The Straight Scoop on EMV, Tokenization and P2PE

Data security breaches have had heads spinning throughout the payments ecosystem as merchants sort through a variety of options designed to keep cardholder data safe. While it is now clear that there is no “silver bullet” to be found, there is merit in having a layered approach to security and fraud that includes point-to-point encryption (P2PE). Bluefin’s CEO John Perry and Chief Innovation Officer Ruston Miles sat down with MPD CEO Karen Webster to chat about the broad topic of payments security, the ROI of P2PE solutions and why payments security needs to come in layers.

“The truth is that breaches will continue to occur, as there are smart, resourceful people out there who are committed to fraud,” said John Perry, CEO of Bluefin Payment Systems.

And with that, the discussion on all things security, fraud and keeping cardholder data secure began.

Perry, his Chief Innovation Officer, Ruston Miles and Karen Webster got into an in-depth discussion about that topic that had participants listening intently until things wrapped up 45 minutes later.  Here are a few of the highlights.

The Breach News Will Not Go Away

The conversation about data security has only intensified since the famous data breaches at retailers like Target, Neiman Marcus, and more. They might have been the most visible but they surely weren’t the only ones. Statistics show that in the first quarter of 2014, there were nearly 200 million records stolen, which equates to 93 records every hour between January and March. Perry said that only one percent of these breach merchants were secure, meaning they had “strong encryption, key management, or authentication solutions being used to protect the data.”

The Cost is more than Just the Breach Itself

According to the 2013 Data Breach Study by Ponemon Institute and Symantec, the dollar amount per record lost is about $188. Thus, for a small, single-location merchant processing 6,000 unique transactions a year, the data breach risk is $1,128,000. For a mid-size, 5-location merchant processing 120,000 unique transactions a year, the cost escalates to $22,560,000 – literally enough to bankrupt a business.

But that’s just the “hard costs,” there’s a greater cost to be factored in as the consumers’ trust in the brand diminishes, as well as their trust in Visa and MasterCard.

PCI Validated P2PE Protects POS

If merchants miss a step in keeping their POS systems protected, “their entire organization is at risk and the investment they’ve put into security is moot,” said Ruston Miles, Chief Innovation Officer at Bluefin. P2PE encrypts the data before it even gets to the merchants’ POS, and if the merchant or service provider doesn’t have the means to decrypt it, that merchant may not meet PCI standards.

P2PE actually encrypts the data at the cardholder swipe. The P2P process creates million of keys so that each piece of data has a unique key – which is important since there are millions of keys, meaning that it is infinitely harder for it to be compromised. Only then is the information sent on to the POS and then through the network. The P2PE solutions provider then decrypts the data through a hardware system, and then sends it on to the card processor who tokenizes the data and sends that token back for the merchant to later use.

The general stance on this sort of P2PE solution among the payment networks is that it is valid for reducing the PCI scope. The standard set will not be reduced, and “no one wants to go through the effort to meet it,” said Miles.

This was an area of opportunity that Bluefin set out to explore – alleviating the burden, so that retailers could secure cardholder data and remain PCI compliant. Bluefin is currently working with more than 50 large enterprises in North America to provide its point-to-point encryption (P2PE) solution, which was recently validated by the PCI Council in March. Miles commented that as merchants have become more compelled by acquirers to be PCI compliant, they are looking at this solution more seriously.

P2PE May 13 2014There is No “Silver Bullet” in Payment Security

Payment security is a holistic approach. Security solutions like EMV, tokenization, and P2PE can work together – in fact, it really takes all three to protect a merchant, said Miles.

While EMV may be “the future,” there are things that can be done with P2PE today that cannot be done with EMV. Using just EMV, card numbers and personal data can still be leaked.

“You can’t just say ‘We’re just going to protect the card and leave the POS wide open,’ you need to protect both,” said Miles. And then there’s tokenization, which allows merchants to store tokens for each transaction, and use that token instead of the original card data.

“It really takes all three. Tokenization protects the storage of cards, EMV fixes the card using a programmable chip, and P2PE protects the transmission and acceptance of cards,” he said.

PCI-validated P2PE: What is the ROI?

Going back to that mid-sized, 5-location merchant whose data breach risk of cost was more than $22.5 million in a year, Bluefin projects that the total cost to its P2PE for that same retailer would be $12,473 in the first year while at the same time reducing PCI scope and assessment from 288 questions to 18 questions. This reduction is the result of eliminating the need for an audit of a merchant’s registers, software and middleware, since cardholder data is encrypted using P2PE.

To listen to the full broadcast, click here.