Securing Embedded Payments: The Role of Encryption and Tokenization
Data breaches, data compromises, identity theft, hacked accounts. It's not a matter of whether consumers or businesses will be targeted, but a matter of when.
According to IBM’s 2022 Cost of a Data Breach Report, the share of breaches involving ransomware grew 41% from 2021 to 2022, and the average cost of a breach in the U.S. ($9.44M) was more than double the global average ($4.35M).
Ensuring that financial and sensitive information is protected from hackers is the responsibility of every party that receives, transmits and stores data – including the merchant, payment gateway, financial institution and third-party vendors.
In the ongoing fight to protect payment and sensitive data, two technologies – encryption and tokenization – have emerged as integral to a holistic security strategy. Each can serve a specific purpose based on acceptance channel or can serve multiple purposes depending on business use case and implementation.
But choosing the best security solution for your business – particularly in embedded payments – isn’t always easy. Today we boil down the mechanisms and uses of encryption and tokenization and considerations when choosing a solution for your business.
Defining payment data and sensitive data
“Data breach” became a household term in 2013, when cybercriminals stole 40 million credit and debit card records and 70 million customer records from Target. This watershed breach was soon followed by a series of other attacks against major brands, including Home Depot, Michael’s, Neiman Marcus, Sally Beauty, PF Chang’s and more.
Retail and hospitality were prime targets because the initial focus was payment card data, which could be quickly sold on the Dark Web. But as breaches became more commonplace and attack techniques evolved, hackers realized the enormous market for consumer data, including addresses, emails and social security numbers, and widened their targets to include healthcare, higher education, insurance and more.
Today’s fraudsters target everything and anything. Essentially, any piece of consumer information gained from a hack can be monetized. Payment data and sensitive data can encompass the following:
- Credit / debit card and ACH account data – Card numbers (PANs), expiration dates and CVVs, or ACH data such as routing and account numbers. Depending on what is transmitted in a transaction, this can also include Personally Identifiable Information (PII), such as the cardholder name and billing address.
- Personally Identifiable Information (PII) – First and last name, home address, birthdate, social security number, driver’s license number, email address and more. Some of this is discoverable with a web search; the rest is private to the consumer, and in combination it is enough to commit identity theft.
- Protected Health Information (PHI) – Medical records, health conditions, prescriptions, appointments, clinical trial participation, insurance numbers. Depending on the system breached, PHI records can also carry debit / credit card data and PII.
Security solution: encryption
Encryption stretches all the way back to about 1900 BC, the date of the earliest known evidence of cryptography, the discipline underlying encryption, found carved in an Egyptian tomb.
At its core, the goal of all encryption is to scramble data so that its original content – whether letters or numbers – cannot be read by anyone who intercepts it. The only way to “unscramble” the data is with the decryption key, held by one of the parties in the payment or data acceptance and transmission process. That makes the key the crown jewel: if it is exposed, the protection is gone, so where the key is generated, stored and used matters as much as the algorithm.
In payment processing, encryption is most often used for card-present transactions to secure payment data upon dip, tap or key entry in a payment terminal. There are two primary types of payment encryption offered for card-present transactions:
- PCI-validated point-to-point encryption (P2PE). The Payment Card Industry (PCI) Security Standards Council (SSC) published the P2PE standard in 2011 to provide a uniform method and process for payment terminal encryption. P2PE requires that card data be encrypted by a PCI-approved (PTS) terminal immediately upon entry and remain encrypted until it reaches the solution provider’s secure decryption environment, where decryption happens inside hardware security modules (HSMs). The merchant’s systems never hold the decryption keys, which is what removes them from most of the PCI DSS scope.
To provide P2PE, payment gateways, payment processors and other third-party vendors must have their solution assessed by a P2PE assessor and listed by the PCI SSC, and P2PE is considered by many to be the gold standard of point-of-sale (POS) payment encryption. P2PE brings numerous benefits, including cost savings on PCI compliance, reduced technical overhead and far fewer questions to answer in the annual self-assessment questionnaire (the dedicated SAQ P2PE instead of the full SAQ D).
- End-to-end encryption (E2EE). Solutions that have not achieved PCI validation are typically referred to as end-to-end encryption, or E2EE solutions. These solutions encrypt payment data, but they have not been validated by the PCI SSC as adhering to the strict encryption, decryption and payment terminal chain-of-custody requirements of listed solutions. Because the solution is not listed, any reduction in the merchant’s PCI DSS scope is at the discretion of the merchant’s acquirer rather than automatic. Non-validated encryption is typically included with most gateway and processor setups, whereas P2PE solutions can only be obtained through validated providers.
|Tip: Make sure when you are looking at a new processor or gateway that you ask about their encryption solution, how it works and whether it is PCI-validated. You can learn more about P2PE in the PCI DSS Guide.|
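The point of both P2PE and E2EE is that the merchant’s own systems handle only ciphertext. The following Go program, added here as an illustration and not code from Payfactory, the PCI SSC or any listed solution, models that flow: a terminal encrypts card data with AES-256-GCM, a merchant integration forwards the opaque envelope, and the processor’s decryption environment recovers the plaintext and rejects anything altered or mis-attributed in transit. Real P2PE terminals use per-transaction keys (DUKPT) managed inside approved hardware; the single key, the `Envelope` structure, the terminal ID and the card string below are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is what leaves the terminal: ciphertext plus the context the
// decryption environment must check. Field names are constructed for this example.
type Envelope struct {
	TerminalID string
	Seq        uint32 // per-transaction counter, so each envelope has unique context
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// aad binds the ciphertext to its terminal and counter; an envelope replayed
// under another terminal's identity fails authentication.
func aad(terminalID string, seq uint32) []byte {
	return []byte(fmt.Sprintf("%s:%d", terminalID, seq))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt runs where the card is dipped, tapped or keyed. Only the
// terminal and the decryption environment ever hold key.
func terminalEncrypt(key []byte, terminalID string, seq uint32, cardData string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(cardData), aad(terminalID, seq))
	return Envelope{TerminalID: terminalID, Seq: seq, Nonce: nonce, Ciphertext: ct}, nil
}

// merchantForward models the merchant's POS or gateway integration: it routes
// the envelope but, holding no key, can only ever observe ciphertext.
func merchantForward(env Envelope) string {
	return hex.EncodeToString(env.Ciphertext)
}

// processorDecrypt runs inside the solution provider's decryption environment
// (in production the key never leaves an HSM).
func processorDecrypt(key []byte, env Envelope) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad(env.TerminalID, env.Seq))
	if err != nil {
		return "", errors.New("authentication failed: wrong key, altered payload or wrong terminal context")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; injected into the terminal out of band in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed test PAN and expiry in a track-like layout; not real card data.
	env, err := terminalEncrypt(key, "T-0001", 7, "4111111111111111=2612")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:     ", merchantForward(env))
	pt, err := processorDecrypt(key, env)
	fmt.Println("processor recovers:", pt, err)
	env.Ciphertext[0] ^= 0x01 // a single bit flipped in transit
	_, err = processorDecrypt(key, env)
	fmt.Println("after tampering:   ", err)
}
```

The authenticated data (terminal ID and counter) is why a captured envelope cannot simply be re-submitted under a different terminal: GCM rejects it even though the ciphertext is untouched.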
Security solution: tokenization
Much like encryption, the goal of tokenization is to make data unrecognizable. So, what’s the difference? Encryption transforms the data with a key, and anyone who obtains that key can reverse it. Tokenization replaces payment or sensitive data with a surrogate value – a token made up of letters, numbers and symbols – that has no usable relationship to the original outside the tokenization system. A stolen token reveals nothing, and only the token service can resolve it back to the real data. The same approach can represent any type of payment or sensitive data.
Tokenization is applicable to numerous types of transactions but is most often used for data that needs to be “at rest” or stored. For example, when a consumer agrees to keep a payment card on file, the merchant should hold only the token, which it can submit for repeat charges; the real card details live with the processor or gateway and are never stored by the merchant “in the clear.”
Encryption and tokenization are considered the 1 – 2 punch in payment security (encryption for payment data in motion and tokenization for payment data at rest).
And like encryption, there are different types of tokenization to adapt to any business use case. Merchants can choose who tokenizes their data, whether their gateway or processor, a third-party token vendor or even Visa, Mastercard and American Express with their network tokenization service. It is also important to understand the tokenization technology, how it works and how it stores sensitive data and the corresponding tokens. There are two primary types of token storage:
- Vaulted tokenization stores the sensitive data and its corresponding tokens in a secure database, the vault. A vaulted token is a random surrogate with no mathematical relationship to the original value, so detokenization is a lookup against the vault. The vault itself is a high-value target that stays in PCI scope and must be hardened accordingly, and as it grows, lookup latency and replication overhead grow with it, which is what makes vaulted tokenization less efficient than its counterpart, vaultless tokenization.
- Vaultless tokenization keeps no database or token mapping table. Tokens are generated from the sensitive data using standards-based cryptographic algorithms, typically format-preserving encryption, executed inside secure cryptographic devices such as HSMs, and detokenization reverses the transform rather than looking it up. This removes the latency and removes the vault as a breach target, but it shifts the entire security of the scheme onto the key: whoever holds the tokenization key can detokenize every record, so key management inside the cryptographic device is the control that matters.
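The contrast between encryption and tokenization described above, and between the two token storage models, is easiest to see side by side. The Go program below is an added example, not code from Payfactory or any token vendor: the vaulted path issues a random 16-digit surrogate that preserves the last four digits and can only be resolved by lookup, while the vaultless path derives a reversible token from the PAN with a keyed Feistel network, so detokenizing requires nothing but the key. The Feistel construction is a constructed toy standing in for NIST FF1, the 16-digit restriction, the test PAN and the key are all assumptions of the example, and none of it is production tokenization.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strconv"
)

// Vault stands in for the token vault database, a hardened store that stays in PCI scope.
type Vault struct{ byToken map[string]string } // token -> PAN

func NewVault() *Vault { return &Vault{byToken: map[string]string{}} }

// randomDigits draws n unbiased decimal digits from crypto/rand.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + d.Int64())
	}
	return string(out), nil
}

// Tokenize (vaulted) returns a random 16-digit surrogate that keeps the PAN's last
// four digits for receipts and has no mathematical relationship to the rest of it.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) != 16 {
		return "", errors.New("example handles 16-digit PANs only")
	}
	for {
		head, err := randomDigits(12)
		if err != nil {
			return "", err
		}
		if tok := head + pan[12:]; v.byToken[tok] == "" { // retry on the rare collision
			v.byToken[tok] = pan
			return tok, nil
		}
	}
}

// Detokenize (vaulted) is a pure lookup: without the vault there is nothing to compute.
func (v *Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

const half = 1_000_000 // each Feistel half is a 6-digit number

// roundFn is the Feistel round function: HMAC-SHA256 over (tweak, round index,
// right half) reduced to six digits. A constructed toy, not NIST FF1.
func roundFn(key []byte, tweak string, i int, right uint64) uint64 {
	mac := hmac.New(sha256.New, key)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], right)
	mac.Write([]byte(tweak))
	mac.Write([]byte{byte(i)})
	mac.Write(buf[:])
	return binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % half
}

// Vaultless tokenizes (enc=true) or detokenizes (enc=false) a 16-digit value with an
// 8-round Feistel network over the leading 12 digits, keyed by key and tweaked with the
// preserved last four. No table is kept: the key alone recovers every PAN.
func Vaultless(key []byte, s string, enc bool) (string, error) {
	if len(s) != 16 {
		return "", errors.New("example handles 16-digit values only")
	}
	l, err1 := strconv.ParseUint(s[:6], 10, 64)
	r, err2 := strconv.ParseUint(s[6:12], 10, 64)
	if err1 != nil || err2 != nil {
		return "", errors.New("non-digit input")
	}
	if enc {
		for i := 0; i < 8; i++ {
			l, r = r, (l+roundFn(key, s[12:], i, r))%half
		}
	} else {
		for i := 7; i >= 0; i-- {
			l, r = (r+half-roundFn(key, s[12:], i, l))%half, l
		}
	}
	return fmt.Sprintf("%06d%06d", l, r) + s[12:], nil
}

func main() {
	pan := "4111111111111111" // constructed test PAN, not real card data
	v := NewVault()
	tok, _ := v.Tokenize(pan)
	back, _ := v.Detokenize(tok)
	fmt.Println("vaulted:  ", tok, "->", back)
	key := []byte("constructed-32-byte-example-key!") // would live in an HSM
	vt, _ := Vaultless(key, pan, true)
	vb, _ := Vaultless(key, vt, false)
	fmt.Println("vaultless:", vt, "->", vb)
}
```

Run it twice: the vaulted token changes on every run because it is random and only the vault can map it back, while the vaultless token is identical each time because it is a function of the PAN and the key, which is exactly why losing that key is equivalent to losing the whole dataset.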
Tokenization also extends beyond payment card data to sensitive consumer data. Thanks to regulations like the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR), more companies are turning to tokenization to mask PII and PHI entered into online forms or on websites.
|Tip: Tokenization should always be offered as part of any gateway or processing arrangement. It will be important to understand what kind of tokenization your partner is using and what kind of data you want to tokenize – just payment data or also PII? Learn more about tokenization from TechTarget.|
Payfactory puts security at the forefront
Payfactory’s CEO, Ruston Miles, has been a member of the PCI Security Standards Council Board of Advisors since 2019. He was at the forefront of developing North America’s first PCI-validated point-to-point encryption solution, introduced in 2014, and is a frequent speaker and expert panelist on encryption, tokenization and cybersecurity.
When he founded Payfactory in 2021, he knew that payment facilitation would drive the future of payments with a seamless implementation and go-live experience for software platforms and merchants – but that security could not be compromised for the sake of speed and flexibility.
That’s why he designed Payfactory’s payment facilitation platform to include tokenization, E2EE or P2PE – as well as customer authentication with 3D Secure (3DS) and additional fraud tools – as standard offerings through Payfactory and our partner gateways. Learn more about our platform or contact us to set up a consultation.