PCI BLOG. P2PE, EMV, Tokenization, Oh My!

Similar documents
EMV and Educational Institutions:

EMV FAQ S FROM A MERCHANT S PERSPECTIVE

Getting Out of PA-DSS Scope and Eliminating the High Cost of EMV: What you need to know

EMV THE DEFINITIVE GUIDE FOR US MERCHANTS AND POS RESELLERS

Frequently Asked Questions for Merchants May, 2015

Semi-Integrated EMV Payment Solution

EMV Frequently Asked Questions for Merchants May, 2015

EMV Implementation Guide

Tokenization: The Future of Payments

EMV Chip Cards. Table of Contents GENERAL BACKGROUND GENERAL FAQ FREQUENTLY ASKED QUESTIONS GENERAL BACKGROUND...1 GENERAL FAQ MERCHANT FAQ...

White Paper. Payment fraud threatens retail business. P2PE helps you fight back

EMV, PCI, Tokenization, Encryption What You Should Know for Presented by: The Bryan Cave Payments Team

It s Not Too Late for EMV What You Need To Do Now!

Why chip cards? HELP PREVENT FRAUD: HELP AVOID LIABILITY: ACCEPT MOBILE TAP & PAY TOO: DYNAMIC AUTHENTICATION: Contact us

EMV: Frequently Asked Questions for Merchants

Ignite Payment s Program on EMV

EMV Terminology Guide

Heartland Payment Systems

EMV Just the Facts. Ozarks Association of Government Accountants

The Small Business Guide to Mastering EMV

EMV WHAT DOES IT MEAN? HOW WILL IT AFFECT US? HOW DO WE SWITCH TO EMV?

See Your Customers, Not Payment

Version 7.4 & higher is Critical for all Customers Processing Credit Cards!

Visa and MasterCard Drive Adoption of EMV Payment Technologies in the United States

EMV Cards - Chipping Away at Fraud

Top 5 Facts Merchants Need To Know About EMV

Datacap s Guide to EMV in the US

Let s Talk about EMV. getnationwide.com

North America Terminal Brochure Guide

CHIP CARDS. Banks are issuing payment cards embedded with security chips to help protect you against fraud at the register. What is a Chip Card?

The Changing Landscape of Card Acceptance

EMV chip technology ARE COMPANIES AND CONSUMERS REALLY READY?

Is Your Organization Ready for the EMV Challenge?

Tokenization April Tokenization. Gregory H. Soule, CPA, CISA, CISSP, CFE Senior Manager. Andrews Hooper Pavlik PLC

FIS Global Retail Payments. Centralize your enterprise with ONE trusted partner.

FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY:

EMV Beyond October 1, Kristi Kuehn VP, Compliance Heartland

The Future of Payment Security in Canada

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SELF-ASSESSMENT QUESTIONNAIRE (SAQ) A GUIDE

Straight Answers on PCI and EMV

Protecting Payments Throughout the Ecosystem. Emma Sutcliffe Senior Director, Data Security Standards PCI Security Standards Council

E M V O V E R V I E W. July 2014

Introduction to EMV BEYOND PAYMENT

How EMV Compliance is Enhancing Self-Service Bill Payment

EMV Migration. What You Need to Know about the Technology, the Security Protection it Provides, and When to Implement

Agenda. What is EMV. Chip vs Mag Stripe. Benefits of EMV. Timeframes & Liability Shift. Costs. Things to consider. Questions

Merchant Considerations for U.S. Chip Migration. EMV Migration Forum/National Retail Federation September 2014

Merchant Considerations for U.S. Chip Migration. EMV Migration Forum/National Retail Federation September 2014

THE ADOPTION OF EMV TECHNOLOGY IN THE U.S. By Guy Berg Global Industry Sales Consultant Datacard Group

EMV Migration Updates and Next Steps

Credit and Debit Card Fraud

Minimizing the Impact of EMV & Churn on Your Subscription Business

MAKE WAY FOR THE EMV CREDIT CARD. What You Need to Know for a Smarter POS Strategy.

