
Lessons Learned From The Latest Retail Data Breaches - Honeywell's Bob Grabowski

By square1

The recent, highly publicised data breaches at prominent retailers, smack in the midst of the holiday shopping season, teach the lesson that building a cyber moat around the enterprise is not enough, writes Bob Grabowski, vertical marketing manager for retail at Honeywell Scanning & Mobility.

The data itself needs to be secured, adding a potent layer of security that will defeat most attempts to monetise stolen data.

Sophisticated and organised identity thieves can get behind even the most diligent retailer’s firewall.

It happens to the most secure government agencies.

So it’s no surprise it happens to retailers following PCI guidelines.


It’s time to up the game and secure the data itself.

PCI has embraced the concept of point-to-point encryption and tokenisation to lock down the data itself. 

It’s a simple concept — encrypt data before any software can read it, and don’t store it in the retailer's system.

One way identity thieves have succeeded is by finding clever ways to get through a firewall (e.g. stealing bona fide login credentials), planting malware that intercepts and stores card holder data, and then uploading that data at a later time.


Encrypting card holder data defeats this method. 

This scenario is reminiscent of the evolution of WiFi security.

WiFi data was originally sent in the clear.

Identity thieves began sniffing and recording data.


WiFi standards bodies first attempted to close the breach by encrypting data (WEP), but without securing the encryption keys, which need to be exchanged to facilitate communication.

That breach finally closed in the next round of security standards (WPA/2), where strong cryptography was adopted, and data encryption keys were themselves secured using encrypted key exchanges.

The Payment Card Industry (PCI) is following a similar approach to WiFi data security.

PCI first recommends card holder data get encrypted at the source, the card reader itself, before any software can read it.


Encrypted data is then sent as usual to the merchant’s gateway or payment processor hosting a P2PE solution, meaning the gateway or processor decrypts the data before sending it out over a secure connection to the card networks (VISA, MasterCard, Discover, AMEX). 

As in the WiFi analogy, PCI recommends card readers use strong TDES or AES cryptography (WPA/2 uses AES), and tasks the P2PE solutions provider (the gateway or payment processor who decrypts card holder data) to manage encryption keys, as they do today for PIN entry devices.

EMV will help, but won’t completely solve the problem.

Identity thieves target merchants because they can monetise stolen data in two ways — create duplicate cards for use in brick-and-mortar retailing, and use the data to make online eCommerce purchases.

EMV authenticates the card at the point of interaction, eliminating card duplication as a revenue stream for identity thieves. 

The ability to easily duplicate cards creates a bias to target merchants. 

Once EMV is in widespread use, this bias will be eliminated.

However, EMV doesn’t eliminate the need to pass card holder data back into the payment system.

So the need to secure data will still exist.

PCI recommends encryption keys get injected in a secure, PCI certified facility, by a PCI certified service provider. 

That key injection service provider downloads keys securely from the P2PE service provider. 

PCI then recommends those keys get rotated annually, to reduce the impact of a breach where identity thieves get to the encryption keys. 

A better, also approved, method is DUKPT (Derived Unique Key Per Transaction) key management.

With DUKPT, the card reader calculates a unique encryption key for each payment transaction.

Annual key rotation is no longer required.
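As an added illustration (not part of Grabowski's article or any Honeywell product), the following Python models the P2PE and DUKPT principles described above: the reader holds only a device key (IPEK) derived from a base derivation key (BDK) that never leaves the P2PE provider, derives a fresh key for every transaction from its KSN counter, and the provider recreates that key from the transmitted KSN to decrypt. The HMAC-based key derivation and stream cipher are constructed stand-ins for ANSI X9.24 DUKPT and TDES/AES, and the future-key table and key erasure of real DUKPT are omitted.

```python
import hashlib
import hmac


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial key injected into one reader, derived from the BDK the reader never sees."""
    return hmac.new(bdk, b"IPEK" + device_id, hashlib.sha256).digest()


def transaction_key(ipek: bytes, counter: int) -> bytes:
    """One-way derivation of a per-transaction key from the IPEK and the KSN counter."""
    return hmac.new(ipek, b"TXN" + counter.to_bytes(4, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative HMAC-counter stream cipher standing in for TDES/AES (same call decrypts)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CardReader:
    """Encrypts at the source; no software on the merchant's systems sees the PAN."""

    def __init__(self, ipek: bytes, device_id: bytes) -> None:
        self.ipek, self.device_id, self.counter = ipek, device_id, 0

    def swipe(self, pan: bytes) -> dict:
        self.counter += 1  # KSN counter advances, so every swipe gets a new key
        nonce = self.device_id + self.counter.to_bytes(4, "big")
        ct = keystream_xor(transaction_key(self.ipek, self.counter), nonce, pan)
        return {"ksn": (self.device_id, self.counter), "ct": ct}  # KSN travels in the clear


class P2PEProvider:
    """Holds the BDK and re-derives the transaction key from the KSN to decrypt."""

    def __init__(self, bdk: bytes) -> None:
        self.bdk = bdk

    def decrypt(self, msg: dict) -> bytes:
        device_id, counter = msg["ksn"]
        key = transaction_key(derive_ipek(self.bdk, device_id), counter)
        return keystream_xor(key, device_id + counter.to_bytes(4, "big"), msg["ct"])


def demo() -> dict:
    bdk = hashlib.sha256(b"constructed BDK, kept only in the provider HSM").digest()
    reader = CardReader(derive_ipek(bdk, b"READER01"), b"READER01")
    provider, pan = P2PEProvider(bdk), b"4111111111111111"  # constructed test PAN
    m1, m2 = reader.swipe(pan), reader.swipe(pan)
    return {"merchant_sees_pan": pan in m1["ct"] or pan in m2["ct"],
            "ciphertexts_differ": m1["ct"] != m2["ct"],
            "provider_recovers": provider.decrypt(m1) == pan and provider.decrypt(m2) == pan}
```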

Author: Bob Grabowski, Vertical Marketing Manager, Retail, Honeywell Scanning & Mobility, edited by ESM
