The recent highly publicized data breaches at prominent retailers, smack in the midst of the holiday shopping season, teach the lesson that building a cyber moat around the enterprise is not enough. The data itself needs to be secured, adding a potent layer of security that will defeat most attempts to monetize stolen data.
Sophisticated and organized identity thieves can get behind even the most diligent retailer’s firewall. It happens to our most secure government agencies. So it’s no surprise it happens to merchants following PCI guidelines. It’s time to up the game, and secure the data itself.
PCI has embraced the concept of “Point to Point Encryption” and “tokenization” to lock down the data itself. It’s a simple concept — encrypt data before any software can read it, and don’t store it in the merchant’s system.
Why Are Identity Thieves Succeeding?
One way identity thieves have succeeded is by finding clever ways to get through a firewall (e.g., stealing bona fide login credentials), planting malware that intercepts and stores cardholder data, and then uploading that data at a later time. Encrypting cardholder data defeats this method. This scenario is reminiscent of the evolution of Wi-Fi security. Wi-Fi data was originally sent in the clear. Identity thieves began sniffing and recording it. Wi-Fi standards bodies first attempted to close the breach by encrypting data without securing the encryption keys that had to be exchanged to facilitate communication (WEP). That breach was finally closed in the next round of security standards (WPA/WPA2), where strong cryptography was adopted and the data encryption keys were themselves secured using encrypted key exchanges.
How Does Point To Point Encryption Work?
PCI is following a similar approach to Wi-Fi data security. PCI first recommends that cardholder data be encrypted at the source, the card reader itself, before any software can read it. The encrypted data is then sent as usual to the merchant’s gateway or payment processor hosting a “P2PE solution,” meaning the gateway or processor decrypts the data before sending it out over a secure connection to the card networks (Visa, MasterCard, Discover, AMEX). As in the Wi-Fi analogy, PCI recommends card readers use strong TDES or AES cryptography (WPA/WPA2 uses AES), and tasks the P2PE “solution provider” (the gateway or payment processor that decrypts cardholder data) with managing encryption keys, as they do today for PIN entry devices.
Won’t EMV Solve the Problem?
EMV will help, but won’t completely solve the problem. Identity thieves target U.S. merchants because they can monetize stolen data in two ways — creating duplicate cards for use in brick-and-mortar retail, and using the data to make online e-commerce purchases. EMV authenticates the card at the point of interaction, eliminating card duplication as a revenue stream for identity thieves. The ease of duplicating U.S. cards creates a bias toward targeting U.S. merchants; once EMV is in widespread use in the U.S., that bias will be eliminated. However, EMV doesn’t eliminate the need to pass cardholder data back into the payment system, so the need to secure that data will still exist.
How Are The Encryption Keys Secured?
PCI recommends that encryption keys be injected in a secure, PCI-certified facility by a PCI-certified service provider. That key injection service provider downloads keys securely from the P2PE service provider. PCI then recommends those keys be “rotated” annually, to reduce the impact of a breach in which identity thieves get to the encryption keys. A better, also approved, method is DUKPT (Derived Unique Key Per Transaction) key management. With DUKPT, the card reader calculates a unique encryption key for each payment transaction, so annual key rotation is no longer required.
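The flow described above and under “How Does Point To Point Encryption Work?” (encrypt in the reader, forward only ciphertext through the merchant, decrypt at the P2PE solution provider, with a fresh key per transaction) as an added Go example; this is not code from the original article, from PCI, or from any P2PE vendor. It uses standard-library AES-GCM and HMAC-SHA256. The base derivation key, the device serial, the HMAC-based two-level key derivation (a stand-in for the X9.24 DUKPT algorithm, which is not reproduced here), the clear header that plays the role of the key serial number, and the processor’s counter check are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed BDK. In a real P2PE solution it lives only in the solution provider's HSM.
var demoBDK = []byte("constructed-demo-bdk-32-bytes-!!")

// deriveInitialKey is the per-device key handed over at key injection (the role of the
// DUKPT IPEK). The HMAC derivation is this example's assumption, not the X9.24 algorithm.
func deriveInitialKey(bdk []byte, deviceSerial string) []byte {
	m := hmac.New(sha256.New, bdk)
	m.Write([]byte("initial-key|" + deviceSerial))
	return m.Sum(nil)
}

// deriveTransactionKey yields a fresh AES-256 key per counter value: no key is used twice.
func deriveTransactionKey(initialKey []byte, counter uint32) []byte {
	m := hmac.New(sha256.New, initialKey)
	m.Write(binary.BigEndian.AppendUint32([]byte("txn-key|"), counter))
	return m.Sum(nil)
}

// header travels in the clear with the ciphertext (the role of the DUKPT key serial
// number) and is bound to it as GCM associated data, so it cannot be swapped undetected.
func header(serial string, counter uint32) []byte {
	return append(binary.BigEndian.AppendUint32(nil, counter), serial...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Reader models the card reader: it holds only its injected key and a counter. What it
// emits (EncryptedTransaction) is everything the merchant's own systems ever see.
type Reader struct {
	Serial     string
	InitialKey []byte
	counter    uint32
}

type EncryptedTransaction struct {
	DeviceSerial string
	Counter      uint32
	Nonce        []byte
	Ciphertext   []byte
}

// Encrypt seals cardholder data inside the reader, before any merchant software reads it.
func (r *Reader) Encrypt(cardholderData []byte) (EncryptedTransaction, error) {
	r.counter++
	gcm, err := newGCM(deriveTransactionKey(r.InitialKey, r.counter))
	if err != nil {
		return EncryptedTransaction{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTransaction{}, err
	}
	ct := gcm.Seal(nil, nonce, cardholderData, header(r.Serial, r.counter))
	return EncryptedTransaction{r.Serial, r.counter, nonce, ct}, nil
}

// Processor models the P2PE solution provider: it holds the BDK, re-derives each transaction
// key from the clear header, and rejects a counter that does not advance (constructed check).
type Processor struct {
	bdk         []byte
	lastCounter map[string]uint32
}

func NewProcessor(bdk []byte) *Processor {
	return &Processor{bdk: bdk, lastCounter: map[string]uint32{}}
}

func (p *Processor) Decrypt(tx EncryptedTransaction) ([]byte, error) {
	if tx.Counter <= p.lastCounter[tx.DeviceSerial] {
		return nil, fmt.Errorf("counter %d did not advance: replayed or reordered", tx.Counter)
	}
	gcm, err := newGCM(deriveTransactionKey(deriveInitialKey(p.bdk, tx.DeviceSerial), tx.Counter))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, tx.Nonce, tx.Ciphertext, header(tx.DeviceSerial, tx.Counter))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	p.lastCounter[tx.DeviceSerial] = tx.Counter
	return pt, nil
}
```

Key injection is the one-time step `&Reader{Serial: s, InitialKey: deriveInitialKey(bdk, s)}`, performed where the BDK is available; after that the reader calls `Encrypt` per swipe and only `Processor.Decrypt` can recover the data. Because every transaction key is derived rather than stored, a reader that is stolen or tampered with yields at most its own initial key, and a compromised merchant system holds nothing but ciphertext and headers; the counter check additionally surfaces replayed transactions, which is a detection signal worth logging on the processor side.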