WHITE PAPER SECURE PAYMENTS: A MULTI-PRONGED APPROACH

Transcription

1 SECURE PAYMENTS: A MULTI-PRONGED APPROACH EMV, ENCRYPTION, TOKENIZATION & SECURE COMMERCE ARCHITECTURE

2 With the pressure being put upon merchants these days to become EMVcompliant, it may be confusing for many as to why they must do so and, indeed, what EMV actually is. There is also the misconception that EMV alone guarantees payment security when, in fact, EMV is simply one component of a secure solution. Along with EMV, encryption and tokenization are equally important for protecting merchants and cardholders alike against payment fraud, while Verifone s Secure Commerce Architecture (SCA) puts additional security measures in place for an optimal solution. WHAT IS EMV? In 1994, Europay International, MasterCard and Visa created EMV, a worldwide standard for the interaction of chip-based smart cards and approved payment devices. An EMV chip card is a standard credit or debit card with a microprocessor chip inset into the plastic. The authentication of this chip card prevents counterfeiting and adds cardholder PIN verification methods for card-present situations, offering both online and offline authorizations. By itself, EMV exposes data in transit and at rest. Sensitive data remains in the clear, susceptible to data breaches. While other countries have seen substantial counterfeit card fraud reductions up to 56% in the UK, for example the US market has resisted implementing EMV due to the expense of reissuing cards and updating payment systems. Now, however, with American card brands desire to accelerate EMV chip card adoption in the US, a liability shift is going into effect in October 2015 (or 2017 for fuel pumps). Once the shift takes place, if fraud occurs on an EMV chip-capable card and the merchant is not EMV-capable, the acquirer or merchant, rather than the issuer, will be held liable for the counterfeit transaction. EMV certification typically takes several months. Despite the attention EMV is getting, which may lead merchants to believe that EMV is the end-all, be-all of payment security, it does not actually guarantee secure transactions on its own. Chip cards do not protect against theft of the primary account number (PAN) or expiration date; this means that the theft of chip transaction details has the potential to result in cross-channel fraud in card-not-present (CNP) environments, such as online or over the phone. Case in point: In every country that has migrated to EMV, online fraud has grown. EMV alone is not enough to be a secure solution because it is intended to authenticate the issued cards only, preventing counterfeit card usage at the point of sale (POS). By itself, EMV exposes data in transit and at rest. It does not fulfill PCI DSS requirements, nor does it protect the confidentiality of cardholder and sensitive authentication data. Sensitive data remains in the clear, susceptible to data breaches. In short, EMV is card authentication, not data protection. 2

3 THE IMPORTANCE OF ENCRYPTION AND TOKENIZATION Encryption Encryption is used to protect data from malware and other threats while it is in transit, whether within the merchant s internal systems or during transmission to payment processors. At its most basic level, the encryption process obscures the account data, encoding it so that it cannot be understood without the corresponding decryption system. End-to-end encryption (E2EE) means that the credit card number is encrypted at the first point of interaction swipe, insert, tap or manual entry of the card number and stays encrypted through the entire authorization process until it is decrypted at the acquirer. Verifone currently offers two of the most prevalent types of encryption in the payments market today: 1. VeriShield Total Protect AES 128-bit encryption, supported by nine of the top 11 payments processors in the US; and 2. ADE Triple DES encryption with DUKPT key management. Verifone also works with clients to support other types of encryption, such as: RSA Public/Private Key (PKI); and SecureData identity-based encryption from Voltage. Each of these methods employs a different encryption algorithm and uses different encryption key management. Implementations vary widely, as some are complete packages, while others are more do-it-yourself. Each encryption method also requires a back-end infrastructure for decryption of the payment data, which can take place at a merchant-based or gateway switch, or at the merchant s payment processor. Tokens Merchants cannot use encrypted PANs within their own back-end systems or with chargeback and retrieval systems because the encryption for each transaction is unique. In this case, tokens replace the PAN with a unique surrogate value and protect data at rest. The token has no direct relationship with the data it replaces and cannot be reversed by the merchant or any thief. Tokens are typically card-based, meaning each one has a one-to-one relationship with an account number; the same token will always be returned for a specific PAN. Merchants use tokens to replace previously stored PANs for any post-authorization activities, eliminating the storage of cardholder data. There are various types of tokens, generated by a bank or payment switch vendor, and these can be used even in CNP transactions, usually coupled with encryption. Token implementation is often done in tandem with encryption start-up. 3

