Dara Security

Understanding Chip & PIN and P2PE

November 05, 2014

As credit card fraud has increased in recent months, merchants have worked towards replacing the traditional magnetic stripe credit card with the more secure "Chip & PIN", "encrypted swipe", or "EMV" solution. As the momentum builds towards this enhanced security solution for card transactions, it's worthwhile to understand what this new technology means for consumers and merchants.

When Will Chip & PIN Enter the U.S.

Chip & PIN technology has been used in Europe for years. In the US, full adoption of Chip & PIN is mandated by the card brands for all merchants by October 2015. If a merchant does not implement Chip & PIN technology by this date, the merchant will be liable for all transactions made by a fraudulent card at their location.

Chip & PIN technology aims to reduce credit card fraud for card-present transactions. Card-present transactions are those made in person at a store with a physical credit card. However, Chip & PIN technology does not prevent credit card fraud for transactions where the credit card is not required to be physically present. Online and mail/telephone purchases are transactions that are still susceptible to fraud despite the use of Chip & PIN technology.

Why Move to a Chip & PIN System

A Chip & PIN transaction is very similar to a debit transaction. When a consumer makes a payment with a Chip & PIN card, the consumer inserts the chip-enabled card into a card reader slot. The card no longer needs to be swiped as with traditional magnetic stripe cards. Next, the consumer enters the PIN just as one would when using a debit card. If the PIN is valid for the Chip & PIN card, the transaction will be processed. Otherwise, the transaction will not be approved.

Just as with a debit card, the PIN associated with the Chip & PIN card must be entered in order for a transaction to go through. If the PIN is not known, then one cannot make a card-present transaction at a Chip & PIN terminal. Nor can a criminal create a fraudulent copy of the card and use it at a Chip & PIN terminal, since the PIN must be entered for the transaction to be approved.

Security Risks of Chip & PIN Cards

However, Chip & PIN cards are not as hacker-proof as they are touted to be. When a card reader reads the data off a Chip & PIN card, the data is in clear text, which means that the data is just as vulnerable as with a traditional magnetic stripe card. Criminals can use Chip & PIN card data for e-commerce or telephone transactions where a physical card need not be present. Also, a criminal can duplicate the card and use the fraudulent copy at merchants that do not support Chip & PIN technology. Furthermore, with the captured credit card account number, cardholder name and address (yes, this data is on your credit card), criminals have all they need to begin perpetrating the greater crime of true "Identity Theft." In essence, Chip & PIN technology does not completely protect the consumer from credit card fraud. Although Chip & PIN cards make it more difficult for a criminal to create and successfully use fraudulent cards, consumer data can still be stolen.

So if Chip & PIN does not fully protect the consumer from credit card fraud, what will? Although security is never 100% guaranteed, a technology known as Point-to-Point Encryption (P2PE) can provide more protection than Chip & PIN alone. With P2PE, a consumer's cardholder data is encrypted by the card reader as soon as the data is entered into the device. Once encrypted, the cardholder data is meaningless unless the right key is used to decrypt it. The data remains encrypted throughout the transaction path until it arrives at the merchant's payment processor. No device within the merchant's environment has the ability to decrypt the cardholder data; it is decrypted only once it reaches the payment processor.

How Does P2PE Help Secure Data

With P2PE, an attacker who breaches the merchant's network could capture only encrypted data, not the clear-text information exposed in recent data breaches or in a Chip & PIN deployment. P2PE therefore gives consumers a more secure technology for their credit card transactions. It also benefits merchants because it reduces the PCI DSS and state data protection compliance burden on the merchant environment.
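The data flow described above, as an added example that is not code from Dara Security or from any P2PE product: the reader encrypts cardholder data under a key injected before deployment, the merchant side relays opaque bytes, and only the processor's copy of the key recovers the card number. It models the reader and processor with AES-GCM in Go; the key, the sample PAN and all function names are assumptions, and a real P2PE solution uses PCI-validated hardware and per-transaction key management that this model omits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// Constructed sample: the standard Visa test PAN, not a real card.
const SamplePAN = "4111111111111111"

// InjectKey models loading a 16, 24 or 32 byte key into a reader (or the processor's HSM).
func InjectKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CaptureClearText models a Chip & PIN-only reader: the POS receives the data in the clear.
func CaptureClearText(pan string) []byte { return []byte(pan) }

// CaptureP2PE models a P2PE reader. The injected key is known only to the processor,
// so the merchant's POS, network and logs see only nonce||ciphertext||tag.
func CaptureP2PE(terminalKey cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, terminalKey.NonceSize()) // fresh per transaction
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return terminalKey.Seal(nonce, nonce, []byte(pan), nil), nil
}

// PANExposed models an attacker on the merchant network: is the card number usable?
func PANExposed(captured []byte, pan string) bool { return strings.Contains(string(captured), pan) }

// ProcessorDecrypt runs at the processor; tampered, truncated or wrong-key captures fail GCM authentication.
func ProcessorDecrypt(processorKey cipher.AEAD, captured []byte) (string, error) {
	n := processorKey.NonceSize()
	if len(captured) < n {
		return "", errors.New("capture too short")
	}
	plain, err := processorKey.Open(nil, captured[:n], captured[n:], nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```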

Understandably, consumers are frustrated as they don't know how secure their data is when using their credit cards. Consumers can also become apathetic and accept data breaches as inevitable occurrences. Despite consumer sentiment, consumers have the responsibility to question the security of the merchants they visit. A reasonable question would be if the merchant has upgraded their Point-of-Sale systems to be more secure. To help prevent future security breaches, consumers must ask these types of questions and merchants must be ready to answer them.

Similar to consumers, merchants are frustrated as they're faced with a deadline for Chip & PIN deployment and the decision to implement P2PE, two technologies that may not be entirely clear. Adopting Chip & PIN and/or P2PE can be costly, involving not only a hardware upgrade but possibly also an upgrade to the Point-of-Sale software. In addition, the merchant must ensure that their environment has been deployed correctly in order to fully realize the additional security afforded by these new technologies. Understanding these technologies and what it means to implement them is critical if merchants are to provide the most secure environment possible for their consumers' data.

Dara Security is Certified to Help You Stay Safe

With emerging technologies and increasing breaches, it is critical for merchants to seek the experts in securing their data. Dara Security has extensive knowledge in Chip & PIN and P2PE technology. Our PCI QSA, Payment Application QSA, and P2PE certifications show that we have the skills to advise merchants on the latest technologies and can validate proper implementation of these technologies. We have successfully helped many clients achieve a more secure environment which has enabled them to further protect their consumers' data.