P2PE’s role with merchants shifts after EMV
Point-to-point encryption (P2PE) advanced with the Payment Card Industry data security standard's updated guidelines in 2015, but the technology has not held the spotlight much since then.
Attention quickly moved to the EMV liability shift deadline in October 2015, and PCI-validated P2PE never achieved the momentum some had predicted. However, it still plays a key role that experts say may be misunderstood.
The problem is that merchants are exhausted by the various security pressures they face, and many opted to choose one technology at the expense of the other, which some observers say is a mistake.
“Fraud—from the angle of individual card fraud cases—seems to get all the love from merchants these days because it carries a sense of immediacy and urgency, and that’s causing them to overlook the big picture of security," said Ruston Miles, co-founder and chief innovation officer at Bluefin Payments Systems, a longtime supplier of P2PE.
Advances in tools to fight card fraud in stores and online that leverage artificial intelligence and machine learning have begun to grab attention, which Miles said could divert merchants away from protecting data at a core level at a time when merchants face a rise in malware attacks.
“Merchants are putting too much faith in EMV and card controls, without realizing that minus P2PE, they may be increasing their overall risks from data that crooks may intercept and compromise in myriad ways,” Miles said.
Merchants can’t be blamed for putting a higher priority on EMV, though, experts say.
EMV was designed to attack counterfeit card fraud, but is also reduces the urgency to protect that data with encryption.
“While it is true that EMV data is transmitted in the clear, the use of the dynamic cryptogram means that even if the data is compromised it cannot be replayed, which has diminished the case for P2PE at the POS,” said Al Pascual, a senior analyst at Javelin Strategy & Research.
For merchants with EMV in place, fraud liability for many point of sale transactions now shifts to the issuer, which is not the case for e-commerce transactions where fraud levels continue to rise, Pascual noted.
“Merchants now are logically spending more time, energy and resources figuring out how to prevent online fraud from getting any worse,” Pascual said.
But what merchants may be overlooking is the fact that chip-enabled transactions are still only about half of all U.S. transactions, said Randy Vanderhoof, executive director of the Secure Technology Alliance, a nonprofit cross-industry security organization.
EMV, the need to battle rising online fraud, and P2PE are all competing for the same limited merchant time and resources, he said.
“It shouldn’t be a choice for merchants doing one versus another, but they should have a migration plan that encompasses all three. All merchants must have EMV and most already are working on managing online card fraud, but if there’s no EMV in place, merchants must consider investing in P2PE now,” Vanderhoof said.
Bluefin notes that it is hard to convince merchants to look beyond protecting the point of sale.
“Merchants are focused on attacking fraudulent transactions one by one, but the majority of breaches are actually originating at brick and mortar merchant locations, and these could be prevented for everyone’s benefit if P2PE were deployed,” Miles said.
Because P2PE typically is sold to merchants as a separate service via processors, many smaller and midsize merchants tend to see data encryption less as a direct solution, Miles noted.
As merchants proceed with the rollout of EMV and gradually get a better handle on controlling online fraud, P2PE may take on a different role, Miles speculated. “Merchants may eventually come back to realize its role as an overall payment card security approach,” he said.