Since 2013, we’ve experienced over 14 billion lost or stolen records as the result of data breaches. In 2019, here’s what the payments industry needs to know about guarding against cyberattacks.
Payments security is a top priority in 2019. Threats are on the rise, not only in number but in sophistication. Consequently, organizations of all kinds have greatly increased spending on information security (IS). In fact, Gartner reports that IS spending in 2017 totaled more than $86.4 billion. This trend is not slowing; within the next two years, cyberattacks will cause $6 trillion in damage each year — a 100% increase from $3 trillion in 2015.
A contributor to the trend of security risks is consumer behavior itself. Consumers have become increasingly comfortable making purchases on mobile and IoT devices. Some experts predict IoT devices could surpass the 20 billion mark by next year. And while chip & PIN technology has been successful in squashing in-store fraud, digital payments are facing more risks than ever.
While emerging technology to make payments more seamless and secure seems to be advancing at the speed of light, hackers appear to be in lockstep with these advancements. Shrewd bad actors continue to target POS systems in data breaches that cost merchants and other parties millions of dollars. POS systems need a way to protect customer cardholder information and remain PCI compliant.
Point-to-Point Encryption (P2PE) is a payment security tool that can reduce PCI scope and protect cardholder data for card-present transactions at the point of sale. Transactions taken on mobile devices and manually keyed transactions are protected as well. P2PE keeps cardholder data in transit protected as it is sent from the POS at a store to the bank and back to the merchant.
Essentially, businesses have the ability to encrypt data immediately at the point of sale or interaction, and that data stays encrypted until it reaches the P2PE solution provider’s secure decryption environment. Should any nefarious characters gain access to the data or attempt to steal it along the way, they would find it indecipherable and thus without value. For merchants, this means the credit card data is protected for the whole round trip: from the moment a card is swiped or dipped at the POS and the message is sent to the issuing bank to check whether the cardholder has the funds, to the moment the issuing bank’s response is sent back to the merchant to verify the purchase.
Tokenization is the yang to P2PE’s yin. Long used as a way to protect primary account numbers (PANs), it is now the standard for protecting data at rest in a way that reduces PCI scope. Offered as either reversible or irreversible, tokenization replaces cardholder data with tokens, strings that are useless on their own. Reversible tokens may be mapped back to one or more pieces of data via strong cryptography; the cryptographic key and the mapping are stored in a token vault. Irreversible tokens make it impossible for anyone to recreate the original value from the token.
The beauty of tokenization is that it also protects digital wallet and ecommerce payments. Once your card is loaded onto your iPhone for Apple Pay, for example, Apple must send the card details to the issuing bank or network. During this process, your card details are replaced with a token (a series of randomly generated numbers). That random number is also sent back to Apple, which stores it on the phone. If the phone is ever stolen or hacked, the thieves would only have access to the meaningless token rather than anything of value, like the actual card data.
The process is similar for ecommerce transactions. Retailers tokenize stored card numbers used to make purchases on their websites. In the event of a hack, neither the retailer nor the hacker ever sees your actual credit card number. The only thing stored is the randomly generated token, which has no value on its own.
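To make the reversible/irreversible distinction concrete, here is an added example (not code from the article or from any P2PE or tokenization vendor) that models both kinds of token over constructed test card numbers. The in-memory `TokenVault` class stands in for a real vault, which is an assumption: a production vault would encrypt the stored PANs under an HSM-protected key and sit inside the PCI zone. Tokens are format-preserving (same length, last four digits kept) and are deliberately generated so they fail the Luhn check, so a token can never be mistaken for a live card number. The irreversible variant uses a keyed HMAC rather than a bare hash, because the PAN space is small enough that an unkeyed hash could be brute-forced.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: industry test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits (what receipts and logs should show)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """In-memory stand-in for a reversible token vault (assumption for this example:
    a real vault encrypts stored PANs under an HSM-protected key inside the PCI zone)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        """Issue a multi-use token: the same PAN always maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("input is not a valid card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length, last four digits kept so staff can match receipts.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = prefix + pan[-4:]
            # Reject candidates that pass Luhn or were already issued, so a token can
            # never be mistaken for (or collide with) a live card number.
            if not luhn_valid(candidate) and candidate not in self._token_to_pan:
                break
        self._token_to_pan[candidate] = pan
        self._pan_to_token[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; systems outside it never see the PAN."""
        return self._token_to_pan[token]


def irreversible_token(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN. A plain hash would not do here: the PAN space
    is small enough to enumerate, so the secret key is what defeats a lookup attack."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    hmac_key = secrets.token_bytes(32)  # constructed key; a real one lives in an HSM
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(f"{mask_pan(pan)} -> reversible token {tok} (Luhn valid: {luhn_valid(tok)})")
        print(f"   vault recovers {mask_pan(vault.detokenize(tok))}")
        print(f"   irreversible token {irreversible_token(pan, hmac_key)[:16]}...")
```

The two tokens answer different needs: a retailer that must charge a stored card again needs the reversible form and a vault to call, while a system that only needs to recognise a returning card (fraud scoring, loyalty matching) can use the irreversible form and never hold anything a thief could cash in.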
Omnichannel data protection is more important than ever. With over 14 billion lost or stolen data records since 2013, all parties need to be on high alert as to existing and emerging vulnerabilities. Data breaches are not likely to disappear anytime soon, and while we hope to see the number of “secure breaches” — where encryption is in place and data is rendered useless to the criminals who stole it — rise, there is still much work to be done on the payments security front.
Not only do solutions like P2PE and tokenization provide the highest level of data security, but they also enable a reduced PCI compliance scope by reducing the number of systems that have access to customers’ credit card information. Piecemeal solutions and the “wait and see” game are not adequate for protecting cardholder data; those who wait to learn that lesson the hard way will pay the price. Smart companies will focus on creating and implementing a holistic payment security strategy that includes P2PE and tokenization.