Corporate Compliance Insights
Encryption and the Payment Ecosystem

by Paul Hampton
February 24, 2014
in Compliance

The everyday consumer assumes that when they make a purchase, either online or in the checkout line, their card data is handed off to a trusted party with security in place to protect them. They don’t see the complicated ecosystem that exists to process that transaction, nor do they fully understand the security mechanisms that may or may not be in place. To them, a transaction is a swipe of a card, a signature on a receipt (or entry of a PIN) and the swift deduction of funds from their account. It’s clean, simple and efficient.

The revolving door of data breaches at large retailers is proof that security in the payment ecosystem is anything but simple. Retailers understand the potential harm of a breach to their own business, and they invest heavily in security mechanisms to prevent breaches from happening. Yet with an estimated 110 million customer records stolen in one breach alone, it’s clear that the security strategy retailers are following is ineffective.

The Gap Between Compliance and Security

Retailers are subject to a myriad of compliance requirements around how to handle customer data and process transactions. The most significant of these requirements is called the Payment Card Industry Data Security Standard. Published by the Payment Card Industry Security Standards Council (PCI SSC), the leading compliance body for merchants and processors, PCI DSS outlines a set of 12 requirements for security that covers the construction and maintenance of secure networks, the protection of cardholder data, implementation of a vulnerability management program, guidelines for stronger access controls, the monitoring and testing of networks and the establishment of an overarching information security policy. But PCI DSS fails to address some key areas of vulnerability in the payment ecosystem, and these areas have been exploited with disastrous consequences. With many retailers spending more than $8 million to ensure their payment ecosystem complies with PCI DSS, it should come as no surprise that they are hesitant to invest heavily in additional security solutions. Hopefully the continuous drumbeat of retail breaches, each costing millions of dollars and significantly harming relationships with customers, will serve as a wake-up call for retailers who view compliance with PCI DSS as “good enough.”

Securing Payment Data in the Event of a Breach

What all this illustrates is that we need to shift our focus from breach prevention to a security strategy that places the security of the data itself at the forefront. This approach to data protection is referred to as securing the breach. Securing the breach means protecting sensitive data wherever it exists and limiting access to that data even when it lives in an uncontrolled, untrusted environment. We believe that encryption is the only truly effective way to secure data once a breach has occurred.

A lot has been written about encryption as a solution to the attacks that we have seen against retailers like Target and Neiman Marcus. Usually when encryption is discussed, it is related to a specific point of vulnerability that was exploited in the attack. The reality is, a successful transaction relies on a complicated ecosystem with many potential points of vulnerability; the ecosystem is only as strong as its weakest link. This payment ecosystem also involves several parties including the merchant, acquirer, switch and bank or card issuers.

Securing Devices at the Retail Point of Interaction (Point of Sale)

Building secure payment networks by focusing only on the four parties previously mentioned is still not enough. When we look at the payment ecosystem from a security perspective, we actually need to extend the scope to include the manufacturers of payment terminals at the point of sale and the developers of payment application software. Payment terminals, or point of interaction (POI) devices, have been around for decades. Like many devices, they have evolved to come in many different forms, with wide ranges of features and new methods of communication. POI devices are more connected than ever before, and this makes them an even more appealing target for an attacker. For this reason, many POI device manufacturers have begun to use a cryptographic method to issue unique identities to payment terminals. This method, called code signing, provides a way for the manufacturer or payment application provider to identify a terminal and securely push updates to the POI device in the field. Without code signing, an attacker could impersonate the manufacturer and deploy malware that could steal customer data right from the POI device.
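The code-signing check described above, as an added example that is not part of the original article or any manufacturer's product: the manufacturer signs each firmware image (with its version number) using an Ed25519 private key that never leaves the signing system, and the terminal verifies the signature against the manufacturer's public key baked in at production before it writes a single byte to flash. The `SignedUpdate` structure, the domain-separation label and the rollback check are assumptions made for this illustration, not anything the article specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedUpdate is a hypothetical firmware update package as a terminal would receive it:
// the image, its version, and a detached signature made with the manufacturer's signing key.
type SignedUpdate struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// updateDigest binds the version number to the image bytes under a fixed label, so neither
// the image nor the version can be swapped independently of the other.
func updateDigest(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h := sha256.New()
	h.Write([]byte("poi-firmware-v1")) // domain-separation label (constructed for this example)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs at the manufacturer; the private key stays on the signing system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	return SignedUpdate{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, updateDigest(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update signature does not verify against the trusted manufacturer key")
	ErrRollback     = errors.New("update version is older than the version already installed")
)

// VerifyUpdate runs on the terminal before the image is written to flash. pub is the manufacturer's
// public key provisioned at production time; installed is the version currently running.
// The signature is checked first, so the version field is only trusted once it is authenticated.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(pub, updateDigest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version < installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("firmware image bytes (constructed)")
	update := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, update))

	// An image altered in transit no longer matches the signed digest.
	tampered := update
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	// A package signed with any key other than the manufacturer's is rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other signer:  ", VerifyUpdate(pub, 1, SignUpdate(otherPriv, 3, image)))
}
```

Only the public key lives on the terminal, so compromising a fleet of devices yields nothing that lets an attacker sign a malicious update; the signing key is the asset to guard, which is the point the key-management section below makes.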

Point-to-Point Encryption

The Target breach illustrated another area where additional encryption mechanisms related to the POI device are needed. When credit card data is captured at a POI device, it is traditionally sent in plain text, in the clear, to the point-of-sale system, meaning an attacker with the means to listen to the transmission would get all of the information on the card in an unencrypted state. For years, this vulnerability has been overlooked, as many point-of-sale (POS) systems provide encryption or tokenization after receiving the data. It can be overlooked no longer, as the ability and sophistication of attackers to skim and sniff POI-to-POS traffic is far beyond what was once thought possible.

A new breed of POI terminals is becoming available in the market. These terminals enable something called Point-to-Point Encryption (P2PE). P2PE encrypts card data from the earliest possible moment of its capture and ensures that the data remains in an encrypted state until it arrives at the payment gateway. This approach, which was defined by the Payment Card Industry Security Standards Council (PCI SSC), is the cleanest approach to transaction protection introduced to date. In fact, many merchants are considering P2PE not only for its security, but also because it can effectively remove some of the merchant’s own security infrastructure from the scope of compliance with regulations such as PCI DSS.

eCommerce Encryption

These days just about every brick-and-mortar retailer has an eCommerce site. The growth of online shopping has made a retailer’s Web storefront integral to its success or failure. Securely capturing and processing consumer data via the Web poses different, but equally challenging, issues to those we see in the traditional retail environment.

In the case of eCommerce, the retailer loses control of a large portion of the transaction interaction with the customer. Customers come to the Web storefront from different devices, operating systems and Web browsers, yet the retailer needs a way to protect its customers’ data from the earliest possible moment. This is achieved by creating an encrypted tunnel, or session, between the consumer’s device and the retailer’s eCommerce system.

Retailers today depend on what’s called the Secure Sockets Layer (SSL) to provide this encrypted tunnel. SSL is a security protocol that enables two computers to establish a secure, encrypted communication session so that private information can be transmitted across open networks such as the Internet.

Encryption: Only as Secure as the Security of Encryption Keys

We have discussed several different areas in which encryption can help to secure customer data, even when a retailer experiences a breach. It is important to note, however, that encryption solutions are not all created equal. Encryption relies on cryptographic keys to encrypt and decrypt data. The management of these keys, and the protection afforded to them, is just as important as their use in the various stages of the payment ecosystem. A sound key management strategy will include specific methods of limiting access to keys, defining how those keys are issued and distributed, and protecting the keys while they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled attacker, who may then be able to access cardholder data.
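The P2PE flow from the Point-to-Point Encryption section and the key-management points above, as one added example that is not part of the original article or of any PCI-listed P2PE solution: card data is encrypted on the POI device the moment it is captured, the intermediate POS system only ever handles ciphertext, and decryption happens solely at the gateway. Each terminal gets its own key derived from a master key that exists only at the gateway (in practice inside an HSM), and the terminal ID is bound to the ciphertext as authenticated associated data so an envelope cannot be accepted under another terminal's identity. The `Envelope` structure, the HMAC-SHA256 derivation standing in for a full key-derivation function, the terminal IDs and the track-data layout are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what leaves the POI device (hypothetical format): ciphertext plus the public
// metadata the gateway needs to locate the right key. Nothing in it reveals the card data.
type Envelope struct {
	TerminalID string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// deriveTerminalKey derives a per-terminal data key from a master key held only at the gateway.
// HMAC-SHA256 over a label stands in for a full KDF such as SP 800-108 in this example.
func deriveTerminalKey(master []byte, terminalID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("p2pe-data-key/" + terminalID))
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtCapture runs on the POI device with its injected per-terminal key. The terminal ID is
// passed as associated data, so the ciphertext authenticates only under that terminal's identity.
func EncryptAtCapture(terminalKey []byte, terminalID string, trackData []byte) (Envelope, error) {
	aead, err := newGCM(terminalKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, trackData, []byte(terminalID))
	return Envelope{TerminalID: terminalID, Nonce: nonce, Ciphertext: ct}, nil
}

var ErrUndecryptable = errors.New("envelope does not authenticate under the claimed terminal's key")

// DecryptAtGateway is the only place the master key, and therefore plaintext, is available.
func DecryptAtGateway(master []byte, env Envelope) ([]byte, error) {
	aead, err := newGCM(deriveTerminalKey(master, env.TerminalID))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TerminalID))
	if err != nil {
		return nil, ErrUndecryptable
	}
	return pt, nil
}

// PosSeesPAN models the intermediate POS system, which can only inspect the envelope bytes.
// It reports whether the PAN digits appear in what passes through it, the exposure P2PE removes.
func PosSeesPAN(env Envelope, pan string) bool {
	return strings.Contains(string(env.Ciphertext), pan)
}

func main() {
	master := make([]byte, 32) // gateway-side master key (generated here for the demo)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	const pan = "4111111111111111" // constructed test PAN, not a real card
	track := []byte("PAN=" + pan + ";EXP=2612") // constructed track-data layout

	termKey := deriveTerminalKey(master, "POI-0001") // injected into the terminal at key loading
	env, err := EncryptAtCapture(termKey, "POI-0001", track)
	if err != nil {
		panic(err)
	}
	fmt.Println("POS sees PAN in transit:", PosSeesPAN(env, pan))
	pt, err := DecryptAtGateway(master, env)
	fmt.Printf("gateway recovers: %q (err=%v)\n", pt, err)

	// The same envelope presented under another terminal's identity fails authentication.
	env.TerminalID = "POI-0002"
	_, err = DecryptAtGateway(master, env)
	fmt.Println("replayed under POI-0002:", err)
}
```

Compromising the POS, or the network between POI and POS, yields only envelopes; compromising one terminal's key exposes only that terminal's traffic, because the master key that derives every terminal key never leaves the gateway.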

About the Author

Paul Hampton is Payments Product Manager for SafeNet, overseeing the development and strategy of payment encryption products and solutions. Mr. Hampton has 12 years of experience in the information security business and has previously held positions at Rolls-Royce and Citigroup. He holds a BS in Computer Science and Business and the CISSP and CISM certifications.

© 2022 Corporate Compliance Insights