The following is a transcript of the podcast episode with Ruston Miles of Bluefin Payment Systems and Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com. During the episode, they cover topics such as:
- What Is the Difference Between PCI-Certified and Non-Certified Encryption?
- How Point-to-point Encryption Fits Into Various Industries
- Why It Is Important for Small Business to Adopt P2P Encryption
- What Are Some of the Security Regulation Differences Between the US and Europe
- How Important Will Security Education Be
- Mobile Point-To-Point Encryption
What Is the Difference Between PCI-Certified and Non-Certified Encryption?
Ruston Miles of Bluefin Payment Systems
I get that question a lot. For purposes of my definition, folks might hear “PCI-certified,” they might hear “PCI-approved,” and they might hear “PCI-validated” point-to-point encryption. These terms all refer to the same thing. This has to do with the fact that the PCI Security Standards Council has created the standard for encryption, particularly device-based encryption. That standard has been around for quite a few years now. Certified encryption is encryption that has met or exceeded the level of protection of all the different points; it could be more than 1,000 requirements by the time you add in the required baseline DSS — that’s the underlying environment — and then all the controls that have to do with the encryption itself. Over 1,000 requirements. So these are the ones that have met that standard for encryption.
What are some of the differences when we look at anything that’s non-certified? It basically means that no one has looked at it. There’s no independent third party, no auditor, no assessor, no other company that has reviewed, “Does this encryption product meet some sort of minimum viable product or baseline of standards such that when a company is considering looking at that encryption product, they can have some level of confidence to know that the vendor claims and the salesperson gymnastics that are surrounding the marketing of that encryption product are actually something that they can rely on, they can believe?” This thing gives them criteria against which to compare other encryption products in the market. Now, some folks just look at a big-name processor or provider and say, “Okay. Well, they’re big enough. I can trust what they provide.” The question to ask themselves is, “Well then, why hasn’t that vendor gone through and gotten that product audited if it’s all that great?” Oftentimes I can tell you the vendors have tried and the products have fallen short, but there are some definite differences as to the value proposition that come out of that.
I’ll get just a little bit technical and we’ll talk a bit of value proposition. The technical differences between certified and uncertified, the ones that we constantly see out there in the marketplace, are (1) that the devices — the credit card terminal or machine that’s accepting the transaction — most of the time do not have a technology called SRED, or secure reading and exchange of data, and they do not have tamper awareness with a lifetime battery. These are really important. What this means is that when you unplug the device from power, it stays alive. It stays self-aware for a lifetime. So you can imagine you unplug this device. You put it in the back closet of your business, and it sits there for six years. Somebody at that time steals it, goes away, tries to break it open and put software or hardware in it and sneak it back into your closet or put it back onto your countertop and somehow start to compromise data. Well, if the device is part of the P2PE Program with PCI, that device will have recognized that, even though it has no power provided to it externally, it will have erased its keys, and the next time it’s plugged in, it will go ahead and phone home and say, “We need to quarantine this device and notify all those involved that there’s been some sort of security compromise on the device.” This is a really important sort of holistic thing that even goes outside of the encryption. A lot of the requirements in fact with PCI’s program actually do go outside of the encryption. Encryption is the easiest part of a point-to-point encryption program because it’s the math and etcetera that surrounds that, and that’s all well known.
The more important part is the protection of the keys and the protection of the device. If you had the world’s strongest safe with the thickest walls and the hardest combination or lock to crack open, but you had the key sitting on a chair right next to it, it wouldn’t matter how strong that safe is. The bad guy would just take the key and open the safe. It’s the same thing with point-to-point encryption. It doesn’t matter how great your encryption is: If the keys are compromised, then the bad guys can just unlock anything that you’ve encrypted, and we’ve seen that — not going to call anyone out, but in the latter part of 2018 we have seen that. And even going back into 2017, we have seen that some of the major breaches actually did employ encryption, but it wasn’t PCI-certified encryption, and the bad guys were able to get to the keys. Or in some cases certain parts of the program were where the bad guys were able to get into the devices and change the hardware and just change the settings to deconfigure or unconfigure the encryption settings that were in there.
That’s some of the technical differences. When we go over to the value proposition differences, one of the main reasons why we’ve seen literally hundreds and thousands of merchants getting into this PCI-certified encryption or making it an absolute requirement of their RFP, the request for proposal — we see that all the time where it says, “Is it validated, and if it’s not validated, when will it be validated? Any of the people who respond to this RFP must be certified.” One of the main reasons is twofold. Number one is compliance. And then also simplification of their programs and security.
