Digital Transactions Authoritative, insightful and timely information for payments professionals
With the Covid-19 pandemic accelerating consumers’ use of contactless cards and mobile wallets, merchants can expect hackers to target contactless transaction data at the point-of-sale, says Ruston Miles, founder and advisor at Atlanta-based Bluefin Payment Systems LLC.
The main point of vulnerability in a contactless environment at the physical point-of-sale is the firmware in the POS terminal that encrypts card data, says Miles. Many merchants do not use point-to-point encryption (P2PE) solutions to safeguard card data at the POS, ensuring it remains secure until it reaches its final destination. Instead, many merchants accepting contactless payments rely on transmission-level encryption, which encrypts card data only as it moves from the POS terminal to the processor, Miles says.
“There are a lot of POS devices that accept contactless payments that don’t encrypt the data as it enters the terminal’s firmware,” says Miles. “A lot of it has to do with the cost of P2PE, which is not mandated. Many merchants base their decision not to use a P2PE-certified solution on the scale of their transaction volume. The higher the volume, the higher the cost.”
P2PE is a data-security standard from the PCI Security Standards Council that requires card data to be encrypted as it enters the POS terminal. Even if the data is hacked, criminals will not have the tools to decrypt it. That makes the data useless to criminals, Miles adds.
Processors have been reporting large increases in contactless and mobile-payment activity since the pandemic became an emergency in March. This week, for example, credit union services provider PSCU reported debit card transactions via mobile wallets for the week ended Aug. 9 were up 76.6% compared to the same week last year. Tap-and-go debit cards accounted for 12.1% of all card-present transactions that week, up from approximately 8% in mid-January.
Securing card data as it enters a POS terminal is just one part of the equation to secure data in contactless transactions. Merchants must also take steps to safeguard card data for in-app transactions or purchases made using a mobile wallet.
The most logical choice to secure these app-based transactions, Miles says, is to use 3D Secure technology, which authenticates a cardholder to her card issuer when making a card-not-present transaction. This additional security layer prevents unauthorized CNP transactions and protects the merchant from exposure to CNP fraud.
“For these types of transactions, it’s important for merchants to require consumers to authenticate themselves using 3D Secure, because it shifts liability to the card issuer,” Miles says.
With 3D Secure, the consumer is redirected to a 3D Secure payment portal, where a set of security questions are posed to verify her identity. To validate herself, the consumer must provide the correct answers, such as her password or the name of the first school she attended. 3D Secure 2.0, which is the latest version of the technology standard, supports authentication in mobile apps. This feature allows screens posing security questions to be presented from within the merchant’s app, which makes the validation process look and feel like part of the merchant’s app.
Finally, merchants that need to store cardholder data should think seriously about tokenizing the data, Miles says. Tokenization replaces the cardholder’s account number with a random alphanumeric sequence, or token, that can’t be reverse-engineered.
“Wallet providers may or may not tokenize data, so why should merchants take the chance?” asks Miles. “Merchants can’t take data security for transactions made in a contactless environment for granted.”
