Guest Column | June 30, 2014

Securing Stored Cardholder Data — Another Layer To The EMV Puzzle

Securing Stored Cardholder Data

By Jeremy Gumbley, CTO of Creditcall

While recent data breaches in the U.S. have put the spotlight on EMV transactions and the how the U.S. is behind the rest of the world in payments security, there is a “second tier” of security that can be taken on top of implementing EMV. EMV is a viable and necessary weapon in the battle to protect consumers’ data — but there are other layers of security that can further protect consumers’ card information that should serve to mitigate the fallout from future breaches.

In this article, I have outlined two examples of the most viable security solutions that can be paired with EMV to create even more secure merchant environments to make future customer data breaches less desirable for hackers.

P2PE Or Point-To-Point Encryption

With P2PE, cardholder data is secured via encryption when the card is inserted and can only be decrypted by the bank, processor, or payment gateway. This means that sensitive data can be transmitted or even stored by the merchant without worrying about protecting it.

The PCI Point-to-Point Encryption (P2PE) Standard ensures that a solution meet the requirements for card data protection. PCI P2PE also de-scopes the merchant from some of the problematic areas of PCI DSS making it a win-win for the merchant and the industry.

As security has many layers, P2PE offers a responsible solution to the problem of cardholder data security, showing that the merchant has done as much as it can to protect their consumers. Implementing both EMV and P2PE offers the most secure transaction environment possible that is currently available. Fortunately most EMV-capable PIN pads incorporate a P2PE scheme.


Another example of a security method taken overseas that could help to further assist U.S. merchants from future data breaches, is tokenization.

Merchants typically have to store cardholder data for future transactions. For example, if a customer service representative at Zappos needs to give you a refund for something you returned, they won’t have to ask you for your card details all over again. Or Amazon, for example, stores card details to make it easier to purchase items with one-click in the future. This is a huge convenience for the consumers — but this also means that retailers have to store loads of cardholder data, making their systems a target for fraud. Securing data while you store it, as mandated by PCI DSS (Payment Card Industry Data Security Standard), is a complex and often expensive process.

What some processors and payment gateways do when responding to an authorization, and which is employed in many European countries, is utilize a special “token” included in the response message, which the merchant can store. This token does not hold the cardholder data, but rather, can be used for future transactions instead of cardholder data.

In turn, if a merchant needs to do a refund or use the same card holder data for a future transaction, they then send that token and it is mapped by the processor or payment gateway to the original cardholder data. This way the merchant has no need to store the card holder data — and if the tokens are stolen they cannot be reused by a criminal in the same way that the unencrypted data can.

Another benefit of tokenization is that the most merchants aren’t security experts and are not set up to protect their data sufficiently over time. Big retail environments are tricky to secure, as are large websites and online services. You can’t unplug a website from the Internet, which is the biggest avenue of compromise. Tokenization does help to solve this problem for the merchant.

Customers Leading The Charge

Any time a customer’s way of doing things is changed, there is confusion by the public. However, each and every day, innovative new forms of technology are surfacing. Will Coin be the solution to all of our problems? Not likely. Manufacturers and integrators are slowing beginning to realize that there is a problem and change needs to happen. Businesses, for one, should be very sensitized to fraud problems — or anything that impacts their consumers as a result of their inaction — and assuming they have no part to play in the transaction security chain is bad for the business. If billions of dollars in fines and an immeasurable impact on customer confidence in a brand isn’t incentive enough to take the necessary actions, what else is?

No matter the solution chosen, failure to comply means simply turning a blind eye on rather than eradicating fraud and will keep the true benefits of the payments initiative just out of reach.

Creditcall’s EMV-ready payment gateway and EMV migration solutions enable card acceptance from any device, anywhere, whether attended, unattended, online, or mobile. For more information visit

In 2001, Jeremy Gumbley became CTO and technical director at CreditCall, having spearheaded the company’s technical development since 1999. He is a veteran of the payments industry, having driven product and technology development roadmaps to accommodate EMV migration programs in the UK, Europe, Africa, and the Middle East as well as the U.S. and Canada. As CTO, he is responsible for the design, development and implementation of the company’s card payment solutions and portfolio of EMV Level 2 Kernels. Under his technical leadership, the company has licensed and deployed over one million Kernels in the last decade. In addition, Jeremy oversees the maintenance of the company’s PCI DSS Level 1 compliance.