WHITE PAPER SECURE PAYMENTS: A MULTI-PRONGED APPROACH



SECURE PAYMENTS: A MULTI-PRONGED APPROACH
EMV, ENCRYPTION, TOKENIZATION & SECURE COMMERCE ARCHITECTURE

With the pressure being put on merchants these days to become EMV-compliant, many may be confused as to why they must do so and, indeed, what EMV actually is. There is also a misconception that EMV alone guarantees payment security when, in fact, EMV is only one component of a secure solution. Along with EMV, encryption and tokenization are equally important for protecting merchants and cardholders alike against payment fraud, while Verifone's Secure Commerce Architecture (SCA) adds further security measures for an optimal solution.

WHAT IS EMV?

In 1994, Europay International, MasterCard and Visa created EMV, a worldwide standard for the interaction between chip-based smart cards and approved payment devices. An EMV chip card is a standard credit or debit card with a microprocessor chip embedded in the plastic. Authentication of the chip prevents counterfeiting, and the standard adds cardholder verification methods such as PIN for card-present transactions, supporting both online and offline authorization.

While other countries have seen substantial reductions in counterfeit card fraud (up to 56% in the UK, for example), the US market has resisted implementing EMV because of the expense of reissuing cards and updating payment systems. Now, however, with the American card brands wanting to accelerate EMV chip card adoption in the US, a liability shift takes effect in October 2015 (October 2017 for fuel pumps). Once the shift takes place, if counterfeit fraud occurs with an EMV chip card at a merchant that is not EMV-capable, the acquirer or merchant, rather than the issuer, is held liable for the counterfeit transaction. EMV certification typically takes several months.

Despite the attention EMV is getting, which may lead merchants to believe that EMV is the end-all, be-all of payment security, it does not guarantee secure transactions on its own.
Chip cards do not protect against theft of the primary account number (PAN) or expiration date, so stolen chip transaction details can still be used for cross-channel fraud in card-not-present (CNP) environments such as online or telephone orders. Case in point: in every country that has migrated to EMV, online fraud has grown. EMV alone is not a secure solution because it is intended only to authenticate issued cards, preventing counterfeit card usage at the point of sale (POS). By itself, EMV leaves data exposed in transit and at rest. It does not fulfil PCI DSS requirements, nor does it protect the confidentiality of cardholder data and sensitive authentication data; that data remains in the clear, susceptible to breaches. In short, EMV is card authentication, not data protection.

THE IMPORTANCE OF ENCRYPTION AND TOKENIZATION

Encryption

Encryption protects data from malware and other threats while it is in transit, whether within the merchant's internal systems or during transmission to the payment processor. At its most basic level, encryption obscures the account data, encoding it so that it cannot be read without the corresponding decryption key. End-to-end encryption (E2EE) means that the card number is encrypted at the first point of interaction (swipe, insert, tap or manual entry of the card number) and stays encrypted through the entire authorization process until it is decrypted at the acquirer. Verifone currently offers two of the most prevalent types of encryption in the payments market today:

1. VeriShield Total Protect: AES 128-bit encryption, supported by nine of the top 11 payment processors in the US; and
2. ADE: Triple DES encryption with DUKPT (derived unique key per transaction) key management.

Verifone also works with clients to support other types of encryption, such as RSA public/private key (PKI) and SecureData identity-based encryption from Voltage. Each of these methods uses a different encryption algorithm and a different form of key management. Implementations vary widely: some are complete packages, while others are more do-it-yourself. Each encryption method also requires a back-end infrastructure for decrypting the payment data, which can take place at a merchant-based or gateway switch, or at the merchant's payment processor. Whichever method is chosen, the decryption keys must never be present on the merchant's POS; if they are, the POS is back in scope and a compromise of it exposes every transaction that passes through.

Tokens

Merchants cannot use encrypted PANs within their own back-end systems, or with chargeback and retrieval systems, because the ciphertext for each transaction is unique: the same PAN encrypts differently every time. Instead, tokens replace the PAN with a unique surrogate value and protect data at rest. A token has no mathematical relationship with the data it replaces and cannot be reversed by the merchant or by a thief; only the token service provider, which holds the token vault, can map it back to the PAN.
Tokens are typically card-based, meaning each has a one-to-one relationship with an account number: the same token is always returned for a given PAN. Merchants use tokens in place of previously stored PANs for any post-authorization activity (refunds, chargebacks and retrieval requests, reporting), eliminating the storage of cardholder data. Tokens of various types are generated by a bank or payment switch vendor, and they can be used even for CNP transactions, usually coupled with encryption. Token implementation is usually done in tandem with encryption start-up.
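To make the token properties above concrete, here is a small token vault in Go. It is an example added for this page, not Verifone's or any processor's token service. It assumes a vault-side HMAC key for the lookup index, a policy of preserving the PAN's length and last four digits, and a rule that tokens must fail the Luhn check; the PANs are standard test numbers. It shows the same PAN always returning the same token, the token carrying no recoverable relationship to the PAN, and detokenization existing only inside the vault.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// TokenVault models the token service provider: the only place the token-to-PAN mapping exists.
type TokenVault struct {
	mu       sync.Mutex
	indexKey []byte            // vault-side HMAC key for the PAN lookup index (assumed, from an HSM)
	byIndex  map[string]string // HMAC(PAN) -> token, so the same PAN maps to the same token
	byToken  map[string]string // token -> PAN (encrypted at rest in a real vault)
}

func NewTokenVault(indexKey []byte) *TokenVault {
	return &TokenVault{indexKey: indexKey, byIndex: map[string]string{}, byToken: map[string]string{}}
}

// LuhnValid reports whether a digit string passes the check-digit test every real PAN passes.
func LuhnValid(s string) bool {
	doubled := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9} // digit*2 with the digit sum folded in
	sum := 0
	for i := range s {
		d := int(s[len(s)-1-i] - '0')
		if i%2 == 1 {
			d = doubled[d]
		}
		sum += d
	}
	return sum%10 == 0
}

// IsPAN applies the basic structural checks before anything is vaulted.
func IsPAN(s string) bool {
	if len(s) < 13 || len(s) > 19 || strings.Trim(s, "0123456789") != "" {
		return false
	}
	return LuhnValid(s)
}

// randomDigits draws n unbiased decimal digits from crypto/rand (rejection sampling).
func randomDigits(n int) (string, error) {
	out, b := make([]byte, 0, n), make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		if b[0] < 250 {
			out = append(out, '0'+b[0]%10)
		}
	}
	return string(out), nil
}

// Tokenize returns a card-based token: the same PAN always yields the same token. The token
// keeps the PAN's length and last four digits but is otherwise random and deliberately fails
// Luhn, so it can never be mistaken for, or collide with, a real card number.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if !IsPAN(pan) {
		return "", errors.New("tokenize: input is not a valid PAN")
	}
	m := hmac.New(sha256.New, v.indexKey)
	m.Write([]byte(pan))
	idx := string(m.Sum(nil))
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byIndex[idx]; ok {
		return tok, nil
	}
	for {
		mid, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		tok := mid + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; taken || LuhnValid(tok) {
			continue
		}
		v.byIndex[idx], v.byToken[tok] = tok, pan
		return tok, nil
	}
}

// Detokenize exists only inside the token service (to build the settlement or refund
// message to the acquirer); merchant code never has a path to it.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if pan, ok := v.byToken[tok]; ok {
		return pan, nil
	}
	return "", errors.New("detokenize: unknown token")
}
func main() {
	vault := NewTokenVault([]byte("constructed-demo-index-key")) // from an HSM in production
	tok, err := vault.Tokenize("4111111111111111")               // constructed test PAN
	again, _ := vault.Tokenize("4111111111111111")
	fmt.Println(tok, err, tok == again, LuhnValid(tok)) // <token> <nil> true false
}
```

A merchant integrating with such a service stores only the returned token and references it for refunds, chargebacks and reporting. Two things the example makes visible: the token is a stable identifier for the card within this vault, so it links transactions and should be treated as confidential in its own right; and because the mapping is random rather than derived, the only way from token back to PAN is through the vault, which is why the vault rather than the merchant carries the PCI scope for the stored PANs.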

PAYMENT SECURITY: SOLUTION SUMMARY

                          In-store sales                 Online sales
Security threat           EMV  Encryption  Tokenization  EMV  Encryption  Tokenization
Counterfeit cards         ✓    -           -             -    -           -
Lost/stolen cards*        ✓    -           -             -    -           -
Breach (data at rest)     -    ✓           ✓             -    ✓           ✓
Breach (data in flight)   -    ✓           ✓             -    ✓           ✓
Reuse of breached data    -    ✓           ✓             -    ✓           ✓

* When used with a PIN

SECURE COMMERCE ARCHITECTURE

Over and above encryption and tokenization, Verifone's Secure Commerce Architecture (SCA) removes the POS system from the payment transaction flow, so card data never passes through the POS and the POS cannot be the source of a card data breach. SCA thereby also removes the POS from the scope of card brand and acquirer-specific EMV certifications: using the SCA agent, Verifone devices become semi-integrated with the payment processor or Verifone gateway.

In the semi-integrated model, the terminal is securely connected to the merchant acquirer. The POS does not participate in the payment message, which means it is not part of the EMV certification process, and transaction data is not exposed to a compromise of the merchant's POS. SCA provides a variety of benefits:

- Best-in-class security. The SCA payment app is PA-DSS-validated and listed for Verifone's MX and VX devices. Verifone is working toward full PCI P2PE 2.0 component validation for SCA against the new 2.0 standard released in July 2015.
- EMV in a box. SCA supports EMV via an authorization message that Verifone certifies through a gateway service or directly with the processor/acquirer. Verifone manages certification.
- Simple POS integration. POS integration typically takes two to four weeks, and a single integration supports all of Verifone's latest devices.
- Faster adoption of new payment technologies. Abstracting the POS from payment complexity lets merchants innovate with payments going forward, including wallets, offers, beacons and beyond.
- Ongoing support. Verifone is committed to the ongoing development, evolution and compliance of the SCA app well into the future.

SCA solution

Verifone's SCA solution is called Point, which includes Verifone Estate Manager. Point is a comprehensive payment solution designed to help merchants simplify payments, speed payment innovation, improve payment security and reduce PCI scope in the face of increasing cost, complexity and compliance requirements for payment-related technologies. Point is payment complexity made simple. Verifone Estate Manager is a next-generation estate management tool that is an integral part of Point, though it does not require SCA to function: merchants can remotely manage, monitor and update their entire estate of terminals and payment devices.
SUMMARY

For the strongest possible protection from fraud, Verifone recommends that merchants use all of the above technologies together. To summarize, EMV cannot stand alone in providing payment security; it needs encryption and tokenization to shield cardholder data at every point of the payment process. Merchants can further benefit from Secure Commerce Architecture, which reduces EMV certification scope and removes sensitive information from the point of sale system.

EMV chip technology only validates that the card is authentic and prevents counterfeiting; it supports cardholder verification (PIN or signature) and authorization of the transaction. EMV applies to card-present transactions only.

E2EE protects cardholder data from the point of entry to the payment processor, shielding it from malware that sniffs and captures sensitive data. The data is encrypted at the PIN pad under keys the merchant does not hold, so it is unusable to anyone between the PIN pad and the decryption point, which reduces the controls the merchant must apply for PCI DSS validation. To select the encryption method that best fits their business, merchants should begin by talking to their POS device provider and their payment processor or gateway.

Tokenization further reduces risk and eases PCI validation by replacing cardholder data (including the PAN) with surrogate values (tokens), eliminating the storage of cardholder data after the transaction.

Lastly, SCA removes the POS from payment data transmission, providing a secure, direct connection from the terminal to the acquirer or gateway and simplifying EMV certification.

ABOUT VERIFONE

About Verifone Systems, Inc. (www.verifone.com). Verifone Systems, Inc. ("Verifone") (NYSE: PAY) is a global leader in secure electronic payment solutions. Verifone provides expertise, solutions and services that add value to the point of sale with merchant-operated, consumer-facing and self-service payment systems for the financial, retail, hospitality, petroleum, government and healthcare vertical markets. Verifone solutions are designed to meet the needs of merchants, processors and acquirers in developed and emerging economies worldwide.

© 2015 Verifone, Inc. All rights reserved. Verifone and the Verifone logo are either trademarks or registered trademarks of Verifone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Product display image for representation purposes only. Actual product display may vary. Reproduction or posting of this document without prior Verifone approval is prohibited.