Guest Column | April 13, 2016

Methods To Secure Payments In Terminals And Mobile


By Jose Diaz, director, payment strategy, Thales e-Security

Many called 2014 the Year of the Breach, but 2015 and 2016 have taken a run at that title with multiple multi-million-record breaches of their own. How can huge data breaches still be happening? Solutions that provide increased protection for cardholder data while maintaining the highest levels of performance — up to millions of transactions per day — were defined and developed after the highly publicized breaches in 2009. The Payment Card Industry (PCI) released solution requirements for point-to-point encryption to assist merchants in protecting cardholder data and reducing the scope of their environment for PCI DSS assessments. However, these approaches still seem to be a concept rather than common practice.

Reducing risk is essential to avoiding data breaches that expose cardholder information. The best way to do this is to encrypt sensitive data at the point of swipe (or dip, in the case of EMV cards) in the payment device and only decrypt it at the processor. Direct attacks on devices in the payment acceptance process have become increasingly common and highly sophisticated, but strongly encrypted cardholder data is useless to cyber criminals. To understand the approaches and the benefits of implementing sensitive data protection, let’s focus on two key areas: traditional payment acceptance terminals and mobile.

POS, POI And P2PE

Performance is important in this fast-paced world, and electronic POS solution providers need to maximize security for payment card transactions without slowing transaction times. Their solutions need to encrypt cardholder data from the precise moment of acceptance on through to the point of processing, where transactions can be decrypted and sent to the payment networks. By deploying point-to-point encryption (P2PE), intermediate systems that sit between the POI (point of interaction — the point of swipe) device and the point of decryption at the processor are removed from the scope of most PCI DSS compliance requirements, since the sensitive data passing through them is encrypted.
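To make the scoping argument concrete, here is an added Go model of that flow (it is not code from the column or from Thales): the POI encrypts track data under its own injected key the moment it is read, every intermediate system only forwards an opaque envelope, and the processor is the single place the key exists. The envelope format, device IDs, keys and track data are constructed assumptions; the AES-256-GCM choice and the counter-based nonce stand in for whatever key management a real P2PE solution specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
)
type Envelope struct { // assumed wire format, not a real P2PE scheme; only the processor can open it
	DeviceID   string `json:"device_id"`
	TxnCounter uint32 `json:"txn_counter"`
	Ciphertext []byte `json:"ciphertext"` // AES-256-GCM ciphertext followed by the 16-byte tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor builds the 96-bit nonce as 8 zero bytes plus the big-endian device counter; safe only because each device has its own key.
func nonceFor(c uint32) []byte { return append(make([]byte, 8), byte(c>>24), byte(c>>16), byte(c>>8), byte(c)) }

// POIEncrypt runs in the terminal at the moment of acceptance; the device ID is bound as associated data.
func POIEncrypt(deviceID string, key []byte, counter uint32, track string) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonceFor(counter), []byte(track), []byte(deviceID))
	return json.Marshal(Envelope{DeviceID: deviceID, TxnCounter: counter, Ciphertext: ct})
}

// ProcessorDecrypt is the single point of decryption; keys maps each device ID to its injected key.
func ProcessorDecrypt(keys map[string][]byte, wire []byte) (string, error) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return "", err
	}
	g, err := newGCM(keys[env.DeviceID]) // unknown device: nil key, so NewCipher fails
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, nonceFor(env.TxnCounter), env.Ciphertext, []byte(env.DeviceID))
	if err != nil {
		return "", err // tampered envelope, replayed under another device ID, or wrong key
	}
	return string(pt), nil
}
```

Anything that handles only the bytes POIEncrypt returns never holds a key, which is the property that lets those systems drop out of scope; re-attributing an envelope to another device or presenting an unknown device ID is rejected at the processor.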