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

Risk-based Approach to PCI DSS Validation

Card Payment acceptance at Common Use positions at airports

Quick Guide. Token Service Provider

Receivables and Secure Payment Processing

EMV: Facts at a Glance

EMV IN HOSPITALITY 2 YEARS LATER

OTI Brings Diverse Cashless Payment Solutions to Worldwide Merchants

tripos: Building a next generation POS starts with the right payment solution

A Merchant s Path to EMV Understanding Impacts To Your Business

CCV s self-service payment solutions drive PCI-DSS-compliant security

Tokenization: What, Why and How

VARTECH NATION. EMV Certification for IT Professionals

Payment ProceSSing. As the digital landscape becomes more complex, so does handling digital payments. By Davina van Buren.

EMV: GET READY. Michelle Thornton, CO-OP Financial Services

White Paper PCI-Validated Point-to-Point Encryption On Microsoft Azure. By Christopher Kronenthal, Chief Technology Officer

The Evolution of Payments on Campus

EMV is coming. Here s how to stay ahead of the trend. Presented by CO-OP Financial Services

ATM Webinar Questions and Answers May, 2014

Commerce Driver. ios Quick-Start Guide v1.0

INNOVATION AT A GLANCE. Wally Mlynarski Chief Product Officer

EMV is coming. But it s ever changing.

THE FUTURE OF TRANSACTING

Payment Card Industry Data Security Standard Self-Assessment Questionnaire B Guide

CHIP CARDS: WILL THEY PREVENT FRAUD?

Payment Card Industry Compliance. May 12, 2011

SellWise User Group. Thursday, July 16, Presenters. Will Atkinson, President CAP/Sellwise Mike Watkins, Member Care & Shared Services

Mobile Payment Platforms For The Artist

10 payment. acronyms that aren t what you think they are

PROTECT AGAINST A DATA BREACH & ADDRESS PCI DSS COMPLIANCE WITH TRUSTCOMMERCE

U.S. Bank. U.S. Bank Chip Card FAQs for Program Administrators. In this guide you will fnd: Explaining Chip Card Technology (EMV)

Investigating the myths and realities of contactless payment

Ensuring the Safety & Security of Payments. Faster Payments Symposium August 4, 2015

In this Document: EMV Payment Tokenisation Payment Account Reference (PAR) FAQ EMV Payment Tokenisation Technical FAQ

Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization

EMV & Fraud POS Fraud Mitigation Tips for Merchants First Data Corporation. All Rights Reserved.

Secure Remote Payment Council (SRPc) White Paper Discussion: EMV Enhancements Post Implementation September 13, 2016

Covering Your Assets: Payment Landscape and Technology

Quick Guide. Token Service Provider

EMV Adoption in the U.S.

Electronic Payments in US

MITIGATE THE RISK OF FRAUD AND COMPLIANCE COSTS with EMV mandates. An NCR white paper

Dates Visa MasterCard Discover American Express. Acquirers, subprocessors. support EMV. International ATM liability shift 2

Merchant Services What You Need to Know. Agenda 6/5/2017. Overview of Merchant Services. EMV, Tokenization/Encryption, and PCI (Oh My!

Changing Consumer Purchasing Patterns

PIN Issuance & Management

SAMPLE DATA FLOW DIAGRAMS for MERCHANT ENVIRONMENTS

Transcription:

Page 1 of 8 PCI BLOG THE UNOFFICIAL PCI COMPLIANCE & IT SECURITY BLOG HOME PCI IN THE NEWS PCI TOOLS IT SEC. JOB BOARD DOCUMENTS CONTACT US FORUM P2PE, EMV, Tokenization, Oh My! June 14, 2016 PCI Blog Cardholder Data Environment (CDE), E2EE, Encryption, Guidance, Ingenico, P2PE, Payments Industry, PCI Blog, Point to Point Encryption (P2PE), PTS, SRED, Tokenization 2 TRENDING ARTICLES Security Alert: EMV Skimmers Now Available for Purchase [Video] October 20, 2016 0 Part I: Understandin g the SAQ P2PE for PCI SSC Validated P2PE Solutions September 5, 2016 0 Security Alert: Oracle Micros POS Breach August 8, 2016 0 Unless you re an industry expert, understanding the many industry technologies such as Point-to-Point Encryption (P2PE), EMV and Tokenization and their confusing acronyms can be P2PE, EMV, Tokenization, Oh My! June 14, 2016 2

