Protecting customer data at the point of sale

We speak to Microsoft’s Pinar Salk to understand how innovations in point-to-point encryption are helping retailers and merchants to provide a more secure POS experience for their customers

By Rebecca Gibson on 24 August 2016

Protecting customer data at the point of sale

This article first appeared in the Summer 2016 issue of The Record.

Juniper Research predicts that rapid digitisation of the enterprise space will raise the cost of data breaches to US$2.1 trillion globally by 2019, almost four times the cost of breaches in 2015. In fact, British insurance firm Lloyd’s estimated that cyber attacks already cost businesses up to US$400 billion a year, which includes direct damage plus post-attack disruption.

“The growing cost of increasingly sophisticated cybercrime has made security a top priority for retailers at the POS, whether customers are purchasing products online via their smartphone, at an interactive in-store kiosk or a traditional cash register,” says Pinar Salk, Microsoft’s industry solutions director for Retail.

Today, any organisation or merchant that captures, transmits, processes or stores any cardholder data must adhere to the global Payment Card Industry Data Security Standard (PCI DSS), which aims to reduce credit and debit card fraud. In addition, financial institutions in Europe, Latin America, Asia Pacific, Canada and the US issue chip-and-pin or contactless credit and debit cards that meet Europay, MasterCard and Visa (EMV) standards, while merchants and retailers operate EMV-ready POS devices.

“Although EMV technology confirms that cards and cardholders belong together, it doesn’t encrypt card data passing from the merchant to the payment processor, leaving it vulnerable,” explains Salk. “As retailers and merchants, rather than banks, are now liable for fraud if they do not have EMV-ready POS terminals, they’re looking for ways to protect card data quickly and easily.”

According to Salk, point-to-point encryption (P2PE) is the “most logical route” to protecting the retail environment with minimal cost and effort, particularly as retailers adopt new payment technologies, such as mobile and contactless cards.

“P2PE is a payment security solution that ensures confidential credit and debit card data is encrypted at all times, from the moment the customer inserts or taps their card at the POS, to the moment the payment is authorised by a third-party payment processor,” she explains. “It secures all devices, applications, servers, databases and IT systems involved in the transaction process, and because the card data is instantly converted into indecipherable code, fraudsters are only able to access useless information. P2PE is the quickest, cheapest and most convenient way for retailers to protect their customers’ privacy.”

Most importantly, Salk highlights, implementing a PCI-verified P2PE solution reduces the costs, time and complexity associated with completing PCI DSS audits.

“PCI DSS compliance is required for all systems involved with the credit card processing, so retailers and merchants must typically audit 284 controls each year to prove PCI compliance,” she says. “However, P2PE reduces this to just 19 because they no longer need to evaluate the POS, operating systems and internal networks. Plus, penetration tests and vulnerability scans are no longer required.”

Microsoft’s go-to-market P2PE partner is FreedomPay, which has developed the world’s first PCI-validated P2PE payments solution with EMV, NFC and real-time data capabilities on Microsoft Azure.

“Card data from a retailer’s POS is encrypted and then decrypted inside the FreedomPay Commerce Platform’s hybrid cloud infrastructure before it is securely transmitted to payment processor for authorisation,”

To date, the platform has helped multiple retailers, hospitality providers and other organisations to protect customers’ data. Food service provider Compass Group, for example, now relies on FreedomPay’s solution to securely process customers’ mobile transactions via its EMV-ready payment terminals at dining venues in more than 50 countries worldwide, including at Microsoft’s headquarters in Redmond, US. Not only have the card data tokenisation capabilities increased Compass Groups’ transaction capacity and made payments secure, but they have also boosted sales and enhanced customer satisfaction.

Salk expects payments to become even more secure over the next year as more retailers continue to adopt POS systems powered by Microsoft’s Windows 10 operating system, launched in July 2015.

“Windows 10 provides maximum protection against malware – today’s biggest cybersecurity threat – while the built-in mobile device management features and the multi-factor identification and authentication capabilities make it easier for retailers to secure POS devices. Together with our partners, Microsoft is leading the way in P2PE and significantly enhancing POS security for our retail clients and their customers.”