Widely touted as a potent data-masking tool, encryption has been slow to take hold in the payments industry, despite a continuing plague of data breaches. Here’s what’s going on to change that.
Kmart, Arby’s, Saks Fifth Avenue, Hyatt Hotels. Those are just some of the merchants that reported data breaches in 2017. To be sure, 19% of U.S. merchants reported a hack last year, down from 22% a year earlier, according to Thales e-Security’s 2017 Data Threat report. But being breached remains a catastrophic event.
Not only does a breach put millions of consumers at risk for fraud and identity theft, it is a public embarrassment for the breached company. Executives in the c-suite are certain to face questions from the media, the public, and investors about what steps they took to secure their customers’ data.
If a merchant can’t say it did everything possible to protect its database, the lapse can cause long-term damage to the company’s brand.
The fallout can be so far-reaching that some merchants will try to keep the lid on a breach. That’s what Uber did last year by paying hackers a $100,000 ransom to delete stolen data—so the hackers said—rather than report the breach.
Arguably, one of the most effective ways to minimize the risk of a data breach is to encrypt all data moving over a network or stored, also known as data in motion and data at rest, respectively. At minimum, encryption, a process that translates data into a code that can only be read by someone with a decryption key, renders the stolen data useless if a breach occurs, unless the hacker can break the algorithm used to encrypt the data.
Since most hackers are looking for the path of least resistance, they are more likely to target merchants and other entities within the payment industry that don’t encrypt cardholder data, data-security experts say.
False Sense of Security
Just one problem. As effective as encryption is, it is not that widely used by merchants and other companies that store or deal in payments data or other personally identifiable information.
Even companies that manage massive storehouses of sensitive consumer data neglect to encrypt it. The huge credit-reporting concern Equifax Inc. shocked the nation last summer when, after hackers accessed 145.5 million records in its system, the company admitted it hadn’t encrypted its data.
Why this neglect? After all, security experts have pushed encryption at least since the first major breaches were reported a dozen years ago.
The reasons are varied and complex. For merchants dealing with payment-related data, they include lack of education about the value of encrypting data and a need to make choices about how best to apply limited information-technology resources.
There’s also a false sense of security among merchants that compliance with the PCI Security Standards Council’s main set of rules, the Payment Card Industry data-security standard, or PCI DSS, coupled with implementation of EMV-enabled terminals, is enough to protect card data.
“The misconceptions around encrypting card data and lack of inquisitiveness by the merchant community [are] slowing adoption,” says Scott Dowty, chief revenue officer for Scottsdale, Ariz.-based payments technology provider Apriva LLC. “It’s going to take merchants a long time to understand the importance of securing sensitive data.”
Although the merchant community has made strides securing data at rest through the use of tokenization, a process that replaces card data with a randomly generated sequence of numbers and characters, it remains highly vulnerable to hackers targeting merchants’ connections to processors. The reason? Data in motion is rarely encrypted.
A common misconception among merchants, according to security experts, is that as long as they are compliant with the PCI DSS, information leaving the point of sale and traveling to a processor for authorization is secure. The PCI DSS was created in 2004 to increase controls around cardholder data to reduce credit card fraud.
While the PCI DSS applies to all entities that store, process, or transmit cardholder data, it does not require data being transmitted over a private network, such as a connection between a merchant and a processor, to be encrypted. The standard’s only encryption requirement concerns data sent over a public network.
In addition, it is not uncommon for merchants to believe that once they are validated as PCI-compliant, they remain so. The reality is that PCI compliance is an ongoing process. A merchant can fall out of compliance at any time after being deemed compliant.
“Merchants have to be constantly performing PCI compliance, it’s not just a one-time certification,” says Edward “EJ” Jackson, head of security and fraud solutions for First Data Corp. “Becoming PCI compliant is a greater motivation for merchants than encrypting data that leaves their walls.”
Another major misperception among merchants is that EMV chip cards will secure cardholder data. The reality is that EMV was created to prevent fraud at the point of sale by authenticating the card to the POS terminal and vice versa.
As a result, any data passing from the EMV chip through a POS terminal and out over a network connection to a processor or gateway is vulnerable to hackers.
