A number of recent high-profile security breaches have highlighted the importance of enhanced data security for merchants. In response, companies of all sizes have taken steps to strengthen their infrastructure security, or “harden” their systems, servers, and databases, in order to protect sensitive data that resides “at rest” within their environment.
Sophisticated criminals have been steadily moving away from attacking companies’ systems and servers directly, shifting instead to the interception and harvesting of data in transit, which is often unencrypted.
While Tokenization protects sensitive data “at rest”, End-to-End Encryption is a fraud and risk reduction solution designed specifically to safeguard data that is “in transit”. Securing customer payment card data is essential, and for many businesses payment card data security and compliance remain key challenges. Global Payments’ GlobalShield End-To-End Encryption solution offers an added layer of security for cardholder data. Once encrypted at the PIN Pad, card data travels securely and cannot be decrypted until it reaches the secure decryption environment at the Host.
Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a “token”. De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value. Depending on the particular implementation of a tokenization solution, tokens used within merchant systems and applications may not need the same level of security protection associated with the use of PAN. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.
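The following is an added example (not GlobalShield’s or the PCI Council’s code) of the tokenization and de-tokenization process described above, written as a small in-memory token vault. The design choices are assumptions for illustration: the token keeps the PAN’s length and last four digits so receipts and reports still work, every other digit comes from a CSPRNG so nothing about the PAN can be recovered from the token alone, and a token is deliberately generated so that it fails the Luhn check and therefore cannot be mistaken for, or replayed as, a real PAN. The PAN values used are constructed test numbers.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Return True if `number` (digits only) passes the Luhn mod-10 check.

    Real PANs carry a Luhn check digit; the vault below uses this to make
    sure a token never looks like a well-formed PAN.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault (illustration only, not a vendor API).

    The vault is the only component that holds the PAN; merchant systems
    keep just the token. Assumed properties:
      * same PAN -> same token (multi-use token), tokens unique in the vault;
      * token = random digits + the PAN's last four, same length as the PAN;
      * token never passes Luhn, so it is not usable as a card number.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    @staticmethod
    def _candidate(pan: str) -> str:
        # Everything except the last four digits is drawn from a CSPRNG, so the
        # surrogate carries no information about the account number.
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return body + pan[-4:]

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a surrogate token, creating one on first use."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = self._candidate(pan)
            # Reject candidates that collide with an existing token or that
            # would pass Luhn (and so could be confused with a real PAN).
            if token in self._token_to_pan or luhn_valid(token):
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Redeem a token for its PAN; only the vault can do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"          # constructed test PAN
    token = vault.tokenize(pan)
    print("PAN  :", pan)
    print("token:", token, "(Luhn valid:", luhn_valid(token), ")")
    print("back :", vault.detokenize(token))
```

Note what makes the token safe in this design: the mapping exists only inside the vault, and the token is random rather than derived from the PAN. A deterministic surrogate computed from the PAN alone (for example an unkeyed hash) would not meet the “infeasible to determine the original PAN” principle, because the account-number space behind a known BIN is small enough to enumerate.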
The following are key principles relating to the use of tokenization and its relationship to PCI DSS:
- Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.
- Verifying the effectiveness of a tokenization implementation is necessary and includes confirming that PAN is not retrievable from any system component removed from the scope of PCI DSS. (Scoping SIG, Tokenization Taskforce PCI Security Standards Council August 2011).
Enhanced transactional security:
- The GlobalShield E2EE solution encrypts sensitive data at the point of sale and keeps it encrypted end to end, thereby increasing the security of the merchant’s transactions.
- Simplified PCI compliance: by securing cardholder data through E2EE, merchants may simplify the validation, and reduce the cost, of PCI DSS compliance.
Without E2EE: Sensitive card data, such as the PAN and expiry date, is sent in the clear between the PIN pad, the PoS and the host. This leaves the data vulnerable to interception and compromise.
With E2EE: Sensitive card data is encrypted at the PIN pad and remains encrypted while in transit to the host. The host uses a private key to decrypt the data, then relays it outbound through the payment networks and to the issuers for authorization.
Key POS solution changes:
- Debit and credit processing will now be on a combined Term ID.
- New Term IDs will be required for all merchants who adopt E2EE.
- VARs and merchants will have a new URL route to our host to ensure transactions are directed to the correct E2EE connection on our host systems.
- 100% of all cards sent to the GP host must be encrypted. If they are not, the transaction will be rejected at our E2EE servers.
- Merchants will need to define which cards are not sent to GP for processing, so that we can create a BIN exclusion file that ensures those gift and loyalty cards are not encrypted.
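An added example (not Global Payments’ code) of the two decisions the last two items describe: the PIN pad consults a BIN exclusion list to decide whether a card must be encrypted, and the host refuses any card that arrives unencrypted unless its BIN is on that list. The exclusion file format is an assumption made for this example (one entry per line, either a BIN prefix or a prefix range, with `#` comments); the entries and PANs below are constructed.

```python
from typing import List, Tuple

# Constructed exclusion file in the assumed format (not a real BIN list).
EXCLUSION_FILE = """
# private-label gift card prefix
603571
# loyalty card range, matched against the first 10 digits of the PAN
7890120000-7890129999
"""

Rule = Tuple[str, str]  # (low, high) prefixes of equal length


def load_exclusions(text: str) -> List[Rule]:
    """Parse the assumed exclusion-file format into (low, high) prefix rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        low, _, high = line.partition("-")
        high = high or low                     # a single prefix is a 1-entry range
        if not (low.isdigit() and high.isdigit() and len(low) == len(high) and low <= high):
            raise ValueError("bad exclusion entry: %r" % raw)
        rules.append((low, high))
    return rules


def is_excluded(pan: str, rules: List[Rule]) -> bool:
    """True if the PAN's leading digits fall inside any exclusion rule."""
    for low, high in rules:
        if len(pan) < len(low):
            continue
        prefix = pan[: len(low)]
        # Equal-length digit strings compare correctly as strings.
        if low <= prefix <= high:
            return True
    return False


def pad_should_encrypt(pan: str, rules: List[Rule]) -> bool:
    """PIN-pad side: encrypt everything except cards on the exclusion list."""
    return not is_excluded(pan, rules)


def host_accepts(message: dict, rules: List[Rule]) -> bool:
    """Host side: an unencrypted PAN is only tolerated if its BIN is excluded.

    `message` is a constructed stand-in for a transaction record with an
    `encrypted` flag and, when sent in the clear, the visible `pan`.
    """
    if message.get("encrypted"):
        return True
    return is_excluded(message["pan"], rules)


if __name__ == "__main__":
    rules = load_exclusions(EXCLUSION_FILE)
    for pan in ("4111111111111111", "6035710012345678", "7890125555000011"):
        print(pan, "encrypt at pad:", pad_should_encrypt(pan, rules))
```

The important check is on the host: the exclusion list is applied there as well, so a terminal that sends a branded card in the clear is rejected rather than silently processed, which is what makes the “100% encrypted” requirement enforceable rather than advisory.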
Features and Benefits:
The following highlights the key features and corresponding merchant benefits of the GlobalShield End-to-End Encryption solution:
Cost: At the time of launch, the E2EE authorization fee for the GlobalShield E2EE solution is 5 cents per transaction.
GlobalShield E2EE is suitable for merchants who would like to:
- Enhance the level of security for transactional traffic within their environment
- Reduce their PCI DSS scope and simplify compliance validation
At this time, the GlobalShield E2EE solution is available to merchants using an E2EE-certified integrated solution, on the Ingenico iPP320 PIN pad and on the North Host Platform.