While it is important to know that EMV, Point-to-Point Encryption (P2PE), and tokenization all share a core purpose of protecting payment transactions, it is even more important to understand that you don’t have to choose between these secure methods of defense. In fact, all three of these technologies can be used in the same environment to provide increased security.
In this post, we’d like to break down what these technologies are and how they can be used individually as well as together within the payment ecosystem.
EMV chip-based payment technology is used to prevent the duplication of payment card data, an often inexpensive attack carried out by criminals who seek to gain access to card numbers by purchasing large quantities of them on the Internet or even by using “skimming” devices placed over legitimate payment terminals or ATMs. EMV-enabled payment cards have an embedded cryptographic chip that is used in conjunction with a PIN to verify cardholder authenticity, as opposed to the simple magnetic stripe often used.
EMV cards further help prevent fraud by generating an Authorization Request Cryptogram (ARQC) when inserted into a payment acceptance device. This cryptogram is sent along with the transaction data and is checked by the card issuing organization using a hardware security module (HSM) prior to authorizing the transaction.
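The cryptogram check described above can be modelled in a few lines. This is an added example, not code from the original post or from any EMV specification: it substitutes HMAC-SHA256 for the MAC algorithm real cards use, the `Issuer` class stands in for the issuer's HSM, and the key, counter and amount values are constructed.

```python
import hashlib
import hmac

def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    # Per-card key: loaded onto the chip, re-derived by the issuer on demand.
    return hmac.new(issuer_master_key, b"card|" + pan.encode(), hashlib.sha256).digest()

def make_arqc(card_key: bytes, atc: int, amount_cents: int, un: bytes) -> bytes:
    # The session key changes with the Application Transaction Counter (ATC),
    # so every transaction yields a different cryptogram.
    session_key = hmac.new(card_key, b"atc|" + atc.to_bytes(2, "big"), hashlib.sha256).digest()
    data = amount_cents.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]

class Issuer:
    """Stand-in for the issuer's HSM-backed check (hypothetical class)."""
    def __init__(self, master_key: bytes):
        self._imk = master_key
        self._last_atc = {}

    def authorize(self, pan, atc, amount_cents, un, arqc) -> str:
        expected = make_arqc(derive_card_key(self._imk, pan), atc, amount_cents, un)
        if not hmac.compare_digest(expected, arqc):   # constant-time comparison
            return "DECLINE: bad cryptogram"
        if atc <= self._last_atc.get(pan, -1):        # counter must move forward
            return "DECLINE: replayed counter"
        self._last_atc[pan] = atc
        return "APPROVE"

def demo():
    imk = b"constructed-issuer-master-key"   # constructed value
    pan = "4111111111111111"                 # well-known test number
    issuer = Issuer(imk)
    chip_key = derive_card_key(imk, pan)     # what the genuine chip holds
    un = bytes.fromhex("a1b2c3d4")           # terminal's unpredictable number
    genuine = make_arqc(chip_key, 7, 2500, un)
    return [
        issuer.authorize(pan, 7, 2500, un, genuine),    # genuine chip transaction
        issuer.authorize(pan, 7, 2500, un, genuine),    # same message seen again
        issuer.authorize(pan, 8, 99900, un, genuine),   # old cryptogram, new data
    ]
```

Copied static card data is not enough to pass this check, because the issuer recomputes the cryptogram from a key that never leaves the chip and from values that change per transaction.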
Point-to-Point Encryption protects cardholder data by encrypting it at the Point of Interaction (POI). The information remains encrypted through transit until it reaches the secure boundary of a FIPS 140-2 Level 3 and PCI HSM validated hardware security module, at which point it is safely decrypted without fear of tampering. P2PE is used most notably in retail environments as a way of protecting Primary Account Number (PAN) data from the moment it is captured at the POI. By implementing P2PE, organizations are able to improve their data security infrastructure while also reducing PCI DSS compliance scope and expense.
Tokenization protects PAN data in storage by removing it altogether, replacing it with an identifier known as a token. In typical financial applications of tokenization, a payment transaction occurs and the merchant retains only the token. The token is linked to that specific cardholder account and, by itself, has no worth to fraudsters. For processes such as refunds, returns, and additional purchases, the transaction token can be used by the processor to look up the PAN needed to process the appropriate transaction.
Beyond the effort associated with storing PAN data compliantly, storing important information as clear text poses an unnecessary risk regardless of protective measures taken. Implementing tokenization enables merchants to enjoy a reduction of PCI DSS scope and cost as well as a greatly reduced chance of a security breach.
Covering All Your Bases
You can’t rely on strong security measures in just one area of your electronic payment infrastructure and expect to avoid a data breach. While each of these solutions improves security for sensitive cardholder data on its own, using all three simultaneously provides substantially greater benefit in protecting against fraudulent activity.
For example, EMV cards protect sensitive data by guarding against card “skimming” and counterfeiting, tokenization replaces clear PAN data at rest with information not useful to fraudsters, and P2PE protects cardholder data while in transit. Each of these areas has a different focus, but all work together toward the same common goals.
By establishing a payments ecosystem incorporating EMV, P2PE, and tokenization, organizations can reduce the scope of PCI DSS compliance, reduce the risk of incurring a costly data breach, better protect digital payments, and establish themselves as leaders in the rapidly evolving field of payment data security.
Security of payment tokens
Payment tokens are important because they convert data captured during payment transactions into unreadable strings. EMV payment token security originates with the restrictions on how payment tokens can be accessed, in terms of the method of payment account reference. Payment tokenization finds increased security in “vaultless tokenization,” a method which does away with the token vault to better protect digital payments. Payment processors in particular are well served by this form of tokenization.
Tokenization and EMV card preparation
In a typical system of EMV personalization, EMV data is prepared using personalization files and personalization information (e.g. personalization data for EMV), where the parameters of each are provided in advance according to the issuer, and keys created by the user. A “standard” EMV personalization is described by standards such as CPS (Card Personalization Specifications). There are certain tags that are arranged according to a logic. Credit card numbers are stored in EMV personalization centers, usually in highly secure buildings.
What is EMV tokenization?
EMV Payment Tokenization allows payment tokens to be used for transactions between merchants and cardholders, from purchase to payment authorization by card issuers and merchants.
The challenges and advantages of EMV tokenization
The acronym EMV means “Europay Mastercard Visa,” and is a standard developed by the payment institutions for which it is named. This technical framework uses standard technology for payment cards to increase card security via the use of near-field communication (NFC) chips. Some countries use additional security functions, such as “chip and PIN” in the United Kingdom, for payments and other transactions. Tokenization refers to a cryptographic process whereby payment credentials (for example, credit cards) are substituted with randomized strings called tokens.