In November 2013 newspapers reported that Target stores had been attacked by hackers who had stolen payment data including names, addresses, and phone numbers from around 40 million credit and debit cards, leaving the retailer’s customers open to fraud and identity theft. This was followed in 2014 by Staples’ announcement that 1.16 million cards had been compromised in a data breach, and shortly after that, by Home Depot’s announcement that a staggering 56 million consumers had been exposed by hackers accessing their systems.
These high-profile events raised public awareness about the dangers of data breaches, but only pointed to the scale of the problem. The truth is that enormous retailers are just the tip of the iceberg: hackers are targeting any enterprise that accepts payments. In the first quarter of 2015, more than 208 breaches were reported, a rate of more than two per day, with small and medium-sized enterprises the targets more often than not.
Clearly the consequences for consumers can be catastrophic. For the compromised businesses, however, the consequences can be a death sentence. Operationally, reacting to limit the extent of a breach, making good on the liability to compromised customers (in Target’s case, they are looking at a $10 million settlement in a class action lawsuit alone), and taking action to publicly demonstrate the steps that have been taken to ensure that such a catastrophe can never happen again, can cost millions and detract from day-to-day operations for months. More than this, however, are the consequences for a company’s brand, reputation, and valuation. Inevitably, heads have rolled, with C-suite firings and other consequences for leaders of the affected companies.
The result is that data security—particularly for consumer payment data—is now a priority for business, government, and consumer groups. New laws and standards have been passed and more are expected. Significantly, the payments card industry has begun to get its house in order, with new voluntary standards, new levels of cooperation, and the fielding of new technologies. A body called the Payment Card Industry Security Standards Council (PCI SSC) is responsible for setting and promulgating data security standards. One change that everyone will notice this year is that the U.S. is joining the rest of the developed world by replacing magnetic stripe cards with microchipped “EMV” cards. Chances are high that you have already received a new credit or debit card containing an EMV chip on the front of the card. Financial institutions are encouraging retailers to adopt EMV by stipulating that they will not honor guaranteed payment for counterfeit card fraud if the recipient of a payment does not have an EMV-enabled point-of-sale system. Different card networks have set different dates for this “liability shift,” with October 2015 being the time merchants and banks are expected to have complied (of course many of them will not meet this deadline, but that is another story).
The challenge here is that EMV does not protect consumer data from hackers intent on stealing it from retailers. EMV is principally intended as a counterfeit card protection. It is, however, being implemented as part of a broader strategy that includes Tokenization technology—this switches consumer data for worthless “tokens” when stored in a merchant’s system—so hackers cannot access anything of value.
But even Tokenization does not completely protect point-of-sale systems. This is particularly concerning when one considers that up to 90 percent of the data breaches in the first quarter of 2015 were a result of point-of-sale malware—as were the breaches at Target and Home Depot. In June of this year, the restaurant/grocery store Eataly NYC was compromised by POS malware. Shortly afterwards the FBI warned of a new form of POS malware called “Punkey,” which can infect any Windows-based POS system and act as a “memory scraper,” identifying and capturing consumer data for subsequent exploitation.
Though there is no doubt that EMV cards and Tokenization both have a role to play in securing consumer data, it is clear that the “Killer App” for data security must be the technology that can protect the point of sale—so-called P2PE, or point-to-point encryption.
P2PE protects data moving through the point-of-sale, encrypting it from the moment the card is swiped or dipped until the transaction is complete. In short, P2PE devalues consumer card data through encryption, making it unreadable to Point-of-Sale (POS) Malware.
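As an added illustration (not code from the original article or from Bluefin), a small Python model of the two layers described above: a legacy POS that handles the plaintext PAN, a P2PE reader that encrypts before the POS application ever sees it, and a processor that decrypts and returns a token for the merchant to store instead of the card number. The same DLP-style buffer scan shows what a memory scraper in the POS process would find in each case; the key, the vault dictionary and the HMAC-based keystream cipher are illustrative assumptions standing in for the AES/DUKPT encryption a real P2PE terminal uses.

```python
import base64
import hashlib
import hmac
import re
import secrets
SAMPLE_PAN = "4111111111111111"  # constructed: the standard Visa test PAN, not a real card
def luhn_ok(digits: str) -> bool:
    """Luhn check, to separate real-looking PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_for_pans(buf: bytes) -> list[str]:
    """DLP-style scan of a process buffer: every Luhn-valid 13-19 digit run
    here is what a memory scraper running in that process would harvest."""
    hits = re.findall(rb"(?<!\d)\d{13,19}(?!\d)", buf)
    return [h.decode() for h in hits if luhn_ok(h.decode())]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stand-in for the reader's AES/DUKPT hardware encryption:
    an HMAC-SHA256 counter keystream XORed over the data (symmetric)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def terminal_encrypt(key: bytes, pan: str) -> bytes:
    """P2PE: encrypt at the read head, before the POS application sees the PAN."""
    nonce = secrets.token_bytes(12)
    return nonce + _keystream_xor(key, nonce, pan.encode())

def legacy_pos_buffer(pan: str) -> bytes:
    """Pre-P2PE: the POS application itself holds the plaintext PAN."""
    return b"PAN=" + pan.encode() + b";AMT=001999"

def p2pe_pos_buffer(key: bytes, pan: str) -> bytes:
    """P2PE: the POS only ever holds ciphertext it has no key to decrypt."""
    return b"ENC=" + base64.b64encode(terminal_encrypt(key, pan)) + b";AMT=001999"

def processor_tokenize(key: bytes, vault: dict, blob: bytes) -> str:
    """Tokenization: only the processor holds the key; it decrypts, parks the
    PAN in its vault and returns a random token, which is all the merchant stores."""
    pan = _keystream_xor(key, blob[:12], blob[12:]).decode()
    token = "tok_" + secrets.token_hex(8)
    vault[token] = pan
    return token
```

Running the scan over `legacy_pos_buffer` returns the PAN, while the same scan over `p2pe_pos_buffer` and over a merchant record holding only the token returns nothing, which is the "devalued data" the article describes.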
In August, the Payment Card Industry Security Standards Council updated its standard for P2PE to make it more merchant-friendly in order to encourage adoption and to protect more consumers. The new standard, PCI P2PE Version 2.0, allows merchants to build and manage their own P2PE Solution that protects their retail and call center locations. A “merchant managed P2PE Solution” can be either homegrown or comprised of components from PCI-validated and listed vendors.
Though P2PE holds, perhaps, the key to protecting consumer payment data, all three technologies—EMV, Tokenization, and P2PE—are essential aspects of what the payment card industry calls the “secure-all-channels” strategy, a holistic approach to manage security and mitigate risk.
In conclusion, any business that accepts consumer payments (including retail, restaurants, healthcare, sports, financial services, and others) should understand the layers of protection required for consumer payment data, so that they can negotiate sensibly and proactively with their payment service provider to protect their consumers and their operations. The consequences of getting it wrong—as we have seen—can be catastrophic. As hackers become more sophisticated, and more and more businesses protect themselves properly, the ones that have yet to secure their systems will become the criminals’ prey.
Ruston Miles is the Chief Innovation Officer at Bluefin Payment Systems where he specializes in developing secure payment gateway technologies. As Chief Innovation Officer, Ruston serves as a payment technology evangelist, speaking all over North America on payment trends and technologies, educating the business world about the highest levels of payment security.
Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council.