“The intent of EMV was not to solve data breaches, but to prevent fraud,” says Wally Mlynarski, chief product officer for Atlanta-based processor Elavon.
Point to Point
To address the problem of securing data transmitted from a POS terminal beyond a merchant’s walls, processors, acquirers, and payment gateways have begun touting point-to-point encryption, a process that encrypts data as it enters a card terminal and keeps the data encrypted until it reaches a secure endpoint where it can be safely decrypted.
Besides providing strong data protection, what makes point-to-point encryption appealing to merchants is that it significantly streamlines compliance with the PCI DSS. The PCI Security Standards Council says its P2PE self-assessment questionnaire (SAQ) includes only 26 questions, compared to more than 100 questions for its standard SAQ.
Some merchants can see an even larger reduction of self-assessment questions. Two Men And A Truck, a Lansing, Mich.-based moving company, has reduced the number of SAQ questions to about 20 for its franchisees, compared to more than 300, with the implementation of a point-to-point encryption solution from Bluefin, an Atlanta-based provider of payment security solutions, says Jake Gaitan, the company’s IT director.
“We want to make sure that our franchisees can protect customer data, but we also wanted to find a way to alleviate the cumbersome PCI-compliance process for them while still protecting customer data,” Gaitlan says. “We don’t want to be in the news for a data breach.”
Two Men And A Truck began rolling out the Bluefin solution more than a year ago and now has more than 100 of its more than 400 franchisees up and running on it. In addition to providing strong data security starting at the point of sale, Bluefin’s solution also enables Two Men And A Truck franchisees to securely accept card payments using mobile devices. Before, franchisees had to call in card numbers over the phone.
“Not having to pay the card-not-present rate is a savings for our franchisees,” Gaitlan says.
Only PCI-certified P2PE solutions can be validated as meeting the security requirements of the PCI P2PE standard and listed on the PCI Council’s Web site. Since some merchants are installing non-PCI certified P2PE solutions, the PCI Council issued guidelines in November 2016 to assist security assessors in evaluating non-PCI certified P2PE solutions against the PCI P2PE standard, and their impact on merchants’ PCI DSS compliance.
The PCI Council says there is no guarantee that implementation of a non-PCI certified P2PE solution will streamline PCI compliance.
As of December, there were 45 PCI-certified P2PE solutions in the market, according to the PCI Security Standards Council’s Web site. Certified solution providers include terminal makers VeriFone Systems Inc. and Ingenico, FIS Payment Solutions, PayPal Holdings Inc. and Bluefin, which expected to have signed 60 processors and gateways to use its solution by the end of 2017.
Bluefin’s platform encrypts all card data within a PCI-approved point-of-entry device and decrypts it offsite in a Bluefin hardware security module. After decrypting the data, Bluefin sends it to the processor or gateway for authorization.
The company began rolling out its P2PE solution in 2014, eight months after it received PCI certification. “Because we manage the encryption keys for merchants (including device key injection and decryption), this gives merchants the flexibility to go with any processor or gateway,” says Ruston Miles, chief strategy officer for Bluefin, in an email message.
‘A Complicated Matter’
One of the reasons for the dearth of certified P2PE solutions providers is that certification is a lengthy process that can take three to six months, and in some cases longer. “Certification is very complicated,” says Apriva’s Dowty.
One of the most time-consuming hurdles to certification, data-security experts say, is the extensive testing a P2E solution must undergo. “Certification is less about the encryption technology and more about how the solution is managed and deployed,” says Bryan Thompson, chief technology officer for Beyond Inc., a Princeton, N.J.-based independent sales organization.
Having been an executive with Heartland Payment Systems when the acquirer suffered a data breach in 2008, Thompson is a strong proponent of P2PE because it addresses the need for encryption when the transaction is initiated, which provides more control over the data assets on the front end.
After Heartland’s data breach, the company’s chief executive at the time, Robert Carr, pushed for implementation of end-to-end encryption (E2EE). Similar to point-to-point encryption in that data is encrypted at the point where a transaction is initiated, end-to-end encryption varies from P2PE in that the data remains encrypted all the way through the last mile to the card networks.