4 Payment Security: Solution Summary Security Threats Security Measures Counterfeit cards Lost/stolen cards* In-store sales Online sales EMV Encryption Tokenization EMV Encryption Tokenization P P Breach (data at rest) P P P P Breach (data in flight) P P P P Reuse of breached data P P P P *When used with a PIN SECURE COMMERCE ARCHITECTURE Over and above encryption and tokenization, Verifone s Secure Commerce Architecture (SCA) eliminates the potential for card data breaches by removing the POS system from the payment transaction flow. As such, SCA also removes the POS from the scope of card brand and acquirer-specific EMV certifications; using the SCA agent, Verifone devices become semi-integrated to the payment processor or Verifone gateway. 4

5 In the semi-integrated model, the terminal is securely connected to the merchant acquirer. The POS does not participate in the payment message, which means it is not part of the EMV certification process. Transaction data is not vulnerable to hacking on the merchant s POS. SCA provides a variety of benefits: In the semi-integrated model, the POS does not participate in the payment message, and transaction data is not vulnerable to hacking. Best-in-class security. The SCA payment app is PA DSS-validated and listed for Verifone s MX and VX devices. Verifone is working toward full PCI P2PE 2.0 component validation for SCA against the new 2.0 standard released in July EMV in a box. SCA supports EMV via an authorization message that Verifone certifies via a gateway service or processor/acquirer direct. Verifone manages certification. Simple POS integration. POS integration typically takes two to four weeks. A single integration supports all of Verifone s latest device offerings. Speeding up adoption of new payment technologies. Abstracting the POS from payment complexity allows merchants to innovate with payments moving forward, including wallets, offers, beacons and beyond. Ongoing support. Verifone is committed to the ongoing development, evolution and compliance of the SCA app well into the future. SCA solution Verifone s SCA solution is called Point, which includes Verifone Estate Manager. Point is a comprehensive payment solution designed to help merchants simplify payments, speed payment innovation, improve payment security and reduce PCI scope in the face of increasing cost, complexity and compliance requirements for payment-related technologies. Point is payment complexity made simple. Verifone Estate Manager is a next-generation estate management tool that is an integral part of Point, though it does not require SCA for its functionality. Merchants can remotely manage, monitor and update their entire estate of terminals and payment devices. SUMMARY For the strongest possible protection from fraud, Verifone recommends that merchants use all of the above technologies jointly. To summarize, EMV cannot stand alone in providing payment security; it needs encryption and tokenization to shield cardholder data from predators at all points of the payment process. Merchants can further benefit from Secure Commerce Architecture, reducing 5

6 EMV compliance scope and removing sensitive information from the point of sale system. EMV chip technology only validates that the card is authentic and prevents counterfeiting; it supports cardholder verification and allows authorization of the transaction using the cardholder s signature. EMV is most effective with card-present transactions. Meanwhile, E2EE protects cardholder data from the point of entry to the payment card processor, shielding against malware that sniffs and captures sensitive data. It uses one-way encryption at the PIN pad, making cardholder data unusable, and reduces the merchant s applicable controls required for PCI DSS validation. To select the encryption method that best fits one s business, merchants should begin by talking to their POS device provider and their payment processor or gateway. Tokenization further reduces risk and eases PCI certification by replacing cardholder data (including the PAN) with surrogate values (tokens), eliminating the storage of cardholder data for post-transaction capture. Lastly, SCA removes the POS from payment data transmission, facilitating a secure, direct connection from the terminal to the acquirer or gateway and simplifying EMV certification. 6

7 ABOUT VERIFONE About Verifone Systems, Inc. ( Verifone Systems, Inc. ( Verifone ) (NYSE: PAY) is a global leader in secure electronic payment solutions. Verifone provides expertise, solutions and services that add value to the point of sale with merchant-operated, consumer-facing and selfservice payment systems for the financial, retail, hospitality, petroleum, government and healthcare vertical markets. Verifone solutions are designed to meet the needs of merchants, processors and acquirers in developed and emerging economies worldwide Verifone, Inc. All rights reserved. Verifone and the Verifone logo are either trademarks or registered trademarks of Verifone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Product display image for representation purposes only. Actual product display may vary. Reproduction or posting of this document without prior Verifone approval is prohibited. 7