Secure your data with encryption and tokenization
You may have heard the terms point-to-point encryption, end-to-end encryption, and tokenization and wondered what they mean and whether or not you should care. The short answer is that you should care because they are important tools you may have at your disposal to help protect your business from card data theft and the repercussions of a data breach.
Before we get started let’s ensure that we are speaking the same language by defining a few key terms.
In this article, “POS” refers to an integrated POS system, meaning that the card data is swiped into the POS through a mag stipe reader and is processed via the POS connection with the payment processor. No stand-alone terminal is used.
Mag Stripe Reader:
On the back of every credit card is a “magnetic stripe” that contains the information required to process the credit card transaction. Connected to the integrated POS is a mag stripe reader also known as a “swiper.” The magnetic stripe reader reads the magnetic stripe on the back of the credit card to scan the necessary information into the POS for the processing of the transaction.
Encryption is the process of masking critical information with seemingly meaningless information or a code in order to hide the true “meaning” or value of the actual message.
Tokenization is the process of replacing a set of critical information with a substitute of no value or greater ease of use. The “token” used in place of the payment card data is only usable by those parties who hold the payment card data required to actually process the transaction. Otherwise the token is useless.
Short for Payment Card Industry Data Security Standard, PCI DSS is a set of standards detailing the proper handling of payment card data in the card data environment, which includes the POS, the physical store, and the computer network that the POS is connected to.
Now, that we have defined the vernacular that will be used to describe point to point encryption, let’s begin our discussion.
Point-to point-encryption, also known as end-to-end encryption (abbreviated to P2PE and E2E or E2EE respectively,) is the process of encrypting payment card data at the mag stripe reader or “at the point of swipe.” The advantage of point-to-point encryption is that the card data does not persist on the POS system. Without point-to-point encryption, card data is swiped into the POS through the mag stripe reader in clear text at which point the data is encrypted or by the POS. There is a split second where the data is not encrypted and that’s all data thieves need.
Another method is to utilize a “token” instead of an encryption. A token allows the transaction to process with non-valuable data instead of full payment card data. Tokens can be used repeatedly for transactions such as monthly billing or adding a tip adjustment to a pre-authorized restaurant transaction.
The worst case scenario when not utilizing point-to-point encryption or tokenization is when full card data persists on the POS environment. This creates an opportunity for hackers to access the POS and steal that full and very usable card data to create fraudulent cards. Of course not all POS systems store full card data and there are additional steps that should be taken to secure a POS that does not use point-to-point encryption or tokenization. These additional steps are spelled out in the PCI DSS guidelines.
Merchants who do use a point-to-point encryption mag stripe reader for their point-to-point encryption enabled POS, must still be careful of their physical environment. There are data thieves out there who operate in the physical world as well as cyberspace. Always inspect your card readers to ensure that they have not been tampered with in any way such as the addition of a skimming device. A skimming device can be covertly installed on the mag stripe reader so the data is collected when the card is swiped for payment. Alternately, skimming devices can be carried by fraudulent employees or other persons with access to customer credit cards and are used to secretly collect the card data in addition to swiping the card for payment. In either case, the card data is stored in the skimming device and sold to fraudsters, or used to create counterfeit cards. Skimmed mag stripes can be transferred to another card just like a hotel key card is recoded when you check into a hotel…it’s that easy.
Restaurants are particularly vulnerable to this type of fraud since employees are regularly entrusted with customers’ cards, out of sight of the customer. Your point-to-point encryption enabled POS cannot prevent skimming, so it’s up to merchants and their employees to be on the alert for this type of fraud.
Point-to-point encryption and tokenization are great ways to add security to your payment security strategy. While point-to-point encryption and tokenization cannot protect your business from every kind of fraud, they can be very helpful in preventing sensitive data from hanging around.
Vantiv offers three key solutions to assist with your payment security needs.
E2E solution (P2PE encryption). Contact your POS system dealer to determine if your POS has P2PE capability through Vantiv. If so, you may only need a mag stripe reader upgrade in order to utilize the P2PE functionality.
Tokenization. Vantiv offers a tokenization POS system integration. Again, check with your POS system dealer regarding the availability on your POS.
Merchant SecureAssist®. Vantiv offers Merchant SecureAssist, a PCI compliance assistance service to help you ensure that your systems are secure, and comply with PCI DSS.
Contact us for more information or to get started today.