
Best practices for securing cardholder data


Key takeaways

  • Responding to the rising threat of cybercrime, organizations that accept payment cards should consider using point-to-point encryption (P2PE) technology solutions.

  • P2PE encrypts cardholder data in the card reader, protecting against attacks that target payment data at the point of acceptance.

  • To minimize exposure to compliance violations, merchants should select P2PE solutions that appear on the PCI Security Standards Council's list of validated solutions; only a listed solution, operated as its instruction manual requires, earns the reduced Payment Card Industry Data Security Standard (PCI DSS) validation scope.

Organizations that accept payment cards should consider employing a technology that can improve payment data security by encrypting card data at the point of acceptance.

The technology is called “point-to-point encryption” (P2PE). When a P2PE solution has been assessed against the PCI P2PE Standard and listed by the PCI Security Standards Council, it can both protect an organization against cybercrime and minimize its exposure to PCI DSS compliance violations.

Responding to ever-shifting trends and consumer preferences, retailers are experts at finding innovative ways to gain a competitive edge. They were early adopters of technology that streamlined online checkout to boost sales and attract new customers. Now, they’re finding that offering more consumer-friendly payment options improves sales and reduces cart abandonment.

The rising threat of cybercrime

As consumer preference for digital payment options increases, so does the likelihood of data breaches, ransomware, hacking and other fraud events.

According to an IBM study, the average cost of a data breach in the U.S. is $9.44 million and the average cost of a ransomware attack is $5.54 million. In addition to these direct financial costs, cybercrime events increase the risk businesses face of incurring fines and penalties related to compliance violations once data compromises have been revealed.

Businesses that want to protect their brand need to ensure their payment data and digital transactions are secure with solutions that reduce both business and compliance risk.

What is P2PE encryption?

Point-to-point encryption is a technology that encrypts cardholder data inside the card reader the moment a card is read, before the data reaches any merchant system. The encrypted payload passes through the business’s payment environment as an opaque blob the business cannot read and is sent to the solution provider’s decryption environment, where it is decrypted and forwarded for authorization. Because the decryption keys exist only in the reader’s secure hardware and in the provider’s decryption environment, an attacker who compromises the merchant’s network captures ciphertext that is of no value to them. (PCI-listed P2PE solutions cover card-present acceptance through validated point-of-interaction devices; online checkout is protected by other mechanisms.)

P2PE technology provides a layer of security that:

  • Safeguards from the point of entry
    P2PE encrypts cardholder data inside the card reader’s secure cryptographic device, so the card number never exists in the clear on the point-of-sale terminal, the store network or any back-office system, protecting against attacks (such as memory-scraping malware) that target payment data at the point of acceptance.
  • Secures data in transit
    The encrypted data can safely be transferred over any network to the provider’s payment gateway, which passes it to the decryption environment and on to the processor to complete the transaction authorization. After decryption, the processor can tokenize the card data and return a token to the merchant; the token can be stored in the merchant's environment for future transactions without the merchant ever holding the card number.
  • Reduces Payment Card Industry Data Security Standard (PCI DSS) validation scope
    Because the merchant’s systems never see cleartext card data and never hold decryption keys, most PCI DSS requirements no longer apply to them. Merchants using a PCI-listed P2PE solution according to its P2PE Instruction Manual (PIM) may validate with the much shorter SAQ P2PE questionnaire, reducing the scope (and associated resources and costs) of PCI DSS compliance validation.
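The three-party flow the list above describes, reduced to a runnable simulation. This is an added example, not code from the article or from any P2PE solution provider. The base derivation key, the device ID and the card number (the Visa test PAN 4111 1111 1111 1111) are constructed stand-ins; the per-transaction key derivation and the HMAC-SHA256-based cipher are simplifications of the DUKPT/AES schemes a listed point-of-interaction device actually uses. What the example preserves is the architecture: only the reader and the decryption environment hold the base key, the merchant only ever handles ciphertext and a masked PAN, a tampered blob is rejected, and what comes back to the merchant is a token rather than the card number.

```python
"""Simulated P2PE transaction: card reader -> merchant POS -> decryption environment.

Added example. BDK, device ID and PAN are constructed; the cipher and key
derivation stand in for DUKPT/AES and are not what a real POI device runs.
"""
import hashlib
import hmac
import json
import secrets
import struct

# Constructed base derivation key. In a real deployment it is injected into the
# reader's secure cryptographic device and the provider's HSM; the merchant never has it.
BDK = hashlib.sha256(b"constructed-example-bdk").digest()


def derive_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """Unique key per transaction from the BDK and the key serial number (simplified DUKPT)."""
    return hmac.new(bdk, b"p2pe-txn-key|" + ksn, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC subkeys so the two HMAC uses never share inputs."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; any modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("P2PE blob failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation of a PAN."""
    total = 0
    for i, d in enumerate(int(ch) for ch in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardReader:
    """Point of interaction: the only merchant-side component that sees the cleartext PAN."""

    def __init__(self, bdk: bytes, device_id: bytes):
        self._bdk, self._device_id, self._counter = bdk, device_id, 0

    def read_card(self, pan: str, expiry: str) -> dict:
        self._counter += 1
        ksn = self._device_id + struct.pack(">I", self._counter)  # key serial number, sent in clear
        blob = encrypt(derive_txn_key(self._bdk, ksn), f"{pan}|{expiry}".encode())
        # Only the ciphertext, the KSN and a masked PAN (first 6 / last 4) leave the reader.
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        return {"ksn": ksn.hex(), "blob": blob.hex(), "masked_pan": masked}


class DecryptionEnvironment:
    """Provider side: decrypts inside the HSM boundary and returns a token, never the PAN."""

    def __init__(self, bdk: bytes):
        self._bdk, self._vault = bdk, {}

    def authorize(self, msg: dict) -> dict:
        key = derive_txn_key(self._bdk, bytes.fromhex(msg["ksn"]))
        pan, expiry = decrypt(key, bytes.fromhex(msg["blob"])).decode().split("|")
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(8)   # what the merchant is allowed to keep
        self._vault[token] = (pan, expiry)
        return {"approved": True, "token": token, "last4": pan[-4:]}


def run_transaction(pan: str = "4111111111111111", expiry: str = "1227") -> dict:
    """Run one transaction and report what the merchant could see and whether tampering is caught."""
    reader = CardReader(BDK, device_id=b"\x01\x02\x03\x04")
    provider = DecryptionEnvironment(BDK)
    msg = reader.read_card(pan, expiry)      # the merchant POS receives exactly this ...
    merchant_view = json.dumps(msg)          # ... and forwards it unchanged
    response = provider.authorize(msg)
    # Flip the last byte of the blob in transit: the provider must refuse it.
    last = "00" if msg["blob"][-2:] != "00" else "11"
    try:
        provider.authorize(dict(msg, blob=msg["blob"][:-2] + last))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"merchant_view": merchant_view, "response": response, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(json.dumps(run_transaction(), indent=2))
```

Run it and inspect `merchant_view`: the full card number appears nowhere in what the merchant's systems handle, which is the property that lets the PCI DSS scope shrink. The one thing this simulation cannot show is the part the PCI P2PE Standard spends most of its requirements on: that the reader's key material lives in tamper-responsive hardware and that the decryption environment is operated and audited to the standard.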


What is the Payment Card Industry Data Security Standard – and why is validation important?

PCI DSS is a globally recognized security standard for protecting payment card data. It’s designed to ensure that all companies handling payment card information maintain a secure environment and requires compliance from all organizations that accept, process, store or transmit card data. In other words, all businesses that accept payment cards must comply.

Failure to comply with PCI DSS can result in significant fines and other penalties, including potential disruptions to business operations.

While any well-implemented encryption at the point of acceptance protects payment information, only a P2PE solution listed by the PCI Security Standards Council, and operated according to its P2PE Instruction Manual (PIM), formally qualifies a merchant for the reduced PCI DSS validation scope. With an unlisted encryption product, any scope reduction is at the discretion of the merchant’s acquirer, and the merchant remains exposed to the full assessment and to compliance penalties if a breach reveals gaps.

A PCI-validated solution is one that a qualified P2PE assessor has assessed against the PCI P2PE Standard, covering the encryption devices, the applications on them, the key management and the decryption environment, and that the PCI Security Standards Council has then added to its public list. The benefits of a listed solution include:

  • Payment data security that has been independently assessed rather than asserted by the vendor
  • Reduction of the scope, time and costs associated with PCI DSS compliance validation
  • Protection of brand reputation through card data security that meets the established PCI standards

P2PE solutions and providers

P2PE solution providers take on most of the work that the standard requires, including:

  • Managing the encryption process at the point of transaction (the first "point" in "point-to-point encryption"), including secure key injection into the devices
  • Maintaining the application security of the software running on the encryption devices
  • Providing the P2PE Instruction Manual (PIM) and supporting the merchant in installing, inventorying and inspecting devices as it requires
  • Operating the decryption environment (the second "point"), including its hardware security modules, to the standard's cryptographic requirements
  • Managing the cryptographic key operations that perform encryption and decryption

You can visit the PCI Security Standards Council website for a list of P2PE encryption solutions and providers.


Disclosures

Deposit products offered by U.S. Bank National Association. Products and services may be subject to credit approval. Eligibility requirements, restrictions and fees may apply. Member FDIC.