Point-to-point encryption may pick up EMV's slack
As payment providers wrap up EMV migrations, their focus has shifted to another security measure—point-to-point encryption (P2PE)—that could be even more crucial to securing payment data.
P2PE is the process of encrypting payment card data inside the point of sale terminal until it is decrypted by the processor. In this way, merchants are never in control of unencrypted data, meaning that if fraudsters hack into their terminals, the data is useless to them.
The reason this matters is EMV is strictly an anti-counterfeiting measure; it leaves several elements of the payment process untouched, and fraudsters are exploiting these gaps.
“EMV stole the show, but has nothing to do with protecting the card data as it moves through the payments system,” said Ruston Miles, founder and chief innovation officer at Bluefin. “Merchants have spent a lot of time migrating to EMV and now they’re going back and focusing on P2PE to eliminate the breach epidemic.”
Data breaches are an increasingly significant problem for the payments industry. The number of data breaches in the US has steadily risen since 2011, except in 2015 when the US suffered two fewer data breaches than it did the following year, according to data from Statista.
“The truth is, there were many more breaches in 2016 than in pre-EMV 2015,” said Guido Schulz, chief commercial officer at Bluefin.
Bluefin has seen growth in attracting payment gateways and processors into its partner network, which provides an API for integrating PCI-compliant P2PE. Twenty-three of the major gateways and processors, representing between 70% and 80% of payments processing activity, are connected to Bluefin’s P2PE network, according to Miles.
While EMV is an important part of a comprehensively protected payment ecosystem, Schulz said, P2PE is needed to protect point of sale terminals, many of which have not implemented encryption mechanisms.
So why were retailers not implementing P2PE while they were also upgrading to EMV?
“It’s a resource question,” said Schulz. “Retailers can’t think about all these things at once and because EMV was so publicized and was more tangible, directly touching the consumer,” EMV took priority.
But that momentum has shifted.
Bluefin’s PCI stamp of approval, according to Miles, is extremely important for this security solution.
PCI validation has opened up opportunities for merchants to sell more product. Some higher education institutions that work with Spectra Ticketing can now sell tickets to sports games and performance events outside the confines of their box office.
“They weren’t allowed to before, because over WiFi you don’t know what sniffers are out there, so the IT staff wouldn’t allow handling of credit cards that way,” Marty Avalos, product manager at Spectra said. “A few clients have said they now have the freedom to set up wireless booths.”
Spectra, which handles the ticketing for college athletics, performing arts and professional sports, uses Bluefin’s P2PE mechanism through its payment gateway CyberSource.
Plus it reduces merchants' PCI compliance scope, qualifying them for the P2PE short questionnaire during their yearly audits. “The short questionnaire has 29 questions compared to the long questionnaire which has 333 requirements,” Miles said.
According to the PCI Council’s website, only 28 providers are PCI-validated P2PE providers.
A lot of retailers and providers, according to Bluefin’s executives, are really interested in making their compliance burdens lighter.
While that might not seem like the biggest hazard when the other dangers include reputational risk and significant fines for data breaches, Shirley Inscoe, a senior analyst covering fraud at Aite Group, said this focus makes sense.
“We all think [a data breach] is not going to happen to us, but retailers know that PCI assessment is going to happen,” said Inscoe. “Sure, data breach risks are far greater, but we’re all human and think those things aren't going to happen to us.”