Payment Security: Cutting Through the Terms

Merchants are intensely concerned about payment security, and rightly so, considering the destructive costs of data breaches. However, when you try to explain PCI compliance, you probably notice their eyes glazing over.

If you want a busy merchant’s cooperation, you’ve got to be able to explain payment security in terms that are simple and direct. Unfortunately, in the busyness of merchant services, security terms and concepts can sometimes become a little fuzzy for all of us.

Let’s review some data security terms and what they mean to you. By understanding the foundations of payment security, you can communicate the priority of PCI DSS compliance to your merchants, and make sure the payment solutions you offer actually meet merchants’ needs.

Here’s What You Need to Know:

PCI SSC: The PCI SSC (Payment Card Industry Security Standards Council) is the body that sets, develops and revises the globally accepted payment card industry security standards. It was founded by, and is backed by, the major card brands, although merchants may not be quite so enthusiastic about the work involved in meeting its requirements. Remember that the PCI SSC website is an invaluable resource for merchants and acquirers alike: you can find everything from basic information pamphlets to the full technical requirements.

PCI DSS: The PCI DSS (Data Security Standard) is the set of security requirements that anyone who stores, processes or transmits cardholder data must follow. The standard itself is one document; what varies with the merchant’s payment scenario and transaction volume is how much of it is in scope and how compliance must be validated (self-assessment versus an on-site assessment by a Qualified Security Assessor). As security risks and payment technologies evolve, the standard is regularly revised, so it’s important to make sure your merchants keep up with the changes rather than relying on last year’s checklist.

PCI SAQ: The PCI SAQ (Self-Assessment Questionnaire) is the document that merchants eligible for self-assessment (as opposed to a full on-site assessment) complete annually and submit to their acquirer. This document, along with a signed AoC (Attestation of Compliance), is the merchant’s attestation that it meets the PCI DSS requirements that apply to it. There are several SAQ types, each matched to a payment scenario (for example card-not-present only, standalone dial-out terminals, or a validated P2PE solution), and each puts a different subset of the requirements in scope. It’s important that your merchant completes the SAQ that actually fits how it accepts cards; the wrong questionnaire means either wasted effort or unaddressed risk.

EMV: Originally standing for Europay, Mastercard, Visa, EMV is the chip card standard maintained by EMVCo, a consortium owned by the major payment brands. What EMV actually changed in card-present payments is that the chip computes a unique cryptogram for every transaction using a key that never leaves the card, so data skimmed from one transaction cannot be replayed or used to produce a working counterfeit card. That per-transaction cryptogram, not tokenization and not encryption of the card number, is what is behind the roughly 75% drop in counterfeit card-present fraud reported at chip-enabled merchants. EMVCo also publishes a separate payment tokenization specification, which is what mobile wallets and some ecommerce systems use (see Tokenization below).

Encryption: Encryption is the general term for converting data into ciphertext using an algorithm and a key; anyone holding the right key can convert it back. Secure encryption of PAN data (the card number) is critical for payment security, and there are several methods by which it is accomplished depending on the processing environment. Encryption and tokenization are both effective means of protecting cardholder data, but they are not the same thing: encrypted data is still cardholder data in PCI DSS terms wherever the key could be reached, whereas a token is a stand-in with no key to recover. That is why tokenization is generally preferred for anything the merchant needs to keep after the transaction, such as cards on file, since it takes the PAN out of the merchant’s systems entirely. Which leads us to...

Tokenization: Tokenization is a method by which sensitive data, typically the PAN, is replaced with a surrogate value called a token. The token is not an encrypted form of the card number: it is a random or otherwise unrelated value, and the only way to get back to the PAN is a lookup in the token vault, which sits at the processor or token service provider, not at the merchant. A stolen token is therefore useless to an attacker on its own. Tokenization is what the EMVCo payment tokenization specification provides for mobile wallets and for ecommerce, where the card number stored on the phone or with the merchant is replaced by a token that is only valid in a restricted context. Visa Checkout, Masterpass and PayPal all use tokenization for ecommerce payments, although tokenization is not used exclusively in CNP channels.
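To make the difference between encryption and tokenization concrete, the following is an added example written for this article, not code from any processor, token service or card brand. It models a vault-based tokenization service (the class `TokenVault`, the sample test PAN and the merchant-side check are all assumptions for illustration): the token keeps the PAN’s length and last four digits so receipts and customer service still work, it is deliberately built so that it fails the Luhn check and can never be submitted as a card number, and it has no mathematical relationship to the PAN, so there is no key to “decrypt” it; only the vault can map it back. A small merchant-side check then shows how to confirm that nothing resembling a live PAN is being written to the merchant’s own database.

```python
"""Vault-based payment tokenization, illustrated.

Example code written for this article, not any processor's product.
The vault, its API, the merchant-side check and the sample PAN are
assumptions for illustration only.
"""
import secrets

# Constructed sample input: a widely published Visa test number, not a live card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place a token maps back to a PAN.

    Unlike encryption, the token is random and has no mathematical relationship
    to the PAN, so there is no key that turns it back, only this lookup table.
    A production vault would itself hold the PAN column encrypted under an
    HSM-managed key; that detail is omitted here.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        # Multi-use token: the same card always maps to the same token, so the
        # merchant can still run recurring billing and per-card analytics.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Format-preserving: same length as the PAN, last four digits kept.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject anything that passes Luhn so the token
            # can never be mistaken for, or submitted as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the party holding the vault can recover the PAN."""
        return self._pan_by_token[token]


def merchant_store_is_clean(records: list[dict]) -> bool:
    """Merchant-side check: nothing in the merchant's own records should look like a live PAN.

    Any 13-19 digit, Luhn-valid value is treated as a PAN and rejected. Tokens
    from the vault above fail Luhn by construction, so they pass this check.
    """
    for rec in records:
        for value in rec.values():
            s = str(value).replace(" ", "").replace("-", "")
            if 13 <= len(s) <= 19 and s.isdigit() and luhn_valid(s):
                return False
    return True


def demo() -> dict:
    """Run the merchant/processor flow on the constructed sample PAN."""
    vault = TokenVault()  # lives at the processor, never in the merchant environment
    token = vault.tokenize(SAMPLE_PAN)
    merchant_db = [{"order": 1001, "card": token, "amount": "19.99"}]
    return {
        "token": token,
        "last4_match": token[-4:] == SAMPLE_PAN[-4:],
        "token_is_pan": token == SAMPLE_PAN,
        "stable": vault.tokenize(SAMPLE_PAN) == token,
        "round_trip": vault.detokenize(token) == SAMPLE_PAN,
        "merchant_db_clean": merchant_store_is_clean(merchant_db),
        "raw_pan_rejected": not merchant_store_is_clean([{"card": SAMPLE_PAN}]),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from running it: the merchant database ends up holding a value that looks enough like a card number to keep existing screens working, yet an attacker who steals it cannot recover the PAN by brute force or with any key, and cannot use it at another merchant because it is not even a valid card number. The merchant-side check is the kind of control a QSA or an acquirer can ask for as evidence that a tokenization rollout actually removed PANs from the environment.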

P2PE: Point-to-Point Encryption is a PCI SSC standard for solutions that encrypt cardholder data inside the card-reading device (the point of interaction) the moment the card is read, and decrypt it only in the solution provider’s secure environment. The merchant never holds the decryption keys, so encrypted data passing through its POS and network is out of its reach. Solutions are assessed against the standard and listed on the PCI SSC website, and a merchant using a listed solution as specified can validate with the much shorter SAQ P2PE. It is the gold standard for protecting card-present data and offers merchants the largest reduction in PCI DSS scope, although getting a solution validated and listed is no walk in the park for solution providers, and merchants must still use it exactly as the solution’s implementation manual requires.

E2EE: End-to-End Encryption is a catch-all term for various encryption solutions on the market that encrypt cardholder data at or near the merchant’s terminal. E2EE is not the same as P2PE. An E2EE solution has not been assessed and listed by the PCI SSC, so it does not by itself qualify the merchant for the P2PE scope reduction (any scope reduction is at the acquirer’s discretion). The effectiveness of E2EE depends largely on how well each provider in the transaction chain has implemented it, including where the keys live and who can reach them, and there is no independent body checking that.

When possible, a listed P2PE solution is the better security option for your merchants; however, P2PE is not available for every payment scenario. In those cases, it is reasonable to offer merchants an E2EE solution, with the understanding that it protects data in transit but does not carry the same validated scope reduction.

Merchant services is no job for slackers. It’s a juggling act of processing, billing, customer service and marketing. And when you throw in ever-changing security requirements? It’s easy for the details to get lost in the shuffle. With a good understanding of data security, you can explain these concepts effectively to your merchants. In the long run, clear communications will mean better security for your merchants. Make sure the facts aren’t being obscured by the buzzwords.
