IDG Contributor Network: P2PE is not what your CIO thinks it is

I have been traveling around the world since late 2013 speaking at conferences on Point-to-Point Encryption (P2PE). It has taken me to places like Bangkok, Singapore, São Paulo, Vancouver, Banff, Barcelona and London. Early on, I would get a lot of blank stares and nods but little interest or interaction from the audience. At that time, it seemed that the general response was that security was just something that merchants had to do for compliance. The risks were largely unknown. After a few card data breaches at major merchants like Target, Home Depot and UPS, merchants started to take notice as the risks of getting it wrong took center stage. There were about 1,600 breaches last year; that’s an average of 30 per week. And those are only the reported breaches. A “breach” only hits the press when the hacker does something wrong and gets found out. That is bad news for the hacker, because once their malware is found, the holes are shortly plugged and the flow of card data stops. The ultimate goal for hackers is to hide in the weeds of unsuspecting and unprotected merchant systems and silently exfiltrate valuable card data over as long a period of time as they can.

Don’t confuse P2PE with EMV

Before we talk about P2PE, let’s discuss the technology that stole the show in the wake of the high-profile card breaches: chip cards, aka EMV. EMV helps a merchant’s Point of Sale (POS) system tell the difference between a fake plastic card and a real credit or debit card. Unfortunately, because of the timing of the release of this technology in the US, a lot of merchants confused chip cards, an anti-fraud tool that helps protect against physical fraud, with other data security technologies that protect the data from being stolen in the first place. Security and fraud are two very different concepts. Data insecurity exposes the card data to cyberattacks by hackers. Hackers then sell the card data online to fraudsters, who then use the card data to commit fraud.

Fraud is at the tail end of the process; it is the actual use of the hacked card data. Card breaches feed fraud; breached card data is the raw material used to commit fraud. So why, then, would an anti-fraud tool like EMV chip cards be expected to do anything to secure the data in the first place? It’s like stamping your name and address on a bar of gold and setting it out on the lawn, instead of just locking the gold up in a vault. One tells you who owns the gold; the other secures the gold from theft.

Many technology professionals are surprised to see full, clear-text sixteen-digit card numbers on their network after implementing EMV chip card readers. Counterfeit cards represent less than 0.05% (that’s 5% of 1%) of all transaction dollar volume. That’s a relatively small issue compared to thousands of major merchants and millions of cards being exposed every year because of a lack of encryption. However, both technologies have their place, and I am glad to see that P2PE is finally getting its time in the spotlight. In a perfect world, merchants would have added encryption to their card acceptance machines at the same time they upgraded to accept chip cards. But it’s not a perfect world. To make things worse, probably 80% of all devices that support chip cards can already support P2PE. Most merchants just haven’t turned it on because of a lack of education and priority.
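As an added illustration of the "clear-text card numbers on the network" point (this is example code, not from the article or any vendor): a small Python check that scans a captured POS-to-host message for Luhn-valid account numbers. It flags a constructed EMV-only message, where the PAN travels in the clear, but finds nothing in a constructed P2PE message, where the terminal sends only a key serial number and an encrypted blob. The message layout and field names are assumptions made for the example.

```python
import re

# Constructed sample messages (not real traffic). Field names are invented.
# An EMV-only terminal still sends the account number in the clear:
SAMPLE_EMV_ONLY = b"MTI=0200|PAN=4111111111111111|EMV_TAGS=9F26AB|AMT=000001999"
# A P2PE terminal sends a key serial number (KSN) and ciphertext; no PAN on the wire:
SAMPLE_P2PE = b"MTI=0200|KSN=FFFF9876543210E00003|ENC=8A3F1C9E4B2D7A6F0C1E3D5B7A9F2E4C|AMT=000001999"

# Runs of 13-19 digits not adjacent to other digits (typical PAN lengths).
PAN_CANDIDATE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked PANs found in clear text in a captured message.

    A non-empty result means card data is crossing the network unencrypted,
    i.e. P2PE is not actually in effect for that terminal.
    """
    hits = []
    for match in PAN_CANDIDATE.finditer(payload):
        candidate = match.group(1).decode()
        if luhn_ok(candidate):
            hits.append(mask_pan(candidate))
    return hits


if __name__ == "__main__":
    for name, msg in (("EMV only", SAMPLE_EMV_ONLY), ("P2PE", SAMPLE_P2PE)):
        print(name, "->", find_cleartext_pans(msg) or "no clear-text PAN")
```

The same scan run over a real capture (after rate-limiting and masking the output) is a quick way to confirm whether a terminal fleet that "supports" P2PE actually has it switched on.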