This article was first published in the Spring 2015 issue of OnWindows
While the vast majority of countries across the globe have been using EMV-standard cards for some time, the US has lagged behind. However, with cyber-crime continuing to threaten citizens across the country, it has become abundantly clear that US financial entities need to step up.
“Last year, millions of Americans became victims of identity theft,” said US president Barack Obama at the recent Consumer Financial Protection Bureau in Washington. “These crimes don’t just cost companies and consumers billions of dollars every year, they also threaten the economic security of middle-class Americans who have worked really hard for a lifetime to build some sort of security. The idea that somebody halfway around the world could run up thousands of dollars in charges in your name just because they stole your number, or because you swiped your card at the wrong place in the wrong time, that’s infuriating.”
Stopping it requires issuers and merchants across the US to shift to EMV. “We’re going to begin making sure that credit cards and credit-card readers issued by the US government come equipped with two new layers of protection: a microchip in the card that’s harder for thieves to clone than a magnetic strip, and a pin number you enter into the reader just as you do with an ATM,” Obama explained. “We know this technology works. When Britain switched to a chip-and-pin system, they cut fraud in stores by 70%.”
In an attempt to make progress in this regard, the major credit card brands are demanding that new payment security standards be adopted in the US as of October 2015. This means that after this date, those issuers and merchants using non-EMV compliant devices that choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
On the back of this, according to The Payments Security Task Force, by the end of the year, 575 million chip cards will be issued by the end of 2015, representing about 71% of credit cards and 41% of debit cards. This represents real progress given the scale and complexity of this overall effort.
However, in this new environment, it is more important than ever that issuers and merchants remain focused on security. “Navigating a payments landscape that continues to evolve means that new threats emerge with increasing regularity,” says Christopher Kronenthal, chief technology officer at FreedomPay. “What’s more is that while EMV technology confirms that the card and the cardholder belong together, it does not encrypt the payment data passing through the merchant’s environment on the way to the payment processor.”
In response to this, the Payments Card Industry (PCI) council has established a set of standards that seek to make payments more secure and easier for merchants to manage. “Specifically, PCI’s point-to-point encryption (P2PE) standard meticulously defines the procedures that a payment solution provider must adhere to and, in doing so, enables merchants to process payments securely while keeping their network environment completely out of scope for PCI security audits,” says Kronenthal. “With P2PE, transactions are entirely encrypted before they even enter the merchant’s location, essentially removing cardholder data from the merchant’s POS and network.”
Many vendors in the payments industry are claiming to offer P2PE, usually bundled with a POS system and/or payment terminal and/or payment gateway. However, as Kronenthal cautions, merchants must beware of false claims and misstatements. “Any P2PE solution that does not adhere to the stated PCI requirements and has not been listed by the PCI Security Council as validated P2PE will not take the merchant’s POS and supporting network infrastructure out of scope of compliance,” he says.
FreedomPay has reinvented its business according to the strict standard required by PCI for point-to-point encryption. The exacting process of achieving PCI validation for P2PE has resulted in FreedomPay building a platform that delivers merchants immediate benefits around payment security and scope reduction, as well as ongoing opportunities to innovate and add value.
“Initially, we have partnered with Ingenico Group and ScanSource to deliver all facets of the P2PE solution,” says Kronenthal. “Ingenico’s best-in-class hardware and ScanSource’s secure distribution and key injection capabilities have been fully vetted as part of the PCI P2PE assessment process, offering merchants in any industry the flexibility to roll out a variety of compliant devices, which support traditional magnetic stripe payments, as well as EMV and NFC.”
As North America’s first fully-functional PCI-validated P2PE platform with EMV and NFC-ready terminals, FreedomPay is setting the standard for merchants to deliver a customer experience based on security, functionality and intelligence. “It is here, at the intersection of payments and data, that FreedomPay is able to deliver on its promise to merchants to make payments smarter, simpler and more secure,” says Kronenthal.
Share this story