EMV, P2PE, and Tokenization: Which is Right for Me?
While it is important to know that EMV, Point-to-Point Encryption (P2PE), and tokenization all share a core purpose of protecting sensitive cardholder data, it is even more important to understand that you don’t have to choose between these methods of defense. In fact, all three of these technologies can be used in the same environment to protect critical data in every stage of use.
In this post, I’d like to break down what these technologies are and how they can be used individually as well as together:
EMV chip-based payment technology is used to prevent card duplication, an often inexpensive attack carried out by criminals who fraudulently gather card numbers by purchasing large quantities of them on the Internet or even by using “skimming” devices placed over legitimate payment terminals or ATMs. EMV-enabled payment cards have an embedded cryptographic chip that is used in conjunction with a PIN to verify cardholder authenticity, as opposed to the simple magnetic stripe often used.
EMV cards further help prevent fraud by generating an Authorization Request Cryptogram (ARQC) when inserted into a payment acceptance device. This cryptogram is sent along with the transaction data and is checked by the card issuing organization using a hardware security module (HSM) prior to authorizing the transaction.
Point-to-Point Encryption protects cardholder data by encrypting it at the Point of Interaction (POI). The information remains encrypted through transit until it reaches the secure boundary of a FIPS 140-2 Level 3 and PCI HSM validated hardware security module, at which point it is safely decrypted without fear of tampering. P2PE is used most notably in retail environments as a way of protecting Primary Account Number (PAN) data from the moment it is captured at the POI. By implementing P2PE, organizations are able to improve their data security infrastructure while also reducing PCI DSS compliance scope and expense.
Tokenization protects PAN data in storage by removing it altogether, replacing it with an identifier known as a token. In typical financial applications of tokenization, a payment transaction occurs and the merchant retains only the token. The token is linked to that specific cardholder account and, by itself, has no worth to fraudsters. For processes such as refunds, returns, and additional purchases, the transaction token can be used by the processor to look up the PAN needed to process the appropriate transaction.
Beyond the effort associated with storing PAN data compliantly, storing important information as clear text poses an unnecessary risk regardless of protective measures taken. Implementing tokenization gives merchants a reduction in PCI DSS scope and cost as well as a greatly reduced chance of a security breach.
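The tokenization flow described above, as an added Python example that is not from the original post: the merchant keeps only a token, and the processor resolves it back to the PAN for a refund. `ProcessorVault`, `Merchant`, the `tok_` prefix and the in-memory dictionaries are assumptions standing in for a processor's protected storage, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class ProcessorVault:
    """Processor side: the only place where the token -> PAN link is known."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._token_by_index = {}
        self._pan_by_token = {}  # assumption: encrypted at rest in a real vault

    def tokenize(self, pan):
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        token = self._token_by_index.get(index)
        if token is None:
            # Random value: nothing about the PAN can be derived from the token.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_index[index] = token
            self._pan_by_token[token] = pan
        return token  # the same account always maps to the same token

    def refund(self, token, amount_cents):
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # The PAN is used here, inside the processor, and never returned.
        return {"approved": True, "last4": pan[-4:], "amount_cents": -amount_cents}


class Merchant:
    """Merchant side: keeps the token and display data, never the PAN."""

    def __init__(self, vault):
        self._vault = vault
        self.orders = {}

    def purchase(self, order_id, pan, amount_cents):
        token = self._vault.tokenize(pan)
        self.orders[order_id] = {"token": token, "last4": pan[-4:],
                                 "amount_cents": amount_cents}
        return token

    def refund(self, order_id):
        order = self.orders[order_id]
        return self._vault.refund(order["token"], order["amount_cents"])


TEST_PAN = "4111111111111111"  # constructed sample: a well-known test card number
```

A copy of `Merchant.orders` taken from the merchant's systems contains tokens and last-four digits only; without access to the vault, those tokens cannot be turned back into card numbers.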
Covering All Your Bases
You can’t rely on strong security measures in just one area of your electronic payment infrastructure and expect to avoid a data breach. While each of these solutions improves security for sensitive cardholder data on its own, using all three simultaneously provides substantially greater benefit in protecting against fraudulent activity.
For example, EMV cards protect sensitive data by guarding against card “skimming” and counterfeiting, tokenization replaces clear PAN data at rest with information not useful to fraudsters, and P2PE protects cardholder data while in transit. Each of these areas has a different focus, but all work together toward the same common goals.
By establishing a payments ecosystem incorporating EMV, P2PE, and tokenization, organizations can reduce the scope of PCI DSS compliance, reduce the risk of incurring a costly data breach, and establish themselves as leaders in the rapidly evolving field of payment data security.