Thousands of rank-and-file merchants are gaining access to validated point-to-point encryption (P2PE) for protection from malware within payment terminals, an attack vector that other popular security technologies might miss.
Pushed aside earlier by higher-priority merchant payment technology concerns including the U.S. EMV migration and skyrocketing online fraud, P2PE is now taking a bigger role in merchants' risk-management strategies as many payment gateways adopt it, according to Bluefin, a key third-party provider of the technology sanctioned by the Payment Card Industry Security Standards Council.
P2PE was highlighted way back in 2009 as a possible answer to the massive data breach at Heartland Payment Systems (now a unit of Global Payments), an incident attributed to malware that went undetected despite the processor's belief that it was compliant with the Payment Card Industry data security standards. Other security methods such as biometrics and EMV have since taken the spotlight, but those systems still have narrow use cases and would not have protected against a malware attack.
And as merchants complete their EMV migrations, they are taking a step back to assess which parts of their operations remain vulnerable.
Bluefin Payment Systems now has 51 P2PE partners, up from just three in 2016, marking a dramatic increase in adoption since the Atlanta-based firm first made its solution available in 2014.
“There’s still some EMV work left to do, but for the most part the chip-card migration has run its course and now merchants are looking to their payment gateways to get protection from malware by way of P2PE integration,” said Ruston Miles, Bluefin’s co-founder and chief innovation officer.
Major payment gateways and processors using Bluefin’s services are CyberSource, BluePay, IBM Payments Gateway and USAePay, and in turn these providers are making P2PE technology available to hundreds of thousands of merchants using their services, Miles said.
Currently there are about 45 different P2PE suppliers, and Bluefin claims 54% of the available market of payment processors and gateways, Miles said.
“It’s been a slow roll to get partners on board since the beginning, but now we’re really beginning to pick up momentum, as more merchants ask for malware protection at the core level of transactions,” he said.
Merchants already have spent tens of millions of dollars working to adopt EMV to help block counterfeit card fraud, as well as adding layered security tools to block e-commerce losses from rising levels of online fraud exacerbated by major data breaches like the one at Equifax.
But 90% of all the point-of-sale breaches involving card data are due to malware, which P2PE can protect against, Miles said.
“Malware covers a lot of things, ranging from RAM-scrapers to ransomware and viruses, but essentially it’s malicious software that gets into the stream at the terminal level and listens to payment data,” he said.
P2PE helps by encrypting payment card information at the point of sale, preventing clear-text cardholder data from being present in a merchant’s system so thieves and hackers can't intercept it or use malware to trigger data breaches.
Sold by third parties whose products are validated under guidelines covered by the Payment Card Industry data security standard, P2PE is designed to complement EMV and tokenization. Adopting P2PE also significantly reduces merchants’ PCI assessment requirements, which is a key selling point for merchants looking to simplify compliance.
Based on present momentum, Bluefin expects to have close to 100 P2PE partners a year from now, which will go a long way toward making the technology ubiquitous and will be a major step forward in conquering malware attacks at the point of sale, according to Miles.