Security Concerns Will Dominate Payments Space In 2015
Ingenico Group works closely with merchants of all sizes in the U.S., and one of the most frequent questions we get from reseller and managed services partners is, “What is the key concern among your merchant customers that we need to address?”
Without a doubt, that key concern is preventing breaches and protecting consumers’ card data.
There were a multitude of large, well-publicized card data breaches in 2014. Some of that may be the natural consequence of the U.S. being the last developed country in the world relying on mag stripe technology. With the October 2015 EMV liability shift approaching, U.S. merchants are at long last upgrading their payment infrastructure for chip cards, and that may help stem the tide of card reproduction fraud. But merchants are still very concerned, and are looking to ensure that they’re doing everything they can to protect customers’ data and their own reputations.
Stage Stores is one such merchant. This leading neighborhood retailer delivers brand-name family apparel in 40 states across the U.S. The company has implemented point-to-point encryption (P2PE) for its almost 900 stores. Now customers shopping at Stage Stores’ five brands (Bealls, Goody’s, Palais Royal, Peebles and Stage) will conduct their payment transactions on Ingenico terminals that encrypt from the moment the transaction enters the terminal. Stage Stores CIO Steven Hunter says that securing customers’ information is the company’s #1 priority in 2015.
P2PE and tokenization are the best weapons a merchant has against card fraud. P2PE is about protecting data in flight, and tokenization is about protecting data at rest. Every merchant needs P2PE; most (but not all) need tokenization. We believe that virtually all Tier 1 and 2 merchants will have implemented one or both by the end of 2015. Here’s why:
P2PE: Although chip cards make card cloning very difficult, they do not immediately address card data in flight. P2PE is a security solution that helps protect card data while in transit to the merchant’s processor. In a P2PE environment, card data is encrypted at the point of entry so that raw card data is never exposed to internal systems or legible to would-be criminals. It is not decrypted until it reaches the point of processing. When implemented properly, P2PE can help merchants reduce their PCI DSS scope, but more importantly, it reduces overall risk, which is why it’s so effective.
It is a simple concept, yet many merchants did not consider implementing P2PE until recently, when bad publicity over card breaches made it dangerous to ignore. Now is also a good insertion point for P2PE, as many retailers are analyzing their POS systems and terminals in preparation for EMV acceptance.
Tokenization: In the payments world, tokenization is a solution that replaces a customer’s debit or credit card number with a surrogate value (called a token). The token is returned post authorization by the merchant’s payment processor or transaction service provider. Tokens eliminate the need for merchants to store customer card data in their own systems. Many merchants rely on this data for legitimate business reasons like recurring billing and automated returns, but do not want the risk of stored card data as a consequence. Instead, unique tokens are stored and used in place of a card number to process subsequent transactions. Thus, in the event of a merchant data breach, criminals are not able to access actual card data — just encrypted tokens that are meaningless to any entity except the original card processor.
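The token flow described above, sketched as an added example (not code from this article or from any vendor it names). The `Processor` class, its method names, the `tok_` format and the per-merchant scoping of tokens are assumptions made for illustration.

```python
import secrets

class Processor:
    """Hypothetical processor-side vault: the only place card numbers are kept."""

    def __init__(self):
        self._vault = {}   # token -> (merchant_id, pan)
        self._issued = {}  # (merchant_id, pan) -> token, so a repeat card reuses its token

    @staticmethod
    def _luhn_ok(pan):
        digits = [int(c) for c in reversed(pan)]
        total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
        return total % 10 == 0

    def authorize(self, merchant_id, pan, amount_cents):
        """First transaction: the card number arrives once, a token is returned."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self._luhn_ok(pan)):
            return {"approved": False, "token": None}
        key = (merchant_id, pan)
        token = self._issued.get(key)
        if token is None:
            # Random surrogate, not derived from the card number, so it cannot
            # be reversed without access to this vault.
            token = "tok_" + secrets.token_hex(12)
            self._issued[key] = token
            self._vault[token] = key
        return {"approved": True, "token": token, "last4": pan[-4:],
                "amount_cents": amount_cents}

    def charge_token(self, merchant_id, token, amount_cents):
        """Later transaction (recurring billing, return) using only the token."""
        entry = self._vault.get(token)
        # Assumption: a token is honoured only for the merchant it was issued to.
        if entry is None or entry[0] != merchant_id:
            return {"approved": False}
        _merchant, pan = entry  # de-tokenization happens only inside the processor
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

def demo():
    processor = Processor()
    pan = "4111111111111111"  # constructed sample: a standard test number, not a real card
    first = processor.authorize("merchant-A", pan, 4999)
    # The merchant's own database keeps the token and last four digits only.
    merchant_db = {"customer-17": {"token": first["token"], "last4": first["last4"]}}
    stored = merchant_db["customer-17"]["token"]
    renewal = processor.charge_token("merchant-A", stored, 4999)
    replay = processor.charge_token("merchant-B", stored, 4999)  # token copied elsewhere
    return merchant_db, renewal, replay
```
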
Tokenization has gained interest recently due to its use in Apple Pay as a security feature that substitutes your actual card number in the iPhone with a token that is used when you present a payment. While many are under the impression that Apple invented tokenization, this is not so. Tokenization has been used in the electronic payment and e-commerce worlds for many years. Apple Pay has brought attention to tokenization, which we believe is a good thing, because now both merchants and cardholders are asking about it.
Most payment solutions vendors and processors offer some flavor of P2PE and/or tokenization, making it easy for you to add them to your portfolio. Look for solutions that are already proven in the field and certified for EMV Level 1 & 2 and PCI PTS 3.0 or higher.
Merchants are actively looking for these technologies; in fact, they shouldn’t seriously consider a payment solution that doesn’t incorporate the latest security features. That means resellers and managed service providers need to ensure they can provide them.
Thierry Denis is President of Ingenico North America. He has 20+ years’ experience in the payments technology space. At Ingenico Group, he works closely with merchants, processors and acquirers to help them implement secure and seamless end-to-end payment solutions.
Link to original content: http://www.bsminfo.com/doc/security-concerns-will-dominate-payments-space-in-0001