A P2PE solution, on the other hand, encrypts data before it reaches the merchant’s gateway provider or processor, which then flows the data, encrypted or decrypted, through a secured pipeline to the networks. In other words, the back-end pipes carrying the data are secured, but the data itself is not necessarily encrypted.
“The reason Heartland could implement end-to-end encryption is that it owned the technology deployed from the merchant to the card brand,” says Thompson. “With point-to-point encryption, the data is encrypted from the merchant up through the front door, which is the processor or gateway.”
While P2PE does not encrypt data from the start to the finish of a transaction, Thompson is quick to point out that once a gateway or processor decrypts the data, it resides in a secure environment before moving further downstream in the payments ecosystem.
“It’s hard to replicate what Heartland did with end-to-end encryption because of the need for an entity to control all the technology assets from front- to back-end,” Thompson says. “The further data travels away from the merchant before being decrypted the less vulnerable it is. Encryption should carry throughout the entire payments ecosystem, but it’s a complicated matter.”
Nevertheless, P2PE is still a potent tool for merchants to thwart hackers, Thompson says. Beyond, which is headed by Carr, plans to have its P2PE solution PCI-certified.
Indeed, the PCI Council states in its blog that merchants are only responsible for protecting card data in their own environment, not that of the payment gateway or processor.
“With that, it follows that there’s no additional scope reduction benefit from implementing an E2EE solution over a P2PE solution, and any data loss following transmission to a gateway/processor would be the legal responsibility of that gateway/processor, not the merchant,” the blog says.
‘Tug of War’
Despite the benefits of P2PE, its implementation still poses challenges for merchants, as many of the solutions are specific to the type of POS device deployed.
Some processors, such as First Data Corp., developed P2PE solutions for their own branded terminals first, and are working next to develop solutions for other makers’ models. First Data has rolled out a P2PE application for its Clover line of terminals, of which about 700,000 have been deployed.
One drawback to developing device-specific solutions, payments experts say, is that each solution must undergo certification. That, and the time it takes for the device to receive a PCI certification, are among the factors that have slowed merchant adoption of P2PE, payments experts agree.
The good news for merchants is that, unless they are using exceptionally old devices—which is unlikely, as the EMV mandate has forced upgrades across the entire spectrum of merchants—legacy equipment can be reused. Merchants simply need to inject the encryption keys for a P2PE solution into the device’s software, says Thompson.
While PCI-certified P2PE solutions are considered by some merchants to be the gold standard, some payments solution providers are forging ahead with making P2PE a standard feature of their payment applications. Some of these providers are awaiting PCI certification.
Elavon, for example, has begun rolling P2PE into all its merchant solutions. “We are shifting all our products to where P2PE will be included,” Mlynarski says.
Elavon is in the final stages of having its P2PE solution PCI-certified. The company already has a component of the solution PCI P2PE-validated.
North American Bancard is another solutions provider rolling out a P2PE solution. The Troy, Mich.-based payments-solutions provider is concentrating its initial P2PE efforts on the medical-merchant community.
“The need to encrypt customer payment data is further ahead in the medical category than it is in retail because of HIPAA,” says Jim Parkinson, chief information officer for North American Bancard. HIPAA is a government mandate regulating health-care information.
One potential drawback to using a non-PCI-certified P2PE solution is that, if a data breach occurs, it could open the merchant to criticism that it did not do everything possible to protect its data.
“How the technology is sold is a big component of any new security technology,” says Dowty. “There are players in the market also selling end-to-end encryption solutions and non-PCI-certified point-to-point encryption solutions, and that’s creating a tug of war over what’s the best option.
“For merchants, the value proposition of any non-PCI-certified encryption solution is going to be whether it is the best solution available,” Dowty continues. “But there is a lot of value to merchants in a PCI certification.”
‘A Game of Leapfrog’
The last speed bump to merchant adoption is an age-old complaint of merchants, that the card companies’ penchant for rolling out new mandates requiring the upgrading of terminals, such as EMV, is siphoning off valuable IT resources that could be redirected to implementing P2PE.
“There is definitely a frustration among our members that EMV compliance is pulling more resources that could be used for more effective data security,” says a spokesperson for the Washington, D.C.-based National Retail Federation. “Data security is a game of leapfrog. Build a 10-foot wall and the hackers will come back with a 12-foot ladder. EMV still sends card data in the clear.”
