholder data
- A cheap solution
- An answer to the problems of securing e-commerce and other card-not-present transactions
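As an added illustration (not from the original article or any P2PE vendor), the following Python sketch models the three parties the list above describes: a POI device that encrypts the PAN at swipe or dip, a merchant network that only forwards the envelope and keeps the returned token, and a third-party decryption environment that holds the key and the token vault. It also includes the Luhn-based scan a defender would run over merchant logs or application notes fields (the exposure the closing paragraphs mention) to confirm no cleartext PANs are being retained. The HMAC-based stream cipher, the key derivation, the device key and the test PAN are stand-ins constructed for this example; a real P2PE solution relies on its PTS-approved device's cipher and key management.

```python
import hashlib
import hmac
import re
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a live account

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF-based stream cipher: a stand-in for the PTS device's production cipher (assumption).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _subkeys(device_key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the key injected into the POI device.
    return (hmac.new(device_key, b"enc", hashlib.sha256).digest(),
            hmac.new(device_key, b"mac", hashlib.sha256).digest())

def poi_encrypt(device_key: bytes, pan: str) -> dict:
    """Runs inside the POI device at swipe/dip; the merchant network only ever sees this envelope."""
    enc_key, mac_key = _subkeys(device_key)
    nonce, data = secrets.token_bytes(12), pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

class DecryptionEnvironment:
    """Third party's decryption environment: holds the key and token vault, outside merchant scope."""
    def __init__(self, device_key: bytes):
        self.enc_key, self.mac_key = _subkeys(device_key)
        self.vault = {}  # token -> PAN; never leaves this environment

    def decrypt_and_tokenize(self, env: dict) -> str:
        expected = hmac.new(self.mac_key, env["nonce"] + env["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env["tag"]):
            raise ValueError("envelope tampered or wrong key")
        ks = _keystream(self.enc_key, env["nonce"], len(env["ct"]))
        pan = bytes(a ^ b for a, b in zip(env["ct"], ks)).decode()
        token = "tok_" + secrets.token_hex(8)  # random token: no way back to the PAN without the vault
        self.vault[token] = pan
        return token

def luhn_ok(digits: str) -> bool:
    s = [int(d) for d in reversed(digits)]
    return (sum(s[::2]) + sum(n - 9 if n > 9 else n for n in (2 * x for x in s[1::2]))) % 10 == 0

def find_pans(text: str) -> list:
    """Defender check: Luhn-valid 13-19 digit runs in logs, notes fields or memory dumps mean cleartext PANs."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]

def merchant_transaction(device_key: bytes, env: DecryptionEnvironment, pan: str) -> tuple:
    """Merchant-side flow: forward the envelope, store only the token. Returns (token, merchant log line)."""
    envelope = poi_encrypt(device_key, pan)
    token = env.decrypt_and_tokenize(envelope)
    log = f"POI->processor nonce={envelope['nonce'].hex()} ct={envelope['ct'].hex()} token={token}"
    return token, log
```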
Although the answer to PCI compliance, reduced liability, and fraud costs is not likely to be EMV and P2PE, these technologies are steps in the right direction, especially when both are implemented. Because the card brands chose to put in place deadlines for the liability shift (with those for unattended terminals yet to come), U.S. payments organizations have started to put plans in place to move to EMV slowly. However, without a deadline for the removal of magnetic stripes from issued cards and a requirement for a PIN with a chip transaction instead of just a signature, the U.S. payments industry still will be behind the eight ball for a long while.
P2PE will help merchants who struggle with segmentation and PCI requirements to move more quickly to an environment that is more secure for card-present transactions. It also will reduce the number of merchants who are storing cardholder data with no real business need. And P2PE will provide more time to focus on managing vendors and helping to ensure that employees are educated on the business processes that are appropriate for handling cardholder data (for example, not placing PANs in notes fields of applications not intended to protect the data and appropriately managing paper with card numbers on it).
However, an important question about EMV and P2PE implementations remains: Will EMV and P2PE implementations divert the focus of IT and security resources from common attack vectors to the network, thus leaving card acceptance channels (such as e-commerce) increasingly vulnerable?