Many people in the payments industry believe stolen payment card data will diminish in its black market value as EMV approaches ubiquity across U.S. retailers. That's not the case.
It is important to remember that here in the U.S., EMV is designed purely to authenticate the payment card itself – not the card user – as a PIN is not required for processing. In addition, immediately after authentication, card data is often transmitted unprotected throughout the related payment processing networks.
Therefore, EMV does nothing to address the broader challenges of credit card fraud and related data security in the payments space, and criminals will continue to buy and sell card data on the black market.
Instead of focusing on EMV, solutions that are data-centric in architecture, such as point-to-point encryption (P2PE) and tokenization, can protect card data. These systems preserve the format of the data so that it can reside in a protected state within systems and be communicated between parties safely.
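As an added illustration of the format-preserving property described above (example code written for this page, not HPE's product): a vault-style tokenizer that keeps the BIN and last four digits, fills the middle with random digits, and keeps the token Luhn-valid so downstream systems that validate card numbers keep working. The vault key and the test card number are constructed values.

```python
import hashlib
import hmac
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed demo vault mapping PANs to format-preserving tokens.
    A production vault keeps PANs encrypted under an HSM-managed key; that
    storage layer is out of scope here and PANs are held only in memory."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key         # HMAC key for the PAN -> token index
        self._token_to_pan = {}
        self._index_to_token = {}

    def _index(self, pan: str) -> str:
        # Index by HMAC of the PAN so the lookup table never holds plaintext PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:     # same card always yields the same token
            return self._index_to_token[idx]
        head, tail = pan[:6], pan[-4:]      # BIN and last four survive for routing/receipts
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 11))
            for fix in "0123456789":        # one middle digit is chosen to make the token Luhn-valid
                token = head + middle + fix + tail
                if luhn_valid(token) and token != pan and token not in self._token_to_pan:
                    self._token_to_pan[token] = pan
                    self._index_to_token[idx] = token
                    return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; callers elsewhere never see the PAN."""
        return self._token_to_pan[token]
```

The same shape applies to P2PE at the terminal: the PAN is replaced before it reaches the merchant's systems, and only the party holding the key (or the vault) can recover it.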
Given the threat, more businesses will want to know how the P2PE Validation Standard affects them.
The PCI Security Standards Council (PCI SSC) recommends P2PE as a best practice to protect PCI data as it travels through the authorization process. In June 2015, the PCI SSC published its second version of the P2PE Validation Standard. Any business using a P2PE solution that has been successfully validated against this standard may consider all of its payment systems ‘out-of-scope’ for PCI Data Security Standard (DSS) compliance. This can represent significant time and cost savings – sometimes as high as 90 percent – for payment-accepting businesses working to achieve/maintain PCI DSS compliance.
It is anticipated that the businesses most interested in having solutions validated against this standard are those that offer merchant services to retailers, such as payment processors/acquirers and gateways. These businesses need a simple way to demonstrate that their P2PE solution(s) adhere to the PCI P2PE standard, which makes it easier to sell their services to retailers.
Retailers can be confident that choosing a validated P2PE solution will remove sensitive PCI data from their payment acceptance environments, and help simplify the compliance process.
Stolen card data is not the only security threat facing payment companies. Mobile payments are all the rage, with early adopters like Starbucks attributing significant revenue gains to their mobile investment.
While the overall adoption and usage rates of mobile payments are minuscule compared to standard card rates, mobile payments are expected to triple in the U.S. in 2016. As such, expect cyber criminals to follow the money, treating mobile payment systems as a new attack vector to exploit.
As businesses consider adding mobile payments to their architecture, they must do so in conjunction with a thorough security evaluation. They should be fully aware of the increased frequency of attacks their systems will be under, and have a strategy in place to mitigate these risks.
There is no doubt that payments technology brings new revenue opportunities for organizations, but it is important to keep in mind the potential impact of a data breach. In 2015, the annual cost of cybercrime per organization in the U.S. averaged $15 million. Organizations must also worry about brand reputation and maintaining customer trust, which can both suffer from a cyber attack. Looking ahead to 2016, it is imperative that organizations make security a priority, focusing on P2PE and tokenization solutions that protect sensitive data.
George Rice is director of payments for HPE Security at Hewlett Packard Enterprise.