So I’d say from a compliance perspective what we see is that if you’re a merchant that is doing a report on compliance, what we call a ROC, from the PCI or SAQ, which is the self-assessment questionnaire, you can take as many as 300 of the security controls, also known as requirements, out of the equation as many have if you implement this kind of technology. So that’s a 90% reduction of the moving parts of your compliance program, which massively simplifies your program, allows you to focus on other parts of the program and make it much more manageable. And of course any time that happens, it’s going to make it less costly in terms of human costs and also real costs for things like that. It’s a massive night-and-day difference, up to 90% reduction. So that’s driving a lot of the demand.
But then also on the security side, folks are wanting to implement encryption that they can count on. If you look back over the last couple years, as I said, there have been breaches and compromises where encryption was in place but it wasn’t PCI certified. And so that is driving a lot of merchants to say, “Gosh, we’ve got to have some sort of confidence in the technology that is supposed to be securing us.”
How Point-to-point Encryption Fits Into Various Industries
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
Any time that we talk about security or encryption, my mind goes to that common phrase that a chain is only as strong as its weakest link. I think you put out some really great points there. Now if I could, I’d like to go to a certain section of what you were talking about, the point-to-point encryption. Could you break down a little bit more for us how point-to-point encryption fits into various industries?
Ruston Miles of Bluefin Payment Systems
Sure, and I want to be clear for the audience here that point-to-point encryption is just what the PCI Security Standards Council calls its version of certified end-to-end encryption. Some folks, especially the technical and the networking community, get “point-to-point encryption” confused with peer-to-peer encryption or some sorts of encryption that have to do with the tunnels etc., point-to-point tunneling protocols between two different routers and firewalls and those sorts of things. But that’s not what this is. Point-to-point encryption is simply what PCI calls its certified end-to-end encryption.
So really, end-to-end encryption has been here for quite some time. When I founded Bluefin back in 2002, it wasn’t a couple of years before we were actually implementing end-to-end encryption in various industries. So it has been around for a real long time. What has not been around for a real long time is any sort of standard surrounding that: How should you do it? What are the best practices? What are the requirements? What things should you not do? Should keys live in databases? Or should keys only live in HSMs and hardware modules where bad guys can’t get into them? And so it’s been around for a while, and it’s been used in lots of industries. It fits into every industry that one can think of. The only channel that it’s not as relevant for is e-commerce, because one of the things that end-to-end encryption or PCI’s point-to-point encryption presupposes is that for the merchants themselves, the retailer, it’s their device. They’re the owners of the device into which the transactions are being keyed, swiped, dipped, typed, etcetera, or tapped. With e-commerce, or as they call it, remote commerce, it’s the consumer’s own keyboard at home that is entering the card data. So, point-to-point encryption at this time is not relevant for that particular channel, but for all other channels, meaning any other retail, including NFC for tap or contactless, all these different ways, point-to-point encryption exists and is in use.
How does it fit? I’d say there are obvious use cases. When we look at a retailer and understand that when that card is slid through the magnetic stripe reader, there’s encryption going on in that magnetic head. If it’s an EMV chip card, right there at the ICCR, the integrated chip card reader, where it’s touching in there, it’s being encrypted in hardware right there. And some folks who might say, “Well, why do we need encryption for EMV?” might be surprised to know, but if we pulled out an EMV reader and we dipped a card into it and I showed you on a scope what came out of the other end of the wire that goes into the workstation or over your network, it’s not encrypted and the full 16-digit card number is in clear text for all to see. That surprises a lot of folks because they think that somehow the chip is supposed to be encrypting something there. But in fact that’s not why the chip is there. The chip is there to say that that plastic card is not counterfeit. That’s all it does. So very much so encryption is important, point-to-point encryption is important in conjunction with the EMV to provide data security on the EMV data that’s passing through. Then we go over into tap, which we see a lot maybe in transit especially. I was over in London speaking at the PCI Security Standards Council community meeting a couple months ago, and there’s a lot of tap going on at the turnstiles for Transport for London and other places like this. So that’s certainly it. So all the different industries can come across that, but I’d say there is one that is interesting.
I’d say it’s new, and it represents greenfield, if you will, for a lot of folks, any of your listeners who are in the industry of selling payment products: card-not-present. Folks often say, “Oh. Well, point-to-point encryption does not handle card-not-present, Ruston, and you just said the keyboard and whatnot can’t be protected.” But if it’s a merchant’s own environment, let’s say a contact center, a call center, a back office where someone’s keying in data through a PC workstation or laptop or Apple or whatever into some sort of application. Gosh! There can be all sorts of bad things like keyloggers, malware, RAM scrapers, shared memory attacks, all sorts of things that can happen to grab the data as you key in this card data into the applications that these businesses use. Well, what’s come on over the last four or five years and, believe me, we are placing thousands and thousands of these every month, is encrypted key pads. There’s a USB key pad that looks like an accountant’s 10-key, something you might buy at Office Depot or Office Max. However, when you’re keying into that, it’s encrypting the data, and then wherever your cursor is, instead of putting the card number, it puts abc123, or what we in the business call ciphertext. So in this way, point-to-point encryption can be used at call centers and back offices in order to protect card-not-present environments like that. So we see that as definitely a growing area. And in fact, we see very large organizations sometimes implementing that first because it may be more costly to replace devices that are already in the field and being used and that impact operations, and so they’ll go and fix the back office in the context. And believe me, some of these folks have thousands of contact center agents working phones or working the mail. And so that’s certainly an area where it might not be readily understood.
And then finally what we’re seeing is for example for airlines. There are certain ways that folks use cards that have nothing to do with payments. Maybe you’re sliding your card in order to check in. So it provides some sort of identity. Well that needs to be encrypted too. What we’re seeing is any time a card is touched or the information on a card is used by a business, there is a use case and also there is an answer for encryption and specifically point-to-point encryption.
Why It Is Important for Small Business to Adopt P2P Encryption
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
I think it’s extremely interesting. When we’re talking about security, I always wonder: How would a fraudster think about this, and how would they attack this? So my next question takes a look at P2P encryption. Is it that the mindset of fraudsters particularly is, “I’m lazy, so I want the biggest bang for my buck, and so I’m going to go after large institutions”? But maybe, as you said, those larger institutions have implemented more of these security measures because they have the resources to be able to do it. So if fraudsters are thinking in terms of volume and going after the larger players, why would it then be particularly important for small businesses to adopt the P2P encryption?
Ruston Miles of Bluefin Payment Systems
Great question, and I’m going to answer in two parts. Right now, we only think as an industry, and you’re absolutely right: If you look at the statistics, as an industry, as a payments industry, we only think that the bad guys only care about and are going after the large businesses. But actually those are only the ones that we know about. Remember, hackers don’t come and check in and say, “Hey guys, we’re going after only this.” We only find that out because it’s those big, giant breaches that make the news that can be found, because a lot of bad things happen all at once. In fact, hackers are in the business of not getting caught. So anytime we learn that so-and-so company, a huge company, was just breached, that means the hacker did something wrong.
The attack vector and the whole approach to hacking and breaches has changed over the last decade. It used to be they wanted to go crack into some big business to get a giant database of cards. Now that just happened recently with a large hotelier, but that kind of thing is not the norm. The 1,600–1,700 breaches that happened last year were not all instances of companies losing giant databases of cards. What’s been happening since the very first Target breach, if you go back to 2013, has been this whole move toward malware. What that means is the bad guys get this malware into systems by using a variety of things like spear phishing, phishing, and other sorts of hacks. They get this malware in there, and it silently sits there and listens transaction by transaction by transaction, getting this data and then sending it out of the system. So that’s the way that the hackers have been doing all these breaches, these thousands of breaches, every year. And so what happens is that finally somehow enough of that gets put into a pile somewhere that they finally get caught.
But what’s really happening on top of that — that is really just the tip of the iceberg. When you look at statistics, you’ve got to look at the sample, asking what’s our group that we’re basing these statistics on? Small merchants often are left out of those discussions because their breaches go unreported and widely unknown. If a hacker gets malware into a small business and they’re able to steal a hundred cards this month, who’s going to know about that? The small merchant doesn’t have a security professional monitoring the network to say, “I found data exfiltrating the system.” They’re not big enough for any large bank or card brand to say, “We’ve done a common point of purchase here, where all these millions of cards have been going on to the dark web and these all have been cross-referenced and we’ve figured out it’s ABC large corporation or retailer.” That’s not going to happen for a small merchant. So that’s why these hackers do in fact like small merchants. What they do is they don’t typically go in and just target a single small merchant. To your point, they take the lazy but highly effective approach to hack the application that a small business might be using and then say, “Okay, give me the 10,000 small merchants out there that are using XYZ version of this particular application because they haven’t updated to the new security patch or whatever it is, and then we’ll automate a hack that goes out that gets into the system.” And then the hacker wakes up in the morning, they’re sitting there eating their cereal, the hacker is, and says, “Okay. Here’s all the different credit cards to come in from all these businesses all over the world.” And then they go and sell them on the dark web. So the threat is real there.
It’s important now getting small businesses to take that seriously and understand that that is a risk. Oftentimes a small business thinks that the greatest risk that they face is going out of business for not selling enough hot dogs and hamburgers. They might not feel that their largest risk is a breach. And their brand might not be a world presence where they might feel that a breach would impact them or that anybody would know and not come by and buy another sandwich from them. So the threat is real, but the perceived threat might not be as much. But I want to talk about it from a compliance perspective because this is where, along with Dan from Coalfire, I put together a panel from both the U.S. and Europe at the PCI Community meeting, and one of the things that we could talk about was small business compliance. When we look at the PCI Security Standards, there are 335 of them that businesses have to manage 365 days a year. We know that these small businesses are not security professionals. So they might not even be qualified to answer some of these questions. And certainly if they do, they may answer them wrong. Or they may not answer them at all. However, while they bear the compliance burden, with point-to-point encryption all of those 300 or more requirements go out the window for them and for their small environment. To be clear: As many as 300 requirements cannot be relevant for their environments if they use point-to-point encryption.
So what this does is it simplifies their compliance program to a level that they can actually access it, attain it, and be compliant with it. And so we’re seeing a lot of processors start to think this way and say, “Look, there’s the do-it-yourself approach.” There’s the “Hey, go figure out, Home Depot, go figure out how to build your own thing.” Or there’s the don’t-do-it-yourself approach, the “Hey, buy this product or solution, small merchants, and if you buy this then you don’t have to do that.” And we have seen some providers starting to say, we’re not even going to let small merchants make that decision. We’re just going to require that they use a certified, validated version of our solution if they want to be in compliance at all, because what small merchant is going to get it right? Even if a small merchant, a very small one, does buy that firewall and configure it correctly on day 1, what about day 3,000, 9 or 10 years into the situation? Or even a year: What about day 300? Are they really keeping up with everything that they need to do to secure all of the particular parts of their environment? So to wrap it up, the whole do-it-yourself approach for small businesses, we’re learning of course over the last decade, it’s not working out for them. And so we’re starting to see folks just say, “Look. Don’t do it yourself. Buy a solution that takes care of this for you.”
What Are Some of the Security Regulation Differences Between the US and Europe
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
A surprise to no one here is that there are major differences between the payment security rules, regulations, and the way that the U.S. and Europe essentially view security in general here. So I was wondering if you could take a deeper dive into what some of those differences are between the U.S. and Europe.
Ruston Miles of Bluefin Payment Systems
Sure. We’ve all heard about GDPR, the EU’s General Data Protection Regulation one way or the other. This is the privacy regulation. Of course, anything that deals with privacy should necessarily be impacted by security because the lack of security creates a privacy issue when that data is compromised.
So it’s going to have an overall effect, and I feel the effect is going to be to move forward technologies. Of course, I am a big evangelist for this, but technologies like encryption and point-to-point encryption, because there are two approaches to security: You can defend the data. That’s sort of the 335 security controls where you’re trying to do all these things to play cat-and-mouse and keep the bad guys out. And then when they get in, you lose and they win. So that’s the “Defend the data” approach. Or there’s the “Devalue the data” approach, which says, “Look. Let’s go ahead and encrypt, or tokenize, or both, all this data so if the hacker does get in, while the breach may have happened, they can’t compromise the data.” A big difference, key difference, is a breach happens, but data compromise doesn’t happen. This is a major difference, especially as it pertains to privacy regulations like GDPR and these other things, because what we’re saying here is, “No, there was no privacy breach here. Excuse me, privacy compromise.” So big difference and the big impact.
We’re seeing encryption happening in Europe. Europe actually was ahead of North America in terms of point-to-point encryption. Back in 2014, Bluefin was the first certified provider in North America, but there were three others prior to us across Europe. One of the things I really like that’s going on in Europe and has for the last few years that’s really helped us with our business development efforts is that Visa actually requires for any mPOS (mobile point-of-sale) device and new implementations that they have to be PCI certified. They’re required to be. And so that’s the big difference. There’s no option there. Big or small, if you’re going to offer this, and we all know that that’s where the market is going. Retailers everywhere, all over the world, are moving and extending their reach to merchants with line busting or even just putting mobile point-of-sale devices at the checkout. But all these different ways — think about in airplanes, and think about car rental situations where folks go out to your car. So this is an important new growth and they are saying mPOS has to be PCI certified because it’s virtually impossible or very difficult to secure and keep up with security on mPOS environments.
So I do like that requirement for certain areas of risk. I would hope to see something like that here in the U.S. at some point, but there are some of the differences in payment security. I’d say that the Europeans are ahead of us in those terms. Of course, as we all know with the EMV chip for counterfeit card prevention, we all know that they were there several years before the liability shift happened over here. And also in Europe, it wasn’t a liability shift. It was a mandate; they had to implement EMV. So what that also did was that it meant that all those devices that accepted cards had to be upgraded. And they were all upgraded to newer versions that did support point-to-point encryption, which means that these providers didn’t have to go out and buy new devices in order to enable the point-to-point encryption. The same thing has happened here. The liability shift has caused many merchants to upgrade the credit card devices that they receive credit cards on, and many of those, maybe most of those, are capable of performing this point-to-point encryption. In many cases the merchant just doesn’t know to turn it on, and I think that’s where education, awareness, and business development come into play.
How Important Will Security Education Be
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
I’m glad that you brought up the word “education.” Before we wrap things up here, when you take a look at payment security in the next 5–10 years, what do you think is next and do you think that education is going to play an extremely important role in that?
Ruston Miles of Bluefin Payment Systems
As I pointed out a couple times, I’ve just come back from the PCI Council meetings. We are not going to see a major revision change this year to point-to-point encryption, and even the changes that will be coming in the coming year are not going to be changes to the technology. It’s going to be changes to the program to streamline and make the program even easier to access. But the technology is state-of-the-art security, so the problem we have right now is not trying to find better ways to secure it. It’s actually getting the technology, point-to-point encryption, to be used more by merchants. And so that’s awareness, education, maybe compliance, program reductions, different ways, different benefits and carrots in order to have merchants participate in that. And at some point I would imagine there will be some sticks driving merchants.
I think the next big thing in security will be how we can put a program around contactless. Everybody’s got a lot of chip cards. I’m sure everyone’s sitting on at least one or maybe two or has them in their purse right now. So I think that what we’re going to see is that in a lot of the cards that we have right now, the chips do not have the contactless feature in the card, and we are going to see major banks start issuing, probably in 2019 and definitely into 2020, cards that have those. Merchants are going to be enabling the contactless feature. How do we secure that? The Council is going to be coming out with standards around contactless, a security standard around that. So I think that is where we’ll see the next big shift.
As I said, point-to-point encryption already can assist with contactless by an NFC, or Near Field Communication, radio inside these devices that receives that tap when you tap the card against it. And that can already be encrypted today. What we’re going to start seeing, though, is standards around contactless as that becomes the preferred mode of interaction, and of course it will speed up that card data interaction between merchants and consumers.
Mobile Point-To-Point Encryption
Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com
That brings up then one more question. You were talking about contactless, and I know particularly in the U.S., mobile payments adoption has been a little sluggish, but it is slowly starting to pick up here. But what about mobile point-to-point encryption?
Ruston Miles of Bluefin Payment Systems
It’s already a requirement for mPOS in Europe. When we say mPOS, the distinction is that this is a merchant’s device that they’re holding that is receiving the payment in some way. When we talk about Apple Pay, that’s a consumer-held device. We’re going to start to see that point-to-point encryption already provides benefit around that, but for some merchants point-to-point encryption is not a requirement right now. It’s definitely something that we see merchants using in order to remove 300 of the requirements for PCI compliance. But it’s not a “you must do this.” Only for mPOS and only in Europe is it an absolute requirement that you must do it. So the contactless standard will come out and will delineate the things that you have to do then in the U.S. if you don’t use point-to-point encryption. I think this provides yet another carrot for folks to say, “Well, we don’t want to have to do all those things. So let’s go ahead and just encrypt the stuff, which is what we should have done in the first place.” That’s my prediction. The standard has not come along yet, and it’s something that I know my company Bluefin, we are what’s called a participating organization with the PCI Council, and so we are involved along with many, many other companies, hundreds of other companies, in creating and editing a version of and providing input on these standards, showing, “This is what’s happening on the front lines for us. Here’s what would make this easier. Here’s what would make this more secure.” So providing that input is something that I encourage any of your listeners to participate in.