In 2016, reported US data breaches increased by 40%, and Yahoo announced the largest data breach in history, affecting more than one billion accounts. How does 2017 look? It is on track to be the worst year on record for data breaches. As of December 13th, the total number of breaches captured in the 2017 ITRC Breach Report was 1,253, a 20% increase over last year’s record pace for the same period (1,044).
Through phishing, malware, ransomware and outright extortion, we’ve collectively seen millions of records stolen and a trove of classified hacking tools leaked. Even as 2017 nears its close, most articles recapping the year’s largest breaches still end with the words “so far.”
Devaluing the data
Why do hackers breach systems and networks? To find valuable data that can be resold on the black market, and whether that data is card data or personal information no longer really matters. Consumer records of all kinds fetch a good price on the dark web, where fraudsters use them to rack up thousands in card purchases or to build a new identity from a name, address and Social Security number.
Still, stolen credit cards pay the bills for hackers because they are plentiful and easy to sell. After the September 2017 Sonic Drive-In data breach, many of the stolen cards were found for sale on the dark web at $25 – $50 per card.
Too often, credit card information is stored in databases and on servers without encryption. In the now infamous Equifax breach, the company reported that the attackers had stolen 200,000 credit card numbers from “a storage table that contained historical credit card transaction related information.”
That may leave some of us wondering why any company that accepts credit cards wouldn’t encrypt those transactions as they are entered, and, more to the point, why it would store card data “in the clear” at all.
When considering the processing and storage of sensitive information, specifically consumer payments and credit card transactions, companies have two choices – they can Defend the Data or Devalue the Data. With the Defend the Data approach, merchants can install and maintain all of the security technologies specified in the Payment Card Industry (PCI) Data Security Standard (DSS) requirements including firewalls, intrusion detection, constant patch updates, 24/7 monitoring and 330 other security requirements.
Maintaining such a security program company-wide leaves room for security holes the IT staff doesn’t know about until it’s too late. A compliance assessment is a point-in-time snapshot, not a guarantee: Target was assessed to be PCI compliant only months before attackers exploited weaknesses in its systems that the assessment had not surfaced.
With the Devalue the Data approach, merchants use technology that devalues the cardholder data before it ever reaches their point of sale systems, so that whatever an attacker extracts from a compromised POS is useless.
PCI SSC and point-to-point encryption (P2PE)
In 2011, the PCI Security Standards Council (SSC) introduced its standard for P2PE. The goal was to secure card data at the point of interaction (POI), the point of entry: the account data is encrypted immediately upon swipe, dip or keying of the card, so it never traverses the merchant’s POS system as clear text. Per the requirements, encryption may only be performed by PCI-approved P2PE devices (payment terminals), and decryption must be done in hardware, off-site, within the validated P2PE solution provider’s decryption environment. The merchant never holds a decryption key, so its POS, network and staff only ever handle ciphertext they cannot reverse.
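The flow just described, as an added example that is not part of the original article and not the code of any listed P2PE solution: a terminal encrypts the PAN the moment it is read, the merchant POS only logs and forwards an opaque blob, and a provider-side HSM is the only party that can decrypt. The `find_pans` scanner at the end is the card-data discovery check an assessor would run over POS logs, memory dumps or database exports, and it also illustrates the earlier point about card data stored “in the clear”: run against a clear-text POS log it finds the PAN, run against the P2PE log it finds nothing. Everything here is an assumption for illustration: the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for the terminal’s hardware TDES/AES, the per-transaction key derivation is a simplified stand-in for DUKPT, the names `Terminal`, `POS`, `ProviderHSM` and `T-001` are made up, and `4111111111111111` is a constructed Luhn-valid test number, not a real card.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Assumptions (not a PCI-listed implementation): HMAC-SHA256 keystream plus
# HMAC tag stands in for the terminal's hardware TDES/AES, and the
# counter-based key derivation is a simplified stand-in for DUKPT.

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real PANs from random digit runs in a scan."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pans(text: str) -> list:
    """Card-data discovery over logs, memory dumps or database exports."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

def derive_txn_key(base_key: bytes, terminal_id: str, counter: int) -> bytes:
    """Unique key per transaction: a leaked key unlocks one blob, not the history."""
    return hmac.new(base_key, f"{terminal_id}:{counter}".encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Terminal:
    """Stand-in for an approved POI device: the only place the PAN is in the clear."""
    def __init__(self, terminal_id: str, base_key: bytes):
        self.terminal_id, self.base_key, self.counter = terminal_id, base_key, 0

    def read_card(self, pan: str, expiry: str) -> dict:
        self.counter += 1
        key = derive_txn_key(self.base_key, self.terminal_id, self.counter)
        blob = encrypt(key, f"{pan}|{expiry}".encode())
        # Only ciphertext plus the metadata the HSM needs to re-derive the key leave the device.
        return {"terminal_id": self.terminal_id, "counter": self.counter,
                "blob": base64.b64encode(blob).decode()}

class POS:
    """Merchant system: logs and forwards whatever the terminal hands it."""
    def __init__(self):
        self.log = []

    def handle(self, msg: dict) -> dict:
        self.log.append(f"sale terminal={msg['terminal_id']} counter={msg['counter']} blob={msg['blob']}")
        return msg

class ProviderHSM:
    """Solution provider's decryption environment; the merchant never holds base_keys."""
    def __init__(self, base_keys: dict):
        self.base_keys = base_keys

    def decrypt_pan(self, msg: dict) -> str:
        tid = msg["terminal_id"]
        key = derive_txn_key(self.base_keys[tid], tid, msg["counter"])
        pan, _expiry = decrypt(key, base64.b64decode(msg["blob"])).decode().split("|")
        return pan

def run_p2pe_sale(pan: str, expiry: str = "1229") -> tuple:
    """Returns (POS log text, PAN recovered by the provider's HSM)."""
    base_key = secrets.token_bytes(32)  # assumed injected at a key-injection facility
    terminal, pos = Terminal("T-001", base_key), POS()
    hsm = ProviderHSM({"T-001": base_key})
    msg = pos.handle(terminal.read_card(pan, expiry))
    return "\n".join(pos.log), hsm.decrypt_pan(msg)

def run_cleartext_sale(pan: str, expiry: str = "1229") -> str:
    """'Defend the data' POS that receives the PAN in the clear: the log itself is cardholder data."""
    return f"sale pan={pan} exp={expiry}"

if __name__ == "__main__":
    log, recovered = run_p2pe_sale("4111111111111111")  # constructed test PAN
    print(log, "\nHSM recovered:", recovered, "| PANs in P2PE POS log:", find_pans(log))
    print("PANs in clear-text POS log:", find_pans(run_cleartext_sale("4111111111111111")))
```

The scanner deliberately pairs a digit-run regex with a Luhn check: without Luhn, counters, timestamps and hex blobs produce false positives; with it, a hit in a POS log, core dump or export is strong evidence that clear-text account data exists where the P2PE model says it should not.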
Today, there are 45 validated solution providers worldwide, demonstrating the importance and market need for this technology.
PCI-validated P2PE differs from non-validated P2PE solutions in several respects: how encryption and decryption are performed, the types of payment terminals used (only devices approved by PCI for P2PE are allowed), and the strict chain-of-custody rules and requirements for the P2PE devices. Merchants that adopt a PCI-validated P2PE solution are eligible for the PCI SAQ P2PE annual assessment questionnaire (earlier called SAQ P2PE-HW), which has approximately 33 questions, compared to approximately 333 for PCI SAQ D.
The growth of P2PE merchant adoption
P2PE embodies the “Devalue the Data” approach. The goal of the PCI P2PE standard is to ensure that no clear-text credit card data is available in the merchant system, where it could be accessed if a data breach occurs.
While the number of providers offering validated solutions has grown, so too has the number of merchants, healthcare organizations and educational institutions adopting a true PCI P2PE solution. Beyond the obvious data security benefit, companies reap significant cost savings from the reduction in PCI scope and avoid exposing their consumers’ financial information, protecting their reputation and customer base.
Currently, adoption of a PCI P2PE solution is voluntary. Companies can choose a non-validated P2PE solution to secure their systems; however, such solutions do not come with the same assurance that the technology has been fully vetted by a third party, and they do not carry the same scope reduction benefits as a PCI P2PE solution: any scope reduction for a non-listed solution is at the discretion of the merchant’s acquirer rather than defined by the PCI SSC.
The question is whether this may change over time. The many US data breaches this year that exposed clear-text credit card information show that even high-profile merchants and institutions are still not encrypting card data at the point of entry. It is obviously in companies’ interest to encrypt card data, but will there eventually be a penalty if they don’t? Looking at Europe’s General Data Protection Regulation (GDPR), under which companies worldwide can be fined up to 4% of annual global turnover or €20 million, whichever is higher, it is clear that Europe is getting serious about data protection, which points to the growing importance of technologies such as P2PE.
As more solution providers come on the market and more strategies are introduced to let companies adopt PCI P2PE seamlessly (e.g., P2PE-only solutions that don’t require a change in processing partners), we expect adoption to keep growing even without government regulation. As long as companies accept credit cards in person and over the phone, keying, dipping or swiping those cards into a payment terminal, there will be hackers looking to break into POS systems and steal card data. At some point, especially for companies that have already suffered one or even multiple data breaches, P2PE becomes a no-brainer.