Page 2 of 8 extremely difficult. For most merchants, payments security focuses on three major goals: 1. Prevent a data breach by limiting or removing sensitive credit card data from their environment, and 2. Prevent acquirer charge backs as a result of credit card fraud 3. Simplify PCI Data Security Standards (DSS) compliance Payment Processing BOOK RECOMMENDATION What is Point-to-Point Encryption (P2PE)? Point-to-Point Encryption, also known as P2PE, is a payments industry standard which encrypts sensitive cardholder data upon swipe, dip or other payment method, such as NFC mobile wallets like Apple Pay or manual/hand-keyed transactions. The payment method does not matter, and all data, regardless of whether accepted through the magnetic stripe, EMV reader or NFC module, is encrypted within the payment terminal. In the case of PCI Validated P2PE solution s, the devices are what s known as SRED certified, which stands for Secure Read and Exchange of data. The SRED module within the device is a requirement for PCI Validated P2PE solution, and is a segmented processor within the device used specifically for encryption processes. In the United States, Ingenico (side image) or Verifone are the leading payment terminal providers in the U.S., and are both the leaders in SRED-approved devices. In most cases, Ingenico or Verifone devices are implemented with PCI Validated P2PE solutions. 4.5 Stars on Amazon CONSIDER SUPPORTING OUR SPONSORS

Page 3 of 8 P2PE solutions come in many flavors, such as non-integrated or semi-integrated, but that is a discussion for another post. It is important to note that the PCI Security Standards Council has an official standard for point-to-point encryption solutions, which was released in 2012. This is what we refer to as PCI Validated P2PE or, simply, PCI P2PE. Although P2PE and E2EE solutions are not required to validate to the PCI P2PE standard, most merchants are moving towards only those solutions that have been independently validated by a QSA and meet the PCI P2PE security standards. The full list of PCI Validated P2PE solution providers can be found at the link below: https://www.pcisecuritystandards.org/assessors_and_solutio ns/point_to_point_encryption_solutions The purpose of point-to-point encryption is to render sensitive cardholder and Personally Identifiable Information (PII) useless. As most security experts tell you, it s not a question of if you will get hacked, it s a question of when. With that, the purpose of Point-to-Point Encryption (P2PE) is to ensure that the cardholder data is encrypted before it enters the merchant network or systems in any way, transforming a once-sensitive payment environment to a non-sensitive environment (at least as it relates to credit card data). Once the payment data is encrypted within the payment terminal, the data is protected throughout transit to the backend solution provider, where the data is then decrypted for processing. Depending on the solution provider, the data may be decryped at a payment gateway and then sent over SSL/TLS or direct circuit to the processor, or the data is decrypted at the backend processor. To date, though, no backend processor (e.g., First Data, TSYS, etc.) has a PCI Validated P2PE solution, although this is likely in the works by many of the major backend credit card processing providers. To learn more about the differences of scope reduction between encryption solutions, such as an E2EE or P2PE solution, versus a PCI Validated P2PE solution, view our post on PCI Validated P2PE: PCI Validated P2PE Explained

Page 4 of 8 P2PE Summary: Point-to-Point Encryption (P2PE) makes data unusable and protects merchants from a potential data breach. What is EMV? The EMV acronym stands for Europay, MasterCard and Visa, the organizations who initially built the EMV technical standard, which is managed and overseen by EMVCo (click to visit their website). EMV is the integrated chip that consumers are now finding embedded in their newly issued credit cards. Unlike Point-to-Point Encryption (P2PE), the purpose of EMV is two-fold: 1. Validat e consu mer identity 2. Preven t fraud Notice from the above, that encryption is not a purpose of EMV. Once again, protecting data in transit. or within your POS or other systems, is not a purpose of EMV. It s important to understand this point, as EMV became the focal point following the major breaches of 2014. Once again, EMV is not a data security solution and it would not have prevented the breaches like Target, Home Depot and others point-to-point encryption likely would have, however. That being said, our purpose is not to undermine the importance of EMV as a fraud prevention technology. EMV is a crucial technology in payments security, which aims to validate a consumer s identity in real-time at the point-of-sale and to also prevent fraud by making chips nearly impossible to duplicate. Unlike magnetic strip cards, the EMV chip cannot be duplicated. When consumers complain about fraudulent credit card charges, it s often the result of their data being stolen due to a data breach within the merchant environment

