We are amid the busiest retail season of the year, with U.S. retail sales expected to grow 10.5% to a record $859 billion this holiday season compared to 2020. The number of transactions is increasing, but so is the number of hackers who are targeting shoppers’ cardholder data.
As retailers welcome shoppers and juggle supply chain disruptions, the last things they want to worry about are cyber threats that could lead to data breaches. Besides a high sales volume, secure transactions top retailers’ wish lists this holiday season.
Point-to-point encryption extends security beyond point of sale
When it comes to processing billions of transactions and safeguarding customers’ most sensitive data, world-class payment processing is required.
The use of hardware security modules (HSMs) in transaction processing is critical, as payment HSMs provide the cryptographic functions needed to support end-to-end data security. We recommend that retailers implement point-to-point encryption (P2PE) to encrypt cardholder data, such as credit card numbers, at the point of sale. As data travels from the point of sale to the merchant post and beyond, it needs to be encrypted.
How does P2PE work? It uses a device on the individual terminal called an SRED (secure reading and exchange of data), which encrypts the cardholder data at the point of capturing. It’s then sent off to a host application that the merchant runs. The entire purpose is to encrypt that data while it’s in transit, from the point of sale to the merchant host application over lines that could be insecure. Even if a hacker, skimmer, or fraudster is trying to scrape the data that comes in, the card numbers are encrypted.
This data is used for a lot of different things beyond purchases, such as for customer loyalty programs, analytics, returns, and chargebacks. Quite often, there needs to be a unique identifier for a particular customer. If retailers are using wireless point-of-sale terminals or mobile terminals, there are additional PCI security requirements for that data as it’s transmitted over the network.
Data in transit needs to be encrypted: PCI requirements play a big role
PCI is the governing body for all the major credit card brands and has guidelines and rules for how cardholder data is protected. Retailers and other financial services organizations that handle clear cardholder data must follow these regulations, including encrypting data that travels from the point of sale to the merchant post and to the servers or databases where cardholder data is stored.
Historically, the security in place at the the point of sale has been focused around protecting PINs. The same level of rigor and security in the past was not applied to cardholder data (CHD) or primary account number (PAN) data.
With P2PE, the PCI Security Standards Council has done a lot to make cardholder data protection a priority, along with paving the way for new methods of payment acceptance through tablets, mobile phones, and other devices. Point-to-point encryption is one way for merchants to fulfill the PCI guidelines and reduce the scope of their PCI burden.
P2PE and tokenization go together like hot chocolate and marshmallows
Point-to-point encryption does not handle data-at-rest encryption. This is where tokenization comes into play.
Tokenization takes card numbers that are stored in various databases and replaces the clear card number with an encrypted value – a token. PCI allows for two different methods of tokenization: software and hardware with an HSM. If tokenization is done in software, it must be an irreversible token. This is done by taking a hash value of the card number, which is uniquely identifying for a particular card, but cannot be reversed to get the card number back. In this case, the merchant must maintain a single database, mapping out the card numbers to its tokens. For example, when doing a chargeback, they can reference it. The database where the token maps to the card number needs to be kept secure and within the scope of PCI audits.
The other method for tokenization under PCI is using hardware, also called “strong cryptography.” This involves encryption, retrieving the token, and decryption to get the clear card number — this process is also called data abstraction. The way it works is by using format preserving encryption (FPE), or format preserving tokenization. This allows the data to be put into different systems without having to make database schema changes. It’s so obfuscated, you could showcase that token on a billboard in Times Square!
Tokenization descopes the data from PCI, also reducing the PCI compliance scope. For the purposes of PCI requirements, let’s say the server that handles a retailer’s loyalty program had clear card numbers. For a PCI audit, the retailer would need to verify that they are fulfilling all the different data protection guidelines on this server plus all 20 other servers. However, if a retailer can show that they are using tokenization to prove they don’t have any clear cardholder data, the audit can be averted.
Today, enabling and managing secure transactions and protecting cardholder data require that retailers implement a few extra security steps — point-to-point encryption and tokenization. These technologies can help retailers get steps ahead of both hackers and auditors and will do wonders to reassure customers. Talk about checking off the wish list!