It seems like every week we hear about another credit card breach involving a well-known national retail brand. Credit card data, including cardholder names, expiration dates and primary account numbers (PANs), is being stolen and then used or resold.
In fact, the U.S. Federal Trade Commission reported last year that 10 percent of Americans have been victims of credit card fraud. Additionally, a Gallup poll reported that almost 70 percent of Americans worry that hackers will steal their credit card numbers from retailers. Credit card breaches have resulted in catastrophic financial and reputational damage to consumers, retail stores, credit card issuers and credit card processors.
POS Security Breaches
Home Depot, Neiman Marcus, Nordstrom, Target and Michaels Stores are just a few of the retailers that have been hacked. If some of our nation’s largest companies have had major breaches, how can smaller retailers protect themselves? Two of the largest attacks, affecting Home Depot and Target, occurred at the point of sale (POS). In fact, POS attacks account for 31 percent of all breaches.
Where P2PE Comes In
The best way to ensure that POS computers are safe is to remove the ability of magnetic swipe readers to read and transmit credit card data in clear text. Readers must instead encrypt the data in hardware, using point-to-point encryption (P2PE).
With point-to-point encryption (P2PE), the retailer, whether large or small, is protected at the highest level from breaches, as no readable card data is ever processed, stored or transmitted by the retailer. The machine instead transmits encrypted data represented by 200+ numbers and letters. The data is secure from vulnerabilities and breaches from the very moment the credit card is swiped.
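As an added example (not from the original article), here is a check that a retailer's team could run over data captured on the POS side of a card reader to confirm the property described above: that no readable card data reaches the POS. The function names and both sample payloads are constructed for illustration; the PAN is the widely used test number 4111111111111111.

```python
import re

# ISO/IEC 7813 magnetic-stripe layouts; sentinels mark raw track data.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]*\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")
# A bare PAN: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_card_data(payload: str) -> list:
    """Return (kind, offset) pairs; the card data itself is never returned."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        findings += [(kind, m.start()) for m in rx.finditer(payload)]
    findings += [("pan", m.start()) for m in PAN_RE.finditer(payload)
                 if luhn_ok(m.group())]
    return findings


# Constructed samples (assumptions, not real card data or real reader output).
CLEAR_SWIPE = ";4111111111111111=30121010000000000000?"  # track 2 with test PAN
ENCRYPTED_SWIPE = "9F3A7C1E5B2D8A4F6C0E" * 11  # stand-in for a 200+ char P2PE blob

if __name__ == "__main__":
    for name, data in (("clear", CLEAR_SWIPE), ("p2pe", ENCRYPTED_SWIPE)):
        hits = find_cleartext_card_data(data)
        print(name, "FAIL" if hits else "ok", hits)
```

Hex-encoded ciphertext can contain digit runs that pass the Luhn check by chance, so a bare "pan" hit needs triage, while a track sentinel hit is the stronger signal that a reader is sending clear text.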
Why EMV Is Not Enough
The requirement to start implementing EMV “Chip and PIN” by October 2015 does not actually include encrypting the card swipe, and when initially rolled out, there will be a chip and signature process only, without the protection of a PIN. This means that the retailer will still be vulnerable to attacks. It is projected that only 58 percent of credit cards will be EMV-compliant by the end of next year and only 26 percent of check-out terminals will be equipped to handle them (according to Mercator), meaning that a swipe process will still be used in the majority of transactions for a long time to come.
So to truly prevent hacking, payment processors must incorporate P2PE in their lineup of EMV-enabled readers. Companies will incur expenses changing to a secure P2PE system, but the cost is minimal compared to the massive loss of revenue from a hack. Retailers need to ensure they are PCI compliant, and using point-to-point encryption together with EMV can actually reduce the scope of PCI-related questionnaires and audits.
It’s obviously up to individual retailers to evaluate their forward-looking risk connected with credit card fraud and whether or not they can justify the expense of upgrading their payment processing hardware. However, it is important to bear in mind that consumers are more aware than ever of this problem and are relying upon their favorite retailers to do everything possible to protect them.
By using embedded chips to validate the authenticity of a card, EMV dramatically reduces the likelihood that fraudulent cards will be made or used. However, P2PE is needed as well to prevent credit card information from being available to hackers as it travels from the reader to the processor.