While PCI compliance is vital for beating card payment fraud, end-to-end encryption is the real answer, according to VeriFone marketing director Tony Saunders

The theft of credit and debit card payment data is a lucrative business – and it’s booming worldwide. A data breach puts a retailer’s revenue and brand reputation at risk. In the USA, payment data breaches have resulted in fines and payouts in the millions, not to mention high-profile and embarrassing lawsuits.

While the latest Payment Card Industry Data Security Standard (PCI DSS) guidelines go a long way toward ensuring payment security, cardholder data can still appear “in the clear” during a transaction. If a fraudster is sophisticated enough to take advantage of this exposure, then a breach can still occur. Many organised criminal gangs now use specially written, customised malware to infiltrate the transaction process, and often the retailer will not even be aware that a breach has taken place.

To minimise the risk of attack, a merchant must close entry points across the entire transaction chain. End-to-end encryption, starting from the point of PIN entry, renders intercepted cardholder data useless to would-be thieves.

The transaction process is complex, often involving a variety of devices, channels, systems and protocols. For end-to-end encryption to succeed, a host of technical challenges must be overcome without reworking the entire POS and back-office infrastructure. The answer is securing the card data at the true point of entry and closing the security loop with real-time monitoring and definitive mitigation.

To effectively secure cardholder information from lapses in PCI DSS compliance, all primary account number (PAN) and magnetic-stripe track data must be encrypted at the PIN entry device (PED), from the instant the card is inserted into the payment terminal until the transaction is received by the processing host. Obviously, it is also in the retailer’s best interest to achieve this without incurring additional processing overhead, network impact, or POS and application software changes.

It is important that all data encryption takes place within the tamper-resistant security module of a PCI PED-approved payment device, before the data reaches any payment application. Encryption that takes place at the application level is too late and presents an opportunity for card data interception.

For example, in VeriFone’s VeriShield Protect solution (see graphic above), exclusive end-to-end, format-preserving encryption effectively shields the retailer from the details of the consumer’s card account data, so the retailer is never in possession of the data.

Format-preserving encryption eliminates the need to decrypt the data as it flows through a retailer’s systems, or to redesign the POS applications to deal with a new format.
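The following is an added illustration of the format-preserving idea, not VeriFone’s VeriShield Protect algorithm or any NIST-approved FPE mode: it encrypts the middle digits of a PAN with a small alternating Feistel network (HMAC-SHA256 as the round function), keeps the BIN and last four digits in the clear as an assumed policy, and shows that a retailer-side field check written for plain PANs still accepts the protected value while only the key holder can recover it. The key, PAN and `legacy_pos_accepts` check are all constructed for the example.

```python
import hashlib
import hmac

ROUNDS = 10  # Feistel rounds (FF1 also uses 10); this construction is illustrative only


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Pseudo-random round function, reduced to a `width`-digit integer."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_digits(key: bytes, digits: str, tweak: bytes, decrypt: bool = False) -> str:
    """Map a decimal string to another decimal string of the same length (and back)."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2          # left/right half widths (unbalanced if n is odd)
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(ROUNDS):
            m = u if i % 2 == 0 else v  # width of the half being replaced this round
            c = (int(a) + _round_value(key, tweak, i, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
    else:
        for i in reversed(range(ROUNDS)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _round_value(key, tweak, i, a, m)) % (10 ** m)
            a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """PED side: BIN (first 6) and last 4 stay clear (assumed policy); the rest is encrypted.
    Note: the Luhn check digit is not preserved by this construction."""
    head, mid, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_digits(key, mid, tweak=(head + tail).encode()) + tail


def recover_pan(key: bytes, protected: str) -> str:
    """Processing-host side: the only party that holds the key."""
    head, mid, tail = protected[:6], protected[6:-4], protected[-4:]
    return head + fpe_digits(key, mid, tweak=(head + tail).encode(), decrypt=True) + tail


def legacy_pos_accepts(value: str) -> bool:
    """Stand-in for an unchanged retailer-side field check: digits only, PAN length."""
    return value.isdigit() and 13 <= len(value) <= 19


if __name__ == "__main__":
    key = b"\x2a" * 32               # constructed demo key; a real PED key is injected securely
    pan = "4111111111111111"         # constructed test PAN, not a real card
    protected = protect_pan(key, pan)
    print(pan, "->", protected, "| legacy check:", legacy_pos_accepts(protected))
    print("host recovers original:", recover_pan(key, protected) == pan)
```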

Many industry experts are certain that end-to-end encryption is the next step in the battle against transaction fraud in the UK.

The ultimate goal is that retailers, acquirers, and processors have assurance that all data is secure from the moment a card is read.