Shift4 Corporation, provider of the world's largest independent payment gateway and sworn merchant advocate, has brought together a trio of mature solutions that will provide true security against breaches, simplify PCI compliance efforts, and ensure retailers are ready for EMV well in advance of the October liability shift date.
Shift4 is working with leading device manufacturers Ingenico and Verifone to provide EMV-capable devices that also allow for these additional security measures. This trio of technologies will bolster security, preventing breaches:
EMV: Developed nearly 20 years ago by international credit card brands Europay, MasterCard and Visa, EMV cards (also known as smart cards) use a computer chip embedded in the card, instead of a traditional magnetic stripe, to store card data. Shift4 has supported EMV in Canada since 2012 and is actively pursuing EMV certifications in the U.S.
EMV chips are significantly more difficult and expensive for criminals to copy. EMV cards also include technology to authenticate themselves each time they are used in a store. These capabilities should lead to a decrease in card-present fraud scenarios; however, EMV is not a silver bullet when it comes to security, as it does nothing to prevent card data from being stolen in the first place. Most EMV terminals on the market today still allow card numbers to flow out of the terminal and into the merchant's point-of-sale system in plain text. This means the malware used against Target and Home Depot would still be effective against retailers using EMV – unless those devices also support point-to-point encryption (P2PE).
P2PE: When properly deployed, P2PE encrypts card data the moment it enters the merchant environment – whether it is swiped into a terminal device at checkout or keyed in by a representative in the call center – and then passes that encrypted data on for processing without ever revealing the actual card numbers within the merchant's network. Pairing P2PE with EMV will be possible for Shift4 merchant customers using leading devices such as the Ingenico iSC250 and iSC480 and Verifone MX 915 and MX 925 to ensure that they never process or transmit any sensitive cardholder data within their environment.
The combination of P2PE and EMV provides strong security, but does have one major limitation: due to industry regulations, P2PE-encrypted payment data cannot be held by the merchant after an authorization has taken place. This means retailers need an additional solution to allow them to store payment card data for future returns and credits, or recurring billing situations.
Tokenization: Introduced to the payments industry by Shift4 in 2005, tokenization replaces card data stored in a merchant's database with a globally unique, random string of letters and numbers that cannot be mathematically reversed to reveal the card number. This allows retailers to keep card data on file for future purchases or returns without the risk of losing sensitive card data to a cyber attack. Shift4's TrueTokens® hold no value to hackers if stolen.
With P2PE and tokenization in place, the customer's card number never advances beyond the secure swipe device, leaving the merchant with an extremely limited card data environment and drastically reducing the time and effort required to obtain PCI compliance.