The recent security breaches at Neiman Marcus and Target remind those of us in the payments industry that as criminal efforts to steal cardholder data become more sophisticated, so must the methods we use to prevent these crimes.
Magnetic stripe card technology is no longer compatible with a secure payments environment but it doesn’t follow that EMV has all the answers, at least not by itself. Criminals will always find ways to steal information, so the goal is to ensure any compromised card data is useless to any unauthorized person who accesses it. This can only be achieved using a three-pronged approach to payment security involving standards, processes, and security technology. The good news is that we already have the necessary standards, processes, and technology to prevent the unauthorized collection and use of sensitive cardholder data. The secret to securing your payments environment is to deploy them all to work in harmony.
Best-practice processes are defined in the PCI Security Standards Council's standards, chiefly PCI DSS. We have strong capabilities from the technology we use in payments, including tokenization and encryption. And, finally, there is the global EMV chip card standard with its own built-in security capabilities.
PCI covers three critical areas: the card data itself, the processing hardware and the processing software. Despite occasional misgivings, there are some extremely effective systems and processes within the PCI standards. For example, PCI DSS sets the controls that protect stored cardholder data (it also addresses transmission over open networks, but its emphasis is on data at rest in the merchant environment). PCI PTS is a validation process that ensures the PIN entry devices we use every day are fit for purpose. And PA-DSS is a software validation that helps vendors develop secure payment applications that do not store prohibited data such as full track data, card verification codes or PIN blocks after authorization.
While PCI has a strong focus on data at rest, the industry handles tens of millions of transactions a day in which the data is in motion. For this, technologies such as tokenization and end-to-end encryption play a very strong role.
Tokenization replaces the sensitive cardholder data with a randomly generated value, the token, that stands in for the primary account number (PAN) in the transaction. The token should carry no recoverable information about the PAN, so it must be random rather than derived from the PAN by a reversible transformation. In some instances it is a one-time token generated at the time of purchase and used in the authorization process. In other cases the token is card-specific and replaces the cardholder data in the merchant environment post-authorization for all subsequent business purposes, such as refunds and recurring billing. In both cases the original data is held securely in a token vault away from the merchant location. Tokenization can be used for all transactions and transaction types, regardless of the point-of-sale entry mode: magnetic stripe, contactless or EMV chip.
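As an added example (not code from the original article or from Acquirer Systems), the following Python token vault shows the two token styles described above: a one-time token that is consumed by authorization, and a card-specific token that persists for post-authorization use. The vault design, the Luhn check used to validate input, the decision to make tokens fail Luhn so they can never be mistaken for a live PAN, and the test PANs are assumptions of this illustration; a real vault runs as a separate, PCI-scoped service with persistent, access-controlled storage rather than an in-memory dictionary.

```python
import secrets
import string

# Constructed sample PANs for this example (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault kept off the merchant network (assumption of this example).

    Tokens are random (never derived from the PAN), keep the PAN's length and
    last four digits so receipts and reports still work, and are forced to
    FAIL the Luhn check so a token can never be mistaken for a live PAN.
    """

    def __init__(self) -> None:
        self._token_to_pan = {}     # token -> PAN, for every live token
        self._pan_to_token = {}     # PAN -> token, card-specific tokens only
        self._one_time = set()      # tokens that die on first detokenization

    def _fresh_token(self, pan: str) -> str:
        while True:
            middle = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize_one_time(self, pan: str) -> str:
        """Single-use token minted at purchase and consumed by authorization."""
        if not luhn_valid(pan):
            raise ValueError("input does not look like a PAN")
        token = self._fresh_token(pan)
        self._token_to_pan[token] = pan
        self._one_time.add(token)
        return token

    def tokenize_card(self, pan: str) -> str:
        """Card-specific token: the same PAN always maps to the same token, so
        the merchant can run refunds, recurring billing and analytics
        post-authorization without ever holding the PAN."""
        if not luhn_valid(pan):
            raise ValueError("input does not look like a PAN")
        if pan not in self._pan_to_token:
            token = self._fresh_token(pan)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        """Resolve a token to its PAN. One-time tokens are destroyed on first
        use, so a replayed or stolen one-time token resolves to nothing."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown or already-consumed token")
        if token in self._one_time:
            self._one_time.discard(token)
            del self._token_to_pan[token]
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(pan, "->", vault.tokenize_card(pan), "(card-specific)",
              vault.tokenize_one_time(pan), "(one-time)")
```

Only the vault ever sees a PAN; the merchant stores and transmits tokens, and a breach of the merchant's systems yields values that cannot be converted back to account numbers without access to the vault.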
End-to-end encryption, from the PIN pad or card reader all the way to the acquirer's processing, is becoming more and more common (PCI calls a validated implementation point-to-point encryption, P2PE). The PAN is encrypted at the moment of swipe, tap or insertion inside the tamper-resistant secure module of the PIN pad or reader, so it is never in the clear on the point-of-sale system or the merchant network. The key used is either asymmetric (a public key, typically RSA) or, more commonly, symmetric (a shared key such as 3DES, with a unique key per transaction derived under DUKPT, Derived Unique Key Per Transaction). This is the same mechanism used to protect a debit PIN: the PIN block is encrypted under a DUKPT-derived key, so compromise of one transaction's key exposes nothing else.
All of these solutions provide strong protection for sensitive cardholder data, but there will be times when the data is compromised, either individually, such as a card's magnetic stripe data being copied by a skimmer, or in bulk, such as machine-readable card data being captured from a compromised point-of-sale system.
EMV can play a strong role here. EMV has three distinct and complementary security features that can prevent the reuse of compromised cardholder data.
The first is an alternative Card Verification Value (CVV). An EMV card carries two copies of the track 2 data: one on the magnetic stripe, whose CVV field holds the familiar CVV1, and one in the chip (the Track 2 Equivalent Data), whose CVV field holds a different value, the iCVV. The issuer checks which value it receives against the entry mode, so track 2 data read from the chip cannot be written to a magnetic stripe and accepted, and stripe data cannot be presented as a chip transaction. Together with the CVV itself, which is not printed on the card, this stops fraudsters from producing a working clone from one copy of the data, or from simply guessing track 2 values and expiry dates.
Secondly, EMV provides a high-security system, using RSA public/private key cryptography, to let a terminal quickly verify that the card presented is genuine. In Dynamic Data Authentication (DDA) the card scheme's certificate authority signs the issuer's public key, producing an issuer public key certificate. That certificate is placed on the card, and the terminal, which holds the scheme's public key, uses it to validate the issuer key. The issuer key in turn validates a certificate over a card-unique (ICC) public key. Finally the card signs dynamic data that includes an unpredictable number supplied by the terminal, and the terminal checks that signature with the card-unique key. Each step depends on the one before it, so the whole key chain is validated on every transaction, and because the signed data changes with the terminal's random number, a recorded signature cannot be replayed.
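As an added example (not from the original article), the DDA key chain just described can be walked through with a toy RSA implementation built only from Python's standard library. The small key sizes, the SHA-256 digest of the signed data, the way keys and certificates are encoded, and the function names are assumptions made for illustration; real EMV uses the scheme's RSA keys of 1024 bits or more with the certificate and signature formats defined in EMV Book 2, and the card's private key never leaves the chip.

```python
import hashlib
import random

# Toy RSA on small primes, as a stand-in for the scheme-sized keys real EMV uses.
# Illustration only: NOT a secure signature scheme (assumption of this example).


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits=64):
    """Return ((n, e), (n, d)): a toy RSA public/private key pair."""
    e = 65537
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        q = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p == q or not _is_probable_prime(p) or not _is_probable_prime(q):
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % e == 0:          # e is prime, so this is the only gcd failure
            continue
        return (n, e), (n, pow(e, -1, phi))


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


def _encode(pub):
    """Byte encoding of a public key, the thing a certificate signs over (assumption)."""
    return f"{pub[0]}:{pub[1]}".encode()


def personalise_card(ca_priv, pan):
    """Issuer personalisation: the scheme CA certifies the issuer key, the issuer
    certifies the card-unique ICC key (bound to the PAN), all stored on the card."""
    issuer_pub, issuer_priv = gen_key()
    icc_pub, icc_priv = gen_key()
    return {
        "pan": pan,
        "issuer_pub": issuer_pub,
        "issuer_cert": sign(ca_priv, _encode(issuer_pub)),
        "icc_pub": icc_pub,
        "icc_cert": sign(issuer_priv, _encode(icc_pub) + pan.encode()),
        "_icc_priv": icc_priv,      # in reality never leaves the chip
    }


def card_sign_dynamic(card, unpredictable_number):
    """The chip signs its own fresh number plus the terminal's unpredictable number."""
    icc_dynamic_number = random.getrandbits(32).to_bytes(4, "big")
    dynamic_data = icc_dynamic_number + unpredictable_number
    return dynamic_data, sign(card["_icc_priv"], dynamic_data)


def terminal_verify_dda(ca_pub, card, unpredictable_number, dynamic_data, sdad):
    """Walk the chain: scheme CA key -> issuer key -> ICC key -> dynamic signature."""
    if not verify(ca_pub, _encode(card["issuer_pub"]), card["issuer_cert"]):
        return False                                    # issuer certificate bad
    if not verify(card["issuer_pub"], _encode(card["icc_pub"]) + card["pan"].encode(),
                  card["icc_cert"]):
        return False                                    # ICC certificate bad or wrong PAN
    if not dynamic_data.endswith(unpredictable_number):
        return False                                    # not signed over OUR nonce: replay
    return verify(card["icc_pub"], dynamic_data, sdad)  # signature by the card-unique key
```

The unpredictable number is what turns a static certificate chain into proof that the chip is present now: a skimmer that recorded a previous signature cannot answer a terminal that picks a fresh number, and a card with copied certificates but no ICC private key cannot sign at all.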
The third security feature is the cryptograms. Simply put, these are transaction-unique cryptographic codes computed over the transaction data by the card (the Authorization Request Cryptogram, ARQC) and by the issuer (the Authorization Response Cryptogram, ARPC). They are message authentication codes computed with a symmetric key shared only by the chip and the issuer, not digital signatures in the public-key sense, and they give a per-transaction guarantee that the data came from the genuine card and was not altered on the way to the issuer.
In addition to these key security features, the data flow from an EMV transaction is very rich. The Application Transaction Counter (ATC), which the chip increments on every transaction, and the Card Verification Results (CVR) allow an issuer to detect a replayed transaction, and to confirm that the data presented to the issuer, either in real-time authorization or in later clearing, matches the transaction data that the card itself saw and protected with its cryptogram.
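As an added example (not code from the article), the cryptogram and counter checks in the two paragraphs above, worked through in Python: an HMAC-SHA256 stand-in for the card's MAC, a session key derived from the ATC, an issuer that rejects altered data and non-increasing counters, an ARPC the card can verify, and a clearing check against the amount that was authorized. The use of HMAC-SHA256, the key-derivation functions, the field layout and the sample keys are assumptions of this illustration; real cards compute 3DES or AES MACs over the EMV-defined transaction data with keys derived as specified in EMV Book 2.

```python
import hashlib
import hmac

ZERO_TVR = b"\x00" * 5      # Terminal Verification Results, all clear (constructed)


def derive_card_key(issuer_master_key, pan):
    """Card master key, derived from the issuer master key and the PAN (assumed KDF)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def derive_session_key(card_key, atc):
    """Session key unique to this ATC, so every transaction MACs under a fresh key."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def generate_arqc(card_key, atc, amount_cents, unpredictable_number, tvr=ZERO_TVR):
    """Card side: MAC over the transaction data the terminal asked the chip to sign."""
    data = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + unpredictable_number + tvr
    return hmac.new(derive_session_key(card_key, atc), data, hashlib.sha256).digest()[:8]


def _arpc(card_key, atc, arqc, response_code):
    """Issuer's response cryptogram binds the decision to the card's ARQC."""
    return hmac.new(derive_session_key(card_key, atc), arqc + response_code,
                    hashlib.sha256).digest()[:4]


def card_verify_arpc(card_key, atc, arqc, arpc, response_code=b"00"):
    """Card side: proves the approval really came from the issuer."""
    return hmac.compare_digest(_arpc(card_key, atc, arqc, response_code), arpc)


class Issuer:
    """Hypothetical issuer host (assumption of this example)."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.last_atc = {}          # pan -> highest ATC accepted
        self.authorized = {}        # (pan, atc) -> amount approved online

    def authorize(self, pan, atc, amount_cents, unpredictable_number, arqc, tvr=ZERO_TVR):
        """Return (approved, arpc) or (False, reason)."""
        card_key = derive_card_key(self.master_key, pan)
        expected = generate_arqc(card_key, atc, amount_cents, unpredictable_number, tvr)
        if not hmac.compare_digest(expected, arqc):
            return False, "cryptogram mismatch: data altered or card not genuine"
        if atc <= self.last_atc.get(pan, -1):
            return False, "ATC not increasing: replayed transaction"
        self.last_atc[pan] = atc
        self.authorized[(pan, atc)] = amount_cents
        return True, _arpc(card_key, atc, arqc, b"00")

    def reconcile_clearing(self, pan, atc, amount_cents):
        """Clearing must match what the card saw at authorization time."""
        return self.authorized.get((pan, atc)) == amount_cents


if __name__ == "__main__":
    issuer = Issuer(b"constructed-issuer-master-key")
    ck = derive_card_key(issuer.master_key, "4111111111111111")
    un = bytes.fromhex("1a2b3c4d")
    arqc = generate_arqc(ck, 7, 1999, un)
    print(issuer.authorize("4111111111111111", 7, 1999, un, arqc))
    print(issuer.authorize("4111111111111111", 7, 1999, un, arqc))   # replay
```

A captured authorization message is useless to an attacker for two independent reasons: the ARQC only verifies for the exact data it was computed over, and the issuer will not accept a counter it has already seen.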
Clearly this is a multi-faceted approach, with merchants, vendors, processors, acquirers and issuers all playing a role in preventing data breaches and in rendering card data useless when it is misused.
There is no single solution to card fraud. What is needed is a layered approach, one that combines the benefits of all the available security technologies to strengthen the entire payments environment.
Aidan Corcoran is chief technology officer at Acquirer Systems and Fergal Molloy is general manager at Acquirer Systems.
Reprinted from an article originally published by PaymentSource.