Thieves Won’t Wait. Neither Should You.


June 01, 2012
Geoff Krieg

The Time to Implement Point-to-Point Encryption to Secure Cardholder Data is Now

Each week we read the latest stories of data breaches and reports that tell us our data is under attack. According to Verizon’s 2012 Data Breach Investigations Report, breaches skyrocketed in 2011 and the most afflicted industry was accommodation/foodservice. The report revealed that the most common external breach techniques use a combination of hacking and malware (61 percent). Along the same lines, Trustwave reported that hackers are having a far greater degree of success stealing data “in transit” (62.5 percent) versus stored data (28 percent) in its 2012 Global Security Report.

What this tells us is hotels and restaurants need to do more to protect sensitive payment data and be proactive in keeping up with the hackers and thieves. We also need to pay particular attention to properly securing data as it moves through the merchant IT environment.

Point-to-point encryption (P2PE) is a technology that’s been around for years but has only recently gained momentum in the hospitality sector. P2PE places “data in motion” in a wrapper that can only be decrypted by an endpoint that has the requisite key. If properly implemented, the merchant does not possess or have access to the cryptographic keys or a decryption function that would allow encrypted data to be decrypted. The goal of point-to-point encryption technologies is to encrypt as close to the point of entry as possible and guard against thieves who attempt to install sniffing/hacking software on a merchant’s network.

In addition to the security benefits, P2PE offers significant gains when it comes to compliance. PCI Security Standards Council General Manager Bob Russo said, “If implemented in accordance with PCI requirements, P2PE solutions can significantly reduce a merchant’s card data environment, mitigate potential breaches and simplify PCI DSS validation efforts.”

In fact, on April 27, 2012, the PCI Council released updated point-to-point encryption requirements as well as the testing procedures for QSAs, which will allow them to validate solutions. Once assessors are trained and solutions are validated, the Council will provide a list of validated solutions on the PCI SSC website. Merchants using a validated solution will then be able to use a new self-assessment questionnaire specifically designed to reduce PCI scope for P2PE users.

Even without that list at your disposal, there are many ways to ascertain which P2PE method and solution are secure and suitable for your business. First, ask all your POS/PMS vendors if they are working with any companies to provide P2PE. Also check whether the solution is integrated or non-integrated into the POS or PMS system. Integrated solutions may require extra steps at setup and installation, but offer greater functionality, whereas non-integrated solutions may be easier to install, but restrict choice and ease of use. You should also understand the types of cards and transactions that can be encrypted. Does the solution encrypt both swiped cards and manually entered cards? Does it encrypt online transactions, as well as on-site or card-present transactions? Is the solution tamper resistant, and what happens if an attempted breach occurs? Where is the HSM (hardware security module) located? Even if data were to be intercepted, is it rendered unusable to cyber thieves?

In today’s payments landscape where security threats and payment methods are constantly evolving, merchants should invest in hosted solutions that offer multiple options and flexibility in terms of the devices, points of interaction (POI) and processors supported. A hosted solution will shift much of the burden of responsibility to the third-party provider and free you from having decrypted data in your environment.

Looking ahead to EMV adoption, make sure that any new hardware you purchase is both EMV contact and contactless-capable, with the ability to both accept and process chip-based payment transactions to gain the benefit of the liability shift to acquirers. Keep in mind, there is no single silver bullet when it comes to payment security. Even with EMV, stolen cardholder data could be used for a fraudulent online transaction. Merchants should implement a variety of technologies and techniques as part of a multi-layered approach to security that ultimately includes EMV to protect against counterfeit card fraud, tokenization to protect data at rest, and P2PE to protect data in flight.

Probably the biggest argument against implementation of point-to-point encryption is cost in an uncertain and changing payments landscape. But merchants should consider the savings gained through scope reduction, and more importantly, the cost of a potential breach to their business and brand. As the hospitality sector continues to be targeted by hackers, the decision to stall could be a costly one. Thieves won’t wait for a unified approach and specification, and are looking to access your valuable data now. By taking a proactive approach to security that includes point-to-point encryption, asking the right questions, choosing trusted partners and keeping yourself updated, you can protect your customers’ data and your reputation.

Geoff Krieg is the vice president of product management for Merchant Link.

©2012 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
