Payment companies face numerous challenges in risk management and compliance-related concerns. In some cases, the liability for losses stemming from fraudulent transactions is shifting due to new technologies and security measures, such as EMV technology and point-to-point encryption (P2PE).
The choice of whether to implement these technologies and security measures presents a dilemma of “pay me now or pay me later” in order to both maintain compliance and achieve a sustainable return on investment. The pressure of the liability shift from card brands to organizations that accept credit card payments has issuers and merchants alike considering changes to their consumer-facing products. At the same time, the liability shift is requiring processors, hardware manufacturers, and software developers to work diligently to be able to provide and support the services and solutions needed to implement and maintain these channels of card acceptance.
In a world where past significant breaches resulted in huge losses of data that had been gathered from point-of-sale (POS) terminals or solutions, it does make sense to require the industry to focus on securing card information at the physical point of initiation (POI). However, there are larger control issues in question when an attacker is able to gain access to card data obtained at the POS.
These types of POS breaches stem instead from missing security controls or inadequately managed systems that are ineffectively implemented, maintained, and monitored. Whether the gap is a lack of appropriate vendor restrictions and monitoring, a lack of appropriate segmentation of systems on the network, or inappropriate access controls that allow escalation of privileges, each points to one common weakness: the thief is able to get to data that is supposed to be “buried” on the network.
I recently attended the Money 20/20 conference, where 100 percent of the focus was on payments and the future of the industry. The buzz around many of the breakfast and lunch tables was on EMV and P2PE. Conference participants were asking questions such as, “Is the U.S. really gaining anything by implementing technology that has been in place in Europe for a decade?” and “Is P2PE really going to pay off when the majority of our transactions are online?” and “Why didn’t we move to chip and PIN instead of chip and signature?” These are all valid questions. So let’s take a closer look.
EMV was originally an abbreviation for “Europay, MasterCard, and Visa,” the three companies that developed the chip card technology in 1993. The technology enables what are commonly referred to as “chip and PIN” or “chip and signature” transactions.
EMV is not:
P2PE stands for “point-to-point encryption.” It is sometimes referred to as “end-to-end encryption” or “E2EE.”
P2PE is not:
Although the answer to PCI compliance, reduced liability, and fraud costs is not likely to be EMV and P2PE, these technologies are steps in the right direction, especially when both are implemented. Because the card brands chose to put in place deadlines for the liability shift (with those for unattended terminals yet to come), U.S. payments organizations have started to put plans in place to move to EMV slowly. However, without a deadline for the removal of magnetic stripes from issued cards and a requirement for a PIN with a chip transaction instead of just a signature, the U.S. payments industry still will be behind the eight ball for a long while.
P2PE will help merchants who struggle with segmentation and PCI requirements to move more quickly to an environment that is more secure for card-present transactions. It also will reduce the number of merchants who are storing cardholder data with no real business need. And P2PE will provide more time to focus on managing vendors and helping to ensure that employees are educated on the business processes that are appropriate for handling cardholder data (for example, not placing PANs in notes fields of applications not intended to protect the data and appropriately managing paper with card numbers on it).
However, an important question about EMV and P2PE implementations remains: Will they divert the focus of IT and security resources from common attack vectors against the network, thus leaving other card acceptance channels (such as e-commerce) increasingly vulnerable?
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.