26 Mar Why EMV Technology Is Only One Part of the Security Solution
U.S. retail and restaurant owners and operators have a big opportunity to improve security at the point of sale with EMV technology, a global standard for credit and debit payment cards based on chip card technology. It ensures that the card is authentic and belongs to the customer using it.
While most major national retail chains have implemented EMV, many more — including supermarkets, independent shops and restaurants — have not. According to Visa, as of December 2018, 67% of U.S. merchant locations are EMV-ready.
If you have not yet implemented EMV technology, be advised that liability for a fraudulent transaction is assumed by whichever party — merchant or bank — is less prepared to accept EMV. Previously the credit card companies paid the fraud bill. The potential losses from charge backs and fines you could incur could be significant. So you should invest in the POS hardware and software needed to accept EMV cards — but that’s only part of a total security solution. To fully protect data assets and customers’ digital privacy, you must add two additional layers of technology: encryption and tokenization.
Must Have: Encryption
Encrypting transaction data can prevent outsiders, like hackers, from discovering or tampering with data. With point-to-point encryption (P2PE) credit card information is encrypted instantly at the POS and transferred directly and securely to the payment processor where it is decrypted and processed. P2PE allows the information to be decrypted if there are intermediate stops in its journey, such as merchant to processor, processor to issuer, and issuer to merchant.
P2PE is often used with EMV technology, and can also protect card-not-present transactions. P2PE combines applications, secure devices and processes to encrypt data using the cryptographic keys that are only known to the payment company. Any P2PE-encrypted data intercepted by a fraudster is worthless.
Just As Important: Tokenization
Tokenization substitutes payment card data with surrogate values, referred to as “tokens.” These tokens can’t be used by criminals because they have no value outside of a specific merchant or acceptance channel.
Because some malware steals customer data before it can be tokenized, tokenization, P2PE and EMV technology need to be used together to optimize security and protect cardholder data.
One More Layer of Defense: Employee Training and PCI Compliance
Employee training is another part of your security solution. Your investment in EMV technology, encryption, and tokenization means little if your employees are not properly educated on security best practices. The Payment Card Industry Data Security Standard (PCI DSS) includes guidance on staff security training and requires that a formal security awareness program is implemented to make all employees aware of the importance of cardholder data security.
This training should cover education on PCI DSS itself as well as information held by credit cards and the steps in a payment transaction. It also includes practical steps employees can take to help keep data secure such as not communicating cardholder data to anyone outside the transaction process and steps to take in the event of a potential data breach.
You should implement EMV technology as soon as possible to protect your business from the liability associated with fraudulent credit card transactions, but you should also recognize the need for a comprehensive security solution to protect your data — and your business from the financial loss and damage to your reputation and brand that a data breach can cause.
Your point of sale provider is a great resource for security information and can help you implement a total security solution — after all, it’s something you won’t want to do just part way.