Although Beyond’s Carr agrees that EMV has sucked up a lot of merchants’ IT resources, he adds that EMV implementation represents an opportunity for merchants to strengthen their data security by adding P2PE and tokenization for data at rest.
But if data security truly is a game of leapfrog, it raises the question whether the slow rate of P2PE adoption is giving criminals time to develop new ways to reverse-engineer the coding that scrambles the data so they can get at the actual card information.
“There is no question that P2PE needs to evolve,” says Dowty. “But for that to happen everyone (merchants, processors, acquirers and gateway) needs to get on the same page.”
For all the optimism about how P2PE will close a gaping hole in merchants’ data-security defenses, the greatest challenge to adoption remains the lack of merchant awareness.
“We don’t get a lot of merchants asking about P2PE,” concedes Parkinson. “Education about the value proposition for P2PE is going to be the key.”
Without that education, many of the misconceptions that are confusing merchants about encryption will persist.
Benefits of P2PE
Makes account data unreadable by unauthorized parties
Devalues account data because it can’t be abused—even if stolen
Simplifies compliance with PCI DSS
The P2PE Self-Assessment Questionnaire includes only 26 PCI DSS requirements
Offers a powerful, flexible solution
Source: PCI Security Standards Council
A Random Approach to Data Security
Encryption may provide a strong defense, but it’s only as good as the math behind it. A criminal with better math skills, or a more sophisticated decryption application, can crack the algorithm used to encrypt data.
That possibility is what has some data-security experts concerned that encryption won’t be enough in the future to deter hackers. One stronger data-security solution would be to create random combinations of numbers and letters to scramble data, they argue.
“No matter how complex a cryptographic cipher is, it has an underlying pattern that can be discovered and reverse-engineered to unscramble the data,” says Gideon Samid, chief technology officer for the digital currency BitMint and the “Security Notes” columnist for Digital Transactions. “With quantum computing on the horizon, the threat to data security is growing exponentially.”
Quantum computers are powerful machines built on the principles of quantum mechanics and capable of solving problems in minutes that require years for today’s computers. IBM Corp. says it expects quantum computing to lead to breakthroughs in the fields of medicine, financial services, artificial intelligence, and supply chain and logistics. Unfortunately, it could also create breakthroughs for criminals looking to beat data encryption, Samid says.
Randomness, on the other hand, applies a theory of quantum mechanics that all events are truly random. Ciphers built on randomness do not use mathematics and therefore have no underlying patterns that can be discovered.
“Cracking ciphers is not easy, but the payments industry does need to lay the foundation to support new, stronger forms of data security,” says Wally Mlynarski, chief product officer for Elavon. “The process has started with the use of dynamic payment credentials and tokenization.”
While some payments experts believe that the introduction of randomly created ciphers is five to 10 years off, the big question is whether merchants will be fully on board with using ciphers to protect data by then.
“A lot of executives in the c-suite view cryptography as a black box, something that’s so complex it’s essentially a mystery to them,” Samid says.
If the top decision makers in a company don’t understand encryption and its variants, they are less likely to embrace it, Samid adds.
Executives’ perception of encryption is starting to change, however, as insurance companies educate merchants about the threat to consumer data and the value of strong cybersecurity, says Mlynarski.
Despite many merchants’ lack of urgency when it comes to encrypting card data, payments experts agree that the worst thing the payments industry can do when it comes to data security is to stand pat.
“There are powerful data-security solutions that are used in government that will begin trickling down for commercial use and help raise the level of data security for the public,” says Scott Dowty, chief revenue officer for Apriva. “Data security must evolve, because there is a shelf life to encryption.”
Data Security Fast Facts
77% of retail respondents planned to increase security spending in 2017, up from 61% in 2016
52% of U.S. retailers have been breached at some point
47% of U.S. retailers rank best practices as their top data-security spending driver
41% of U.S. retailers rank data-security compliance as a top spending driver
19% of U.S. retailers feel “very” or “extremely” vulnerable to security threats
Source: 2017 Thales Data Threat Report, Retail Edition