A Deeper Look At Payments’ Threefold Defense

We’re now nearly midway through 2015, and payment security remains a topic that stirs up great concern and confusion across North America. And while there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. In a new report, Creditcall digs deeper into the pros and cons of P2PE, tokenization and EMV, how each will play a part in the next generation of securing payments, and how – without properly working together – they might just fall short.



P2PE

The world teems with tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines. That’s where P2PE comes in, says Creditcall. It secures devices, apps and processes by encrypting data, from the earliest point of the transaction, with cryptographic keys known only to the payment company or gateway.

A challenge users have run into with P2PE is the management and sharing of those cryptographic keys. How does a key get into a card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared securely with device manufacturers, and the output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data.
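A simplified sketch of the per-transaction key idea described above, added here as an example and not taken from Creditcall's report or from the ANSI X9.24 DUKPT specification: it swaps in an HMAC-SHA256 hash chain and a toy XOR keystream for the real DUKPT derivation and cipher. The names `Reader` and `gateway_decrypt`, the base key and the device ID are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes) -> bytes:
    """Keyed one-way function used for every derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Key injected into one reader; the base key stays with the gateway."""
    return prf(bdk, b"initial|" + device_id)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC keystream XOR), a stand-in for the real block cipher."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += prf(key, b"stream|" + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Reader:
    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id, self.state, self.counter = device_id, injected_key, 0

    def swipe(self, pan: bytes):
        self.counter += 1
        txn_key = prf(self.state, b"txn")      # used once, for this swipe only
        self.state = prf(self.state, b"next")  # ratchet forward, old state is gone
        return self.device_id, self.counter, xor_stream(txn_key, pan)

def gateway_decrypt(bdk: bytes, device_id: bytes, counter: int, ciphertext: bytes) -> bytes:
    """Re-derive the transaction key from the base key, device ID and counter."""
    state = initial_key(bdk, device_id)
    for _ in range(counter - 1):
        state = prf(state, b"next")
    return xor_stream(prf(state, b"txn"), ciphertext)

def demo():
    bdk = bytes(range(32))                     # constructed base key
    reader = Reader(b"READER-0001", initial_key(bdk, b"READER-0001"))
    pan = b"4111111111111111"                  # constructed test card number
    first, second = reader.swipe(pan), reader.swipe(pan)
    return first, second, gateway_decrypt(bdk, *first), gateway_decrypt(bdk, *second)
```

Because the reader overwrites its state after each swipe, memory scraped from it later does not yield the keys of earlier transactions, while the gateway can still decrypt any swipe from the base key and the counter sent alongside the ciphertext.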

P2PE benefits not only the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created by cardholder data that is not encrypted.

What’s The Downside?

P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, a Hardware Security Module (HSM), can cost $30-40,000 – but when it’s built out, that total cost can jump to $100,000.

“You’re looking at months, if not years, of work in creating the proper environment for a P2PE solution,” says Creditcall. But ISVs can partner with companies that host this infrastructure, and take on the maintenance of it.


EMV

A powerful guard against credit card skimming, EMV also uses cryptography to create dynamic data for every transaction – and relies on an integrated chip embedded into the card.

What’s The Downside?

For ISVs in North America, says Creditcall, the biggest downside of EMV is the complexity of creating an EMV solution.

ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work. And because there are a large number of pending certifications, processors will be backed up over the next few years.


“It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available,” says Creditcall. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.


TOKENIZATION

The best way to protect cardholder data when it’s stored is to use tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value – a token.

For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

What’s The Downside?

Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer “optimal security.”


To get the full details on the pros and cons of each method in the “Holy Trinity of Payments Security” and how ISVs can overcome the uphill battle of leveraging all three, download the whitepaper.