After 2014, the “Year of the Data Breach,” media outlets and so-called payments experts were adamant that chip card security, also known as EMV, would solve the security issues surrounding the payments industry. Although chip cards are a step in the right direction, EMV is only a piece of the complex payments security puzzle. This article will help build an understanding of a layered payments security approach that includes both EMV (chip card) technology and encryption.
So, before we begin, it’s important to understand a few core concepts of the credit card industry.
What is a credit card processor?
In the U.S., there are nine (9) credit card processors: TSYS, First Data, Global Payments, Vantiv, Mercury Payments, WorldPay, Elavon, Heartland and Chase Paymentech. These companies are referred to as “Processors” as they have the complex connectivity to the back-end card brands (VISA, MasterCard, Discover, American Express, etc.) and the acquiring bank networks. Any company who claims to be a “Processor” not listed above is, very simply, lying. They are likely an acquiring bank or, similarly, a reseller of an acquiring bank.
What is an Acquirer/Acquiring Bank?
An Acquirer or Acquiring Bank is the banking institution that sells credit card processing. So, what exactly is one “selling” when they “sell credit card processing?” As a merchant, there is an inherent risk in accepting credit cards. When you think about an actual credit card transaction, you need to think about what is occurring at a very rudimentary level. When you break it down, a seller of goods (the merchant) is providing some sort of good or service in exchange for a swipe (or dip) of a plastic card. Sounds a bit silly when you think of it that way, huh? Of course, the presentation of a credit card is the promise that the purchaser has funds available to him or her that can pay for those goods. So, there is an inherent risk to the seller of accepting a plastic card, instead of cash, as that person may not actually have funds, the card could be fraudulent, or any other circumstance resulting in nonpayment to the merchant.
As a result, banking institutions need to underwrite the risk for the merchant to accept credit cards. So, when someone is “selling credit card processing,” they’re selling what is known as an acquiring bank account or, in simpler terms, a bank account that underwrites the risk of processing credit card payments and eventually transfers, or settles, the funds to the merchant’s business bank account.
What is a Card Brand?
This one is a bit easier. The main card brands in the United States are Visa, MasterCard, American Express, and Discover. Visa, MasterCard and Discover all works with banking institutions, and as explained above the banks act as the acquiring arm for the merchants. American Express, on the other hand, does not work with acquiring banks. American Express acts as its own acquirer, which is why in many cases merchants have experienced different, and usually more expensive, pricing structures for American Express.
What is EMV?
EMV stands for Europay MasterCard Visa, which are the organizations that created the EMV, or chip card, standard. EMV is a global
standard for processing credit and debit cards based on chip technology that is significantly more advanced than the magnetic stripe
technology that has been used worldwide since the beginning of credit card acceptance. With a magnetic stripe card, the sensitive credit card number and expiry data information, also known as track 2 data, is transferred to the payment terminal and then the back end
Processor (TSYS, First Data, etc.) for processing with the card brands and bank networks. With EMV cards however, a significant amount of data is exchanged in real-time between the credit card issuer (Bank of America, M&T Bank, Citi, Chase, etc.) and the payment terminal to confirm the transaction is not fraudulent. In other words, EMV’s purpose is to ensure that you are you, and that your card is being used by you. So how would EMV have prevented the Target, Home Depot and other breaches of 2014? It wouldn’t have.
What is Encryption?
Encryption, as it relates to credit card processing, is a means of making the sensitive information unreadable by encoding the track 2 data in a way that disallows unauthorized parties from being able to read it. There are many forms of encryption, such as Triple DES, AES, and RSA, which all have their respective pros and cons, but all serve the purpose to ensure that hackers cannot read the encrypted data in the case that it is intercepted. The most advanced forms of encryption in the payments industry perform the cryptography process outside of the Point-of-Sale software, as software-based encryption can also be compromised by malware.
EMV + Encryption = Payment Security
EMV would have not prevented any of the breaches of 2014, as EMV is not a form of encryption. The problem that most organizations faced with data breaches was that their Point-of-Sale (POS) systems were infected by malware, and that malware was quietly siphoning the credit card data that flowed through the POS system off to the hackers. EMV could not have prevented this. However, an encryption solution would have made the stolen credit card data useless to hackers. So, what is the purpose of EMV? EMV makes it much more difficult to reproduce fraudulent credit card with chip technology, but the true value of EMV in the United States will not be noticed until all merchants are no longer accepting magnetic stripe cards. Further, the rest of the modern world has adopted the Chip & PIN mechanism, which requires chip cards to be authenticated with a separate PIN, just like a debit transaction. Unfortunately, our fellow countrymen did not have much faith in our citizens and thought that remembering a PIN would be too difficult for Americans. Embarrassing, huh? So instead, they implemented Chip & Signature, which only requires a signature for a chip transaction. We both know that signatures do little to validate a person’s identity, and there are no signature verification systems that are currently being used in the industry to support this.
When looking for a payment processing solution, you should be looking for more than pricing. Merchants should also focus on the ability to accept EMV transactions, to prevent fraudulent transactions, as well as point-to-point or end-to-end encryption, to protect the sensitive data in-transit through the payment networks.
EMV Liability Shift
Merchants have been blind-sided by the confusing technologies as well as misinformation that litters the merchant services industry. We have found the below infographic from Tri-State Merchant Services, which is very helpful in easily understanding the EMV liability shift workflow. Please note, PCIBlog.org is independent, and has no financial relationship with Tri-State Merchant Services, we simply felt their infographic was helpful for our readers!