Security, especially for bankcard processing, is a high concern for every retailer – whether they know it or not. For technology companies it is a constant battle to stay one step ahead of the hackers and thieves. One of the largest security holes has been the interception of network traffic using tools like packet sniffers, a common hacking tool that watches for credit card information crossing a network in order to steal card numbers; 16-digit numbers with expiration dates are easily recognizable. The networks in question include the external networks (DMZs – Demilitarized Zones or public connections) and vulnerable internal networks that remain the responsibility of retailers – both big box retailers like T.J. Maxx and our favorite independent retailers (see the video), who have far fewer resources available to protect their assets from such security breaches and from complex industry and government regulations.
So why should a retailer care?
If you haven’t already, you need to take the time to watch this video.
The antidote to having credit card data extracted from the communications and credit authorization channel by methods like packet sniffing is a high level of encryption of the data being sent, based upon complex algorithms that only the sender and receiver could possibly interpret. The strongest encryption should keep the data out of reach of even the smartest hacker with the fastest computer in the world. Well, that is the hope; the hackers hope they can crack the code more quickly than the honest folks of the world can foil them. Unfortunately it is a never-ending cycle that requires the attention (and expense) of retailers as well as their bankcard service providers.
While we are confident in our software’s current PA-DSS certified protection level within a secure network, our company has proactively (two years before the PCI certification expires) taken the next step to protect our retailers with the release of the next generation of bankcard processing that takes advantage of Point to Point Encryption technology.
The newest credit card processing devices use a new technology called Point to Point Encryption (P2P Encryption or P2PE), or sometimes End to End Encryption (E2E Encryption or E2EE). The key improvement is that the cardholder information is immediately encrypted by the PIN Pad or card reading device and is only decrypted by the bankcard processor. Cardholder information is never available in the software at any point between the swipe (or manual entry) and the bankcard processor – not even in an integrated point of sale software solution. The point of sale software only receives a token for that transaction that can’t be tied back to the customer’s credit card information.
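The flow described above, and the sniffer's "16-digit number" test from the opening paragraph, as an added illustration that is not the vendor's or any processor's code: the reader encrypts at capture, the point of sale forwards only an opaque blob, and the processor alone decrypts and hands back a random token. The HMAC-based cipher is a hypothetical stand-in for the device's real scheme, and the shared key and card number are constructed sample values.

```python
import base64, hashlib, hmac, json, re, secrets

# Constructed sample: a well-known test PAN, not a real account.
SAMPLE_PAN, SAMPLE_EXPIRY = "4111111111111111", "1225"

def luhn_ok(digits):
    """Mod-10 check that separates real-looking PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """What a sniffer looks for, and what a defender's scan should never find."""
    return [m for m in re.findall(r"(?<!\d)\d{16}(?!\d)", text) if luhn_ok(m)]

def _keystream(key, nonce, n):
    """Toy PRF-counter keystream (hypothetical stand-in for the device cipher)."""
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def device_encrypt(key, pan, expiry):
    """PIN pad / reader side: encrypt at capture, before anything reaches the PC."""
    pt = f"{pan}|{expiry}".encode()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def processor_tokenize(key, blob, vault):
    """Processor side: the only place the blob is decrypted; returns a token."""
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob was altered in transit")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
    pan, expiry = pt.split("|")
    token = secrets.token_hex(8)      # random; cannot be tied back to the PAN
    vault[token] = (pan, expiry)      # mapping lives only at the processor
    return token

def run_sale(key, pan, expiry, vault):
    """POS side: forwards an opaque blob and keeps only the returned token."""
    blob = device_encrypt(key, pan, expiry)
    pos_message = json.dumps({"amount": "19.99", "card_blob": blob})
    return pos_message, processor_tokenize(key, blob, vault)
```

Running `find_pans` over the message the point of sale handles is the same check a sniffer performs; with the data encrypted at the reader it finds nothing, while the tokenized vault entry still lets the processor complete the sale.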
But that might still not be enough!
If a simple Magnetic Stripe Reader is used for P2P processing, manual card entry must still be done through the keyboard, which means the PC is still exposed to threats like key logging as the card number is being entered. That in turn means the network still needs to be secured to be PCI-DSS Compliant.
A more secure solution is to use a PIN Pad, so that manual entry occurs within the secure device that is encrypting the information and the card data is never passed through the computer or even entered on its keyboard. This potentially removes the entire network from the scope of the PCI-DSS: the PIN Pad and the bankcard processor (the two “Points” in P2PE) communicate directly, and all traffic between them is encrypted. In my opinion, the price of a PIN Pad is a small price to pay for this added security.
Still not enough?
But none of this relieves the retailer of the need to remain diligent and remain PCI-DSS Compliant: if a company takes credit cards it needs to be PCI-DSS Compliant, as the regulations go beyond just how cards are processed. A good example of how even the most secure environment can be compromised is skimming from within the store – where someone has planted their own card reader or even adapted the compliant card reader. Skimming, by the way, is one of the things I worry about the most with mobile credit card processing – just how much do I trust the young geek in a blue shirt to whom I just handed my credit card at the Apple store?
Every factor that is removed from the trust channel equates to lower risk, lower cost and higher consumer confidence. Removing credit card information completely from the computer network can significantly enhance a retailer’s security at a much lower cost and with less complicated security requirements.
For a great recap of the different processing options of P2PE, visit Tech News World’s great post.
What does this mean to Merchant Plus! clients?
Our new P2P Encryption technology offers a direct cost savings as well as an indirect security and loss prevention benefit to our clients. The current PCI Data Security Standards require all retailers to meet a complex set of security standards (the Payment Card Industry Data Security Standards), but these rules are ever evolving. For example, all the credit card capture devices our clients currently own (from keyboard Magnetic Stripe Readers or MSRs to the Ingenico enTouch 1000 and i6550) are becoming obsolete. (The Ingenico enTouch 1000 is no longer certified and the Ingenico i6550 certification expires on 4/30/2014.) We will continue to support the current products, but the bankcard processors may not. The replacement solutions incorporate the latest Point to Point Encryption technology – ahead of time!
For any retailer to be PCI-DSS Compliant they must ensure that everything from their internal security procedures to their systems, networks, hardware, software and all devices involved in or connected to credit card information is secure and properly protected. Yes, it means the retailer is responsible not only for their own policies, practices and procedures, but also for the proper implementation and support of every piece of technology involved in processing payments. Point to Point Encryption represents an important step in protecting retailers by minimizing the points of contact that represent liability exposure. The more touches that can be removed, the more secure a retailer is.
Thomas Smith says
Bankcard security is a must, and regularly check your account and the data details of your card.