EMV & Encryption. Helping Restaurants avoid Payment Fraud

E la Carte
Restaurant Technology
Oct 28, 2016

In an earlier blog post, we looked at EMV. A related topic of interest for restaurant operators is Encryption. Restaurants are one of the most common targets of payment data theft, and EMV and Encryption work together to mitigate this risk.

EMV refers to the “Europay Mastercard Visa” standard. Its security measures are contained within the payment card itself: the chip on the card holds the card and payment data, and the card can employ either the “chip-and-PIN” or the “chip-and-signature” cardholder verification method (CVM).

The chip provides increased security and protection against liability for fraud. If you have EMV hardware, and the customer first uses the chip, you will (as a general rule) not face liability for fraudulent charges — even if the customer later goes on to use the magstripe to process the payment. Chip cards are also much harder to counterfeit: merely knowing the card number, the name of the cardholder and the data from the magstripe is insufficient to make a counterfeit chip card. The unique data on the chip is needed, and a counterfeit chip is difficult if not impossible to produce. If you still use outdated magstripe card reader hardware, fraudsters can use counterfeit cards at your restaurant, making you liable for fraudulent charges. If you have moved to EMV readers and require the use of the chip, or at least attempt to do so before accepting magstripe as a fallback method, you will not be liable for a fraudulent charge.
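The reason magstripe data can be copied while chip data cannot is that the chip never reveals its secret; it uses the secret to compute a fresh cryptogram for every transaction, bound to a counter and to values the terminal supplies. The following Go program is an added illustration of that principle, not code from the original post or from E la Carte, and it deliberately simplifies EMV: a real card derives session keys and uses a MAC over far more fields, while this model uses HMAC-SHA256 over the PAN, an application transaction counter (ATC), the amount and the terminal's unpredictable number. The `ChipCard`, `Issuer` and `Transaction` types and the constructed PAN and key are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction carries the terminal-supplied fields that go into the
// cryptogram (a small subset of what EMV actually signs).
type Transaction struct {
	AmountCents   uint64
	Unpredictable uint32 // random number chosen by the terminal per transaction
}

// ChipCard models the card-resident secret and its transaction counter.
// The key never leaves the chip; only cryptograms do.
type ChipCard struct {
	pan string
	key []byte
	atc uint16
}

// Cryptogram is what the chip returns to the terminal for one transaction.
type Cryptogram struct {
	PAN string
	ATC uint16
	MAC string
}

// GenerateCryptogram increments the ATC and authenticates this transaction.
func (c *ChipCard) GenerateCryptogram(tx Transaction) Cryptogram {
	c.atc++
	return Cryptogram{PAN: c.pan, ATC: c.atc, MAC: mac(c.key, c.pan, c.atc, tx)}
}

// mac computes HMAC-SHA256 over the PAN, ATC, amount and unpredictable number.
func mac(key []byte, pan string, atc uint16, tx Transaction) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	buf := make([]byte, 2+8+4)
	binary.BigEndian.PutUint16(buf[0:], atc)
	binary.BigEndian.PutUint64(buf[2:], tx.AmountCents)
	binary.BigEndian.PutUint32(buf[10:], tx.Unpredictable)
	m.Write(buf)
	return hex.EncodeToString(m.Sum(nil))
}

// Issuer holds the same per-card key and the highest ATC seen per PAN,
// so a previously accepted cryptogram cannot be presented twice.
type Issuer struct {
	keys    map[string][]byte
	lastATC map[string]uint16
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string][]byte{}, lastATC: map[string]uint16{}}
}

// Enroll personalises a card with a key shared only between chip and issuer.
func (i *Issuer) Enroll(pan string, key []byte) *ChipCard {
	i.keys[pan] = key
	return &ChipCard{pan: pan, key: key}
}

// Authorize verifies the cryptogram against the transaction the terminal
// reported and rejects stale or replayed counters.
func (i *Issuer) Authorize(cg Cryptogram, tx Transaction) error {
	key, ok := i.keys[cg.PAN]
	if !ok {
		return errors.New("unknown PAN")
	}
	if cg.ATC <= i.lastATC[cg.PAN] {
		return errors.New("replayed or stale ATC")
	}
	want := mac(key, cg.PAN, cg.ATC, tx)
	if !hmac.Equal([]byte(want), []byte(cg.MAC)) {
		return errors.New("cryptogram does not match transaction")
	}
	i.lastATC[cg.PAN] = cg.ATC
	return nil
}

func main() {
	iss := NewIssuer()
	// Constructed test PAN and demo key; real keys are personalised into the chip.
	card := iss.Enroll("4111111111111111", []byte("constructed-demo-key-0123456789"))
	tx := Transaction{AmountCents: 4250, Unpredictable: 0x1a2b3c4d}
	cg := card.GenerateCryptogram(tx)
	fmt.Println("first use:", iss.Authorize(cg, tx))
	fmt.Println("same cryptogram again:", iss.Authorize(cg, tx))
	fmt.Println("next transaction differs:", card.GenerateCryptogram(tx).MAC != cg.MAC)
}
```

Two swipes of a magstripe present identical track data, so a copy is indistinguishable from the original; two taps of this model card produce different cryptograms, and the issuer refuses a cryptogram whose counter it has already consumed or whose amount and unpredictable number do not match what the terminal sent.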

So, what is Encryption? It is a related technology that works with and complements EMV, by adding a layer of security.

Encryption is a security measure that is contained within the card reading terminal. The general principle is to encrypt data at the point of entry into the payment system and decrypt it at the payment processor’s end. In some cases, the data can be decrypted and re-encrypted at one or more steps during the process by intermediate payment providers (e.g. gateway providers, acquirers, or ISOs).

There are two different terms in common use to describe encryption schemes. The first is E2EE (end-to-end encryption), a catch-all term for many types of proprietary encryption schemes, some of which individual US acquiring banks have been using for many years.

The second is P2PE (point-to-point encryption), a more recent encryption scheme that has been standardized by the Payment Card Industry (PCI) — the latest version of the standard (PCI P2PE 2.0) was released in June 2014. Besides being more widely recognized, this standard provides the added benefit of allowing merchants to significantly reduce the scope of their annual PCI DSS audits. This is because PCI acknowledges the reduction of scope in the CDE (Cardholder Data Environment) afforded by P2PE solutions, but does not acknowledge this reduction in the case of proprietary E2EE solutions.

In both cases, the processor manages the cryptographic keys. The merchant never has access to the keys or the cardholder data.
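What "the merchant never has access to the keys or the cardholder data" means in practice is that everything downstream of the reader, including the POS, the back office and any malware running on them, handles only an opaque blob. The Go program below is an added example of that flow, not code from the original post or from any P2PE solution provider: the reader encrypts the PAN with AES-GCM under a key that, in a real deployment, is injected into the reader's secure cryptographic device and otherwise exists only at the processor (here it is passed in as a demo assumption). The `EncryptedCapture` type, the function names and the constructed test PAN are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// EncryptedCapture is what the terminal hands to the merchant's POS: an
// opaque ciphertext plus only the data the merchant legitimately needs for
// the receipt (the last four digits). Hypothetical simplification of a
// P2PE solution's output.
type EncryptedCapture struct {
	Nonce      []byte
	Ciphertext []byte
	Last4      string
}

// terminalEncrypt models the card reader encrypting the PAN at the point of
// entry. The key is passed in only for the demo; a real reader holds it in
// a secure cryptographic device and the merchant never sees it.
func terminalEncrypt(key []byte, pan string) (EncryptedCapture, error) {
	if len(pan) < 4 {
		return EncryptedCapture{}, errors.New("PAN too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return EncryptedCapture{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return EncryptedCapture{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCapture{}, err
	}
	// AES-GCM gives confidentiality and integrity: the processor will detect
	// any modification of the ciphertext in transit.
	ct := aead.Seal(nil, nonce, []byte(pan), nil)
	return EncryptedCapture{Nonce: nonce, Ciphertext: ct, Last4: pan[len(pan)-4:]}, nil
}

// merchantView is everything the POS and back office can observe.
func merchantView(c EncryptedCapture) string {
	return fmt.Sprintf("card ending %s, %d bytes of ciphertext", c.Last4, len(c.Ciphertext))
}

// containsPAN reports whether the clear-text PAN appears anywhere in what the
// merchant holds (it should not).
func containsPAN(c EncryptedCapture, pan string) bool {
	return strings.Contains(string(c.Ciphertext), pan) || strings.Contains(merchantView(c), pan)
}

// processorDecrypt models the payment processor's decryption environment,
// the only place the key exists in clear.
func processorDecrypt(key []byte, c EncryptedCapture) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered data")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys are injected, never hard-coded
	for i := range key {
		key[i] = byte(i)
	}
	const pan = "4111111111111111" // constructed test card number
	capture, err := terminalEncrypt(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:", merchantView(capture))
	clear, err := processorDecrypt(key, capture)
	fmt.Println("processor recovers:", clear, err)
	capture.Ciphertext[0] ^= 0x01 // simulate tampering in transit
	_, err = processorDecrypt(key, capture)
	fmt.Println("after tampering:", err)
}
```

The scope reduction the post describes follows directly from this split: systems that only ever see `EncryptedCapture` values hold no cardholder data they could leak, and a PAN can only be recovered where the key lives.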

According to the Smart Card Alliance, encryption is valuable to the merchant because:

  • Encrypts the PAN (Primary Account Number) and/or the transaction data, so there is no opportunity to monetize the data.
  • Eliminates the risk of monetization by a data thief, since data that can’t be decrypted can’t be used.
  • Works on the principle that “all organizations should assume they’ve been hacked”.
  • Can reduce the scope of a merchant’s PCI DSS compliance efforts (in the case of P2PE).

EMV and encryption are two different security technologies that work in unison to create a stronger data protection and fraud prevention environment.


E la Carte makes The Presto System, a table-top dining solution with a guest-facing, at-the-table tablet for ordering, games and payment. Elacarte.com