Payment cards as we know them – plastic rectangles with magnetic stripes – have been around since the 1970s. Every swipe you make with a credit or debit card is a salute to technology that is nearly a half-century old.
While the durability of this almost-ancient technology is impressive, the limitations of 20th-century equipment have become painfully obvious in today’s digital marketplace. Financial institutions and payment companies are pushing more advanced systems like EMV, point-to-point encryption (P2PE) and tokenization.
Restaurateurs need to know the differences between these systems, as well as the pros and cons of what they offer. The Restaurant Technology Guys are here to examine the systems that will protect your data in the future.
EMV is a transaction security standard for integrated circuit payment cards, point-of-sale (POS) terminals, and ATMs. EMV has introduced the use of “chip cards,” or credit cards with a built-in computer chip.
Originally created by Europay, MasterCard and Visa, the corporation that oversees EMV now includes American Express, Discover, JCB and China UnionPay. Unlike the magnetic stripe on traditional debit and credit cards, which contains unchanging information that can be accessed by counterfeiters, chip cards create a unique code for every transaction that cannot be duplicated or used again.
Unique transaction codes make EMV significantly more secure than credit cards with a magnetic strip. This security means that merchants have stronger protections against data security breaches, as well as a reduction in costs related to fraudulent card activity.
According to Mariners Business Solutions, EMV-capable terminals will provide more convenience by allowing wireless and mobile payments, increasing convenience, and decreasing checkout times. Incentives for converting to EMV terminals before the mandated date will also reduce expenses by offsetting conversion-related costs.
Converting to EMV comes with several downsides, of course. The first three, in order, are cost, cost, and cost.
As NerdWallet notes, merchants will have to purchase as many as 15 million new terminals and POS systems to accommodate the new cards, which may cost up to $7 billion in total. The same estimate considers the cost of replacing more than a billion credit and debit cards ($1.4 billion) and 350,000 ATMs that will need to be replaced ($500 million).
Outside of cost, creating all of those unique transaction codes will require a higher level of data transmission, which could slow down processing times and require additional updates. Finally, because EMV cards can be accessed wirelessly, privacy issues are an ongoing concern, even though the data will be encrypted.
Point-to-point encryption (P2PE) limits the exposure of credit card numbers and information by establishing a secure links between communicating devices, while preventing other devices from accessing the information while in transit.
These POS systems encrypt data at the card scanner touch point, before it is processed by a terminal.
This encryption protects your restaurant by taking it out of the seceurity loop completely, which discourages any would-be eavesdroppers or malware infections from reaching into your POS. Access to transactional information is impossible without access to the encryption key in P2PE.
In addition to the increased safety provided by this form of encryption, Search Security points out that P2PE reduces the scope of necessary security efforts at the merchant level. If the card scanner hardware is put in place, only the backend systems would be vulnerable to decryption, reducing the number of systems that require constant monitoring and compliance.
Like EMV, instituting point-to-point encryption on a wide scale has been slowed by cost. In addition to upgraded POS software and hardware, vendors may increase merchant transaction fees, as their assumption of risk increases under this security system.
Of course, an encrypted system is only as good as the key that unlocks it. If hackers or other miscreants are able to obtain decryption keys for a P2PE network, that network becomes wide open for foul play. Protecting sensitive information will only be possible if devices that are outside of the system cannot access these keys.
Like P2PE, tokenization is a form of encryption. Unlike P2PE, tokenization guards against access to sensitive information by substituting critical data points with unusable figures that can only be restored by the token holder. This method makes sensitive information much more difficult to reach as it passes between the POS system and the card provider.
Tokenization is supported by several high-level financial institutions. Apple has included it in their growing Apple Pay service, and Visa also uses a version of tokenization.
Restaurants and other establishments that use tokenization are less vulnerable to data breaches, according to Data Cap Systems, since they no longer have the valuable information that thieves are searching for. The transmitted information appears as random, valueless numbers without the decryption token.
This form of security has become more popular because it allows businesses, especially small businesses, to protect their customer’s information.
Investing in tokenization allows small businesses to reduce their own security needs since there is no value in targeting their POS system.
The drawbacks of tokenization are worth considering as well. Like the two systems discussed above, tokenization is a stronger form of security when compared to the current system of payment cards, but it is not foolproof.
As this form of encryption has proliferated among merchants, the tokenization systems and token holders themselves have become targets for criminals. Similar to P2PE, tokenization encryption only holds up if the decryption information remains safe from would-be fraudsters.
Finally, to continue a running theme of the “drawbacks” sections, implementing a tokenization system requires both hardware and software updates that will be cost-prohibitive for many restaurants and other companies. Installing these systems could lead to increased prices for customers as businesses try to offset the costs.