Best Practices in Securing the Point of Sale
In the wake of several high-profile data breaches, major merchants are re-focusing on how to secure their point of sale systems. There are many tools in the data security toolkit, but two of the core solutions gaining prominence are point-to-point encryption (P2PE) and tokenization, which in combination protect data-in-flight and data-at-rest, respectively.
P2PE encrypts cardholder data at the point of entry, which prevents cleartext data from reaching the cash register or back office systems. Implemented properly, P2PE not only reduces the chance of a data breach but it also significantly reduces a merchant’s PCI compliance burden (from 288 requirements to only 18).
Encrypting payment card data may seem old hat but Target and other recent breaches show that the details matter. In these cases the card data was captured by the terminal, stored unencrypted in short-term RAM memory, and then encrypted by software before being transmitted out of the terminal. Hackers remotely installed “RAM scraping” malware that was able to copy the cleartext card data in that moment before it was encrypted. P2PE uses hardware encryption to secure information at the card reader interface before any data is stored or transmitted, even within the POS terminal.
Though the PCI Council laid out specifications for P2PE about two years ago, it remains a somewhat uncommon offering on the market. There are only a handful of PCI-certified P2PE solutions, including Bluefin and FreedomPay in the USA as well as The Logic Group and EPS and Handpoint in Europe. Ingenico and VeriFone also offer a solution for their terminals. A number of additional “P2PE style” solutions exist with similar functionality but because they lack PCI certification, the impact on PCI compliance requirements is unclear.
Tokenization is a complementary tool to P2PE. Tokenization replaces the payment account number with a reference number to protect data-at-rest. The best solutions create form-preserving tokens that look like PANs to avoid undermining any business logic in merchant systems.
In the merchant acquiring context, tokenization means the acquirer (or a gateway) stores the payment account number in their validated PCI DSS compliant system and provides a reference number back to the merchant. When used in combination with P2PE, a merchant’s system remains out of scope for PCI but use cases such as split settlement, express checkout, and automated returns are still possible. Most U.S. acquirers and gateways are providing this type of tokenization today. Tokenization tends to create stickier merchant relationships because converting tokens can be a switching barrier, though some players like Braintree promise data portability rights, which we expect to become a norm over time.
A similar but early stage solution is tokenization provided by the card network, where the permanent payment account number is replaced with a temporary or limited-use token that can actually be used to process a payment. This type of functionality underpins Apple Pay today and could be used to secure a merchant’s cards on file in the future but, for now, acquirer tokenization is the tool merchants are using to descope their systems and limit data security risks. That said, over time, we do see potential competition between acquirer and network tokenization, which acquirers should consider in their product strategies.
As data security continues to be a concern for merchants, solutions such as encryption and tokenization will move from nice-to-have ancillary services to must-have core products. Acquirers should be focused on adding these solutions to their product set in 2015, either through internal development or partnership with some of the existing solutions in the market today. Those that do will be able to realize new revenue streams, lower merchant attrition, and a more secure merchant base.
For more information, please contact Ben Brown, Senior Consultant, specializing in Credit Card Issuing and Payments Innovation, firstname.lastname@example.org.
To read the rest of this article, please subscribe to