Page 5 of 8 (Prevention: Point-to-Point Encryption) and then a criminal utilizing a tool to write that stolen credit card information to a magnetic strip (Prevention: EMV). These tools are cheap, and combined with a simple software program can be easily utilized to write stolen credit card information to a blank magnetic strip card. A quick Google search demonstrates how easy and affordable it is for criminals to obtain the hardware to create fraudulent magnetic stripe cards: https://www.google.com/search? q=magentic+stripe+card+reader#tbm=shop&q=% 22magnetic+stripe%22+%22card+writer%22 There is no such technology (at least yet) that can be used to duplicate the chip in EMV cards. So, in cases where a data breach occurs and credit card data is stolen, criminals are only able to duplicate that card data onto magnetic stripe card. This is usually what occurred when you see three charges at a gas station for $75, four states away. As a result, in geographic regions where EMV is the primary acceptance type, such as Europe, card present fraud with duplicated cards is extremely low. EMV Summary: EMV works to prevent fraud by verifying the identity of the consumer in real time, and disallows the copying and duplication of chip cards. What is Tokenization? Tokenization is often confused with point-to-point encryption (P2PE), as both solutions involve once-sensitive data being converted into non-sensitive data that is useless to hackers. Tokenization and P2PE are very different however, and solve two very different purposes within a merchant environment. Where P2PE utilizes an encryption algorithm (e.g., TDES- DUKPT, AES,

Page 6 of 8 RSA, etc.) to encrypt the sensitive payment data within the payment terminal, tokenization only occurs after the transaction has already traversed through the POS system and network, and is sent out to the processor for an authorization. On the way back from the processor, a token is sent back to the point-of-sale with the approved authorization. This token is simply a numerical value that represents the actual card number within the payment system, but is not considered sensitive. The token is usually provided by the payment gateway (e.g. Merchant Link) or processor (e.g. Vantiv), and that same provider holds the token vault, which is where each token is mapped to the real card number. The token allows for a merchant to store a number that represents a card number within their environment. The merchant can then treat that token as if it were a real card number, allowing them to run additional sales, refunds, voids, etc., without the burden of maintaining true cardholder data which would be subject to PCI DSS restrictions. Tokenization Summary: Tokenization replaces real credit card numbers with non-sensitive numbers within a merchant s POS environment, after an authorization occurs. Have questions about P2PE vs. EMV vs. Tokenization? Head over to our Q & A section to ask a question. We will do our best to answer it within 24 hours! Share this: 1 Related

Page 7 of 8 EMV VS TOKENIZATION P2PE VS EMV P2PE VS TOKENIZATION About PCI Blog 14 Articles PCI Blog is the most trusted PCI Compliance and IT Security blog on the web. Authored by industry experts within the payments and IT security industries, PCI Blog provides insight on the complex world behind modern compliance and security standards. As a wholly independent source of news within the payments industry, PCI Blog focuses on the ever-changing responsibilities of merchants who accept credit cards. PCI Blog also provides reviews on PCI compliance tools and enterprise security solutions to offer a fair, independent critique of product offerings within the payments industry. PREVIOUS ARTICLE NEXT ARTICLE 2 TRACKBACKS & PINGBACKS Security Alert: EMV Skimmers Being Sold Online [Video] PCI Blog Security Alert: EMV Skimmers Now Available for Purchase Online [Video] PCI Blog

Page 8 of 8 Leave a Reply PCIBlog.org - The Unofficial PCI Blog Copyright 2016

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback