White Paper Payment Fraud Threatens Retail Business - Verifone


verifone.co.uk

White Paper

Payment fraud threatens retail business
P2PE helps you fight back

June 2017

Every day there are new ‘headlines’ relating to data breaches. Globally and locally, criminals are targeting organisations that store or transmit customers’ Personally Identifying Information (PII) and payment data.

A staggering 82% of financial institutions now say payment card fraud is the most common form of fraud [1]. In 2016, fraud losses on UK-issued cards alone totalled £618.0 million, an increase of 9% on 2015 [2]. That means that card fraud as a proportion of card purchases now equates to 8.3p for every £100 spent [1].

Criminals are targeting retail checkouts

Retailers are one of the most popular targets for cybercriminals, experiencing nearly three times as many attacks as elsewhere in the financial services sector [3]. In fact, loss of personal information from merchants more than doubled from 2014 to 2016 [4]. On top of that, 64% of retail data disclosure breaches were caused by point of sale (POS) intrusions [5].

‘Fraud losses of £618m on UK-issued cards alone’

The cost of fraud is high

The annual bill for UK retail crime soared to £613m last year, and up to 36% of this was retail cyber-crime [6].

While some incidents are isolated, many are symptoms of bigger underlying issues. If card fraud occurs, unless merchants can prove that they were fully Payment Card Industry Data Security Standard (PCI DSS) compliant, they can be held liable not just for the cost of the fraud but for other costs too, such as the cost of an investigation to determine how the fraud occurred and the remedial costs of becoming compliant. In addition, the introduction of the new EU General Data Protection Regulation (GDPR) in May 2018 will usher in non-compliance fines of €20 million or 4% of turnover (whichever is greater) per breach.

Merchants must also bear the often larger cost of reputational damage and loss of customer confidence, which can linger for years. A recent study shows that 75% of adults in the UK would stop doing business with an organisation if it was hacked [7].

Despite safeguards, data is still compromised

The depth and breadth of anti-fraud solutions has helped reduce risk. Today, retail IT professionals feel they are more prepared for handling breaches than they were two years ago. They are increasingly confident in their ability to discover data breaches, with 90% now claiming they can detect one within a week, compared to 70% in 2014 [4].

‘80% of breaches investigated are UK based’

Despite this, in the past 12 months Foregenix, the global leaders in data forensics and information security, has seen its case load multiply nearly 8-fold from 2013 levels. It reveals that 80% of breaches investigated are UK based and 44% involve hospitality, retail or financial services. Within these, Foregenix’s team of experts has identified the top three attack types as: targeted malware; application vulnerability exploits; Structured Query Language (SQL) injection.

As the US rolls out EMV, the subsequent tightening of security standards has shifted the emphasis for fraudsters. They are responding with ever more sophisticated attack methods. There is now a major skills mismatch between criminals and retail IT professionals, who are finding it increasingly difficult to keep up with a new generation of hackers with extensive IT skills.

‘75% of adults in the UK would stop doing business with an organisation if it was hacked’

Even with PCI there are still challenges

PCI DSS compliance helps keep a high proportion of transactions safe from base-level attacks and provides much needed accountability for those delivering retail services. However, it presents a number of challenges for retailers:

- Disparate legacy systems: these often have flat networks, resulting in data spread across many locations.
- Financial burden: PCI costs are high, which leaves IT departments with reduced budgets to invest in new technology.
- Skills base: reliance on best practice to implement, which in turn calls for specific in-house skills and knowledge.
- Education effort: everyone must be aware of the PCI process, from senior management to till operators.

Locking down the payment chain

Built on a solid reputation of trust and reliability, Foregenix are forerunners in information security, helping to simplify compliance and secure payment environments. Verifone are the global leaders in secure payment services and solutions and also sit on the PCI Security Standards Council (SSC). Together, they work with some of the world’s leading retail brands and are responsible for securing millions of transactions daily.

Both agree that, for PCI to be effective, the network environment – as well as devices – needs to be properly secured in order to lock down retailers’ systems from hackers and malware. Together they support Point-to-Point Encryption (P2PE) as the most logical route to achieving this – addressing fraud while creating minimal effort for the retailer.

This is backed by PCI assessor companies, who also confirm that a well-architected, properly deployed PCI P2PE solution can virtually eliminate the current risk of credit card data compromise for retail environments and provide a clear and dramatic reduction of PCI compliance scope which, in turn, reduces the cost of PCI compliance assessment and validation.

How PCI P2PE works

PCI P2PE is the ultimate ‘gold standard’ for merchant security. It works by addressing the risk of unauthorised interception associated with cardholder data-in-motion during the transmission from the POS terminal to the payment processor.

It also encourages best practice in terms of managing PIN Entry Device (PED) life cycles and operations. All of this helps to prevent criminals from accessing card data at the point of sale.

PCI P2PE protects credit card data as it travels through a merchant’s local network and across the internet before it reaches the payment processing system.

[Diagram: Verifone device (data encrypted at card swipe) -> Store POS -> Merchant server -> Acquirer and/or processor (data decrypted at processor)]

With PCI P2PE all card data is encrypted on the secure card reader itself and decrypted in a trusted PCI certified gateway. Card data is never decrypted in the merchant’s own systems. This effectively locks down the payment chain. If a criminal gets into the system, any data extracted is useless to them without access to the relevant encryption keys.

Importantly, PCI P2PE does not have any negative impact on the user experience or journey. There is no change to the way card payments are accepted – no loss of speed or service. All the encryption is managed by the terminal, invisible to the cardholder.

Merchants who adopt certified P2PE solutions and processes can dramatically reduce their PCI scope

[Diagram: P2PE scope as outlined by PCI requirements, showing Domains 1, 2, 3, 5 and 6 with the labels: secure manufacture and key loading; devices fulfilled in tamper-evident packaging; email inventory of shipment; approved application; merchant; secure key exchange (including approved Hardware Security Module (HSM)); PCI DSS certified payment gateway; encryption/decryption; provide merchant with implementation manual]

P2PE cuts fraud & delivers retail advantage

If PCI P2PE is properly applied, it can eliminate skimming devices by more than 95%, as terminals are securely delivered to the stores. It also reduces data compromise risk and liability by more than 80%, as the cardholder data is encrypted and thus eliminated from the stores.

‘PCI P2PE can eliminate skimming devices by more than 95%’

PCI P2PE not only reduces fraud but also boosts operational efficiency by more than 25%, because the payment solution provider can manage activity remotely on behalf of the retailer. Implementing a PCI P2PE solution has been shown to reduce the cost and complexity of PCI DSS compliance for merchants by more than 50%.

‘Implementing a PCI P2PE solution has been shown to reduce the cost and complexity of PCI DSS compliance for merchants by more than 50%’

Many UK retailers are already realising the advantages of PCI P2PE using Verifone Payment as a Service, an end-to-end solution that makes it easy to manage payments and compliance – and to achieve security best practice every step of the way. Over 200,000 Verifone Secure Reading and Exchange of Data (SRED) devices are connected to leading third party platforms supporting PCI P2PE.

The benefits of Verifone PCI P2PE Payment Solutions

- Significant risk efficiency
- Minimises fraud losses & costs
- Eases PCI compliance cost & effort

Does PCI P2PE impact customer tracking and Customer Relationship Management (CRM)?

PCI P2PE does not impact customer tracking and CRM if it is used in tandem with tokenisation, which is supplied as standard on all Verifone PCI P2PE solutions. Software based, tokenisation replaces the cardholder’s Primary Account Number (PAN) with a randomly-generated proxy alphanumeric number (“token”) that cannot be mathematically reversed. This is used for long-term storage or as a transaction identifier.

For merchants, it is ideal for recurring payments as the card number is only on the merchant’s network ‘in flight’ during the initial transaction – which can be encrypted and protected using P2PE. Beyond that, the merchant uses the token that represents the original card for subsequent payments or to track customer transactions for marketing purposes. This allows personalised marketing programmes to be developed and targeted using cardholder purchase history data.
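To make the data path described in the two preceding pages concrete (encryption on the reader, decryption only at the gateway, and a random token handed back to the merchant for recurring payments), here is an added Python simulation; it is not Verifone or PCI code. The cipher is a stand-in HMAC-SHA256 keystream with an HMAC tag, chosen only so the example runs with the standard library, and the class names, the key handling and the sample PAN are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode) so the demo runs with stdlib only.
    # Real P2PE devices use PCI-approved ciphers with HSM-managed keys.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class SecureCardReader:
    """SRED device: the only merchant-side component that ever sees the clear PAN."""
    def __init__(self, key):
        self._key = key  # loaded at key injection; shared with the gateway, never the POS
    def read_card(self, pan):
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(self._key, nonce, len(pan))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

class MerchantPOS:
    """Store POS / merchant server: forwards the blob and logs everything it sees."""
    def __init__(self):
        self.seen = []
    def forward(self, blob, gateway):
        self.seen.append(repr(blob))  # ciphertext only: useless without the key
        return gateway.decrypt_and_tokenise(blob)

class P2PEGateway:
    """PCI-certified decryption environment: holds the key and the token vault."""
    def __init__(self, key):
        self._key, self._vault = key, {}
    def decrypt_and_tokenise(self, blob):
        nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob modified in transit")
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()
        token = "tok_" + secrets.token_hex(8)  # random: no mathematical relation to the PAN
        self._vault[token] = pan
        return token
    def charge_token(self, token):
        return token in self._vault  # only the gateway can map a token back to a PAN

def run_transaction(pan, key=None):
    """Run one sale through reader -> POS -> gateway and report what the merchant could see."""
    key = key or secrets.token_bytes(32)
    reader, pos, gateway = SecureCardReader(key), MerchantPOS(), P2PEGateway(key)
    token = pos.forward(reader.read_card(pan), gateway)
    merchant_side = " ".join(pos.seen + [token])  # everything the merchant forwards or stores
    return {"token": token, "pan_visible_to_merchant": pan in merchant_side,
            "recurring_ok": gateway.charge_token(token)}
```

The tag check shows the other property the page relies on: a blob altered between the reader and the gateway is rejected rather than decrypted.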

Using the right tools

Only PCI PIN Transaction Security (PTS) certified payment devices with SRED and OP approvals – such as Verifone’s VX, MX, UX and E-series devices – can be used in an approved PCI P2PE environment. All payment devices in a PCI P2PE environment must also be handled according to the P2PE Implementation Manual (PIM) document and be traceable from birth to death of the device.

Merchants can only use ‘non P2PE certified devices’ in a P2PE environment if they choose to opt out of PCI P2PE at the chosen payment location. With PCI P2PE all card data is encrypted on the secure card reader itself and decrypted in a trusted PCI certified gateway. In this case, card data is never decrypted in the merchant’s own systems.

Using PCI certified P2PE solutions and following the PIM guidelines, merchants’ operations can be taken out of scope. This means retailers only have to complete a simple self-assessment form – in the same way that small and micro merchants do – instead of having to submit their entire operations to expensive and time consuming PCI audits.

This can potentially save large scale retailers millions in audit fees. This cost saving alone is enough to persuade major retailers to switch to PCI P2PE certified solutions, as they take advantage of an opportunity to cut their expenditure.

‘Using PCI certified P2PE solutions can potentially save large scale retailers millions in audit fees – enough to persuade major retailers to switch to PCI P2PE certified solutions’

For service providers & integrators

PCI P2PE made easy

Given the benefits to retailers, it makes sense for service providers to migrate to PCI P2PE based solutions. To make it easier for them to do this, Verifone has developed a PCI P2PE toolkit.

Eliminating unnecessary development and costs, it includes everything a third party service provider needs to create their own certified PCI P2PE payment solutions. This includes PCI PTS Card Acceptance Devices, SRED Operating Systems, Key Management & Authentication, Documentation, PIM and Integration and Test Tools, as well as the easy to use Verifone Integrated Payment Architecture Application Programming Interface (VIPA API) or Software Developer Kit (SDK) for effortless integration.

Open and agnostic, the Verifone PCI P2PE Toolkit can be used by any system integrator and third party provider to develop pre-certified P2PE solutions and validated processes for any merchant type, size and channel.

In the UK, the Verifone PCI P2PE Toolkit is already being used by leading integrators and service providers. Protecting more than 200,000 terminals nationwide, it has been shown to:

- Reduce cost, time and complexity of PCI P2PE by more than 60%
- Reduce integration and application development cost by 20%
- Shrink lead times by 20%
- Ease management and in-field distribution of encryption keys
- Minimise risk of tampering during transit
- Ensure best practice and skills by delivering full consultancy, support and training
- Deliver effortless P2PE across even the largest estates
- Reduce configuration costs by more than 80%

Summary

Both Foregenix and Verifone believe that PCI P2PE is a positive way for the industry to unite and clamp down on retail fraud. By providing expert guidance, comprehensive tools and encouraging P2PE best practice among providers and merchants, they are championing higher standards of security in order to reduce risk to their customers and improve the safety of consumers, while at the same time officially reducing PCI scope – and thereby costs – for retailers.

In order to do this, however, PCI P2PE solutions must use validated devices and processes as well as secure encryption methodologies and cryptographic key operations – including key generation, distribution, loading/injection, administration and usage. They must also utilise approved best practice while managing end of life devices.

Properly applied PCI P2PE can benefit retailers by:

- reducing scope, complexity and burden of PCI DSS compliance
- ensuring greater protection for cardholder data – from swipe through processing to settlement
- decreasing security compliance costs
- reducing threat of non-compliance and financial liability
- decreasing risk of cardholder data fraud and increasing data protection
- reducing software development cost
- simplifying payment processing architecture
- allowing easy integration with current infrastructure, across multiple physical locations, using simple SDKs.

About Verifone

As a PCI P2PE validated solution provider, PCI P2PE validated P2PE application provider and PCI PTS SRED approved terminal supplier, Verifone is uniquely positioned in the market to offer end-to-end PCI P2PE payment solutions for retailers. It is also the only vendor to offer a full PCI P2PE Toolkit to service providers and partners.

‘Verifone is the only vendor to offer a full PCI P2PE Toolkit to service providers and partners’

About Foregenix

Foregenix was the first assessor in the world to be accredited by the Payment Card Industry Security Standards Council (PCI SSC) to guide and assess payment applications against its P2PE standards. Foregenix P2PE Certification services are delivered by one of the industry’s leading Qualified Security Assessor (QSA) teams with substantial experience and skills in assisting P2PE Solution Providers in securing their solutions.

‘Foregenix was the first assessor in the world to be accredited by the PCI SSC’

References

[1] ISMG ‘Faces of Fraud: The 2016 Agenda’
[2] Financial Fraud Action UK Year-end 2016 Fraud Update
[3] NTT Group 2016
[4] Tripwire 2016
[5] Verizon 2016 Data Breach Investigations Report
[6] British Retail Consortium Annual Retail Crime Survey, published February 2016
[7] Centrify June 2016

Abbreviations

API: Application Programming Interface
CRM: Customer Relationship Management
EMV: a global standard for credit and debit payment cards based on chip card technology, taking its name from the card schemes Europay, MasterCard and Visa, the original card schemes that developed it
HSM: Hardware Security Module
ICO: Information Commissioner’s Office
P2PE: Point-to-Point Encryption
PAN: Primary Account Number
PCI: Payment Card Industry
PCI DSS: Payment Card Industry Data Security Standard
PCI SSC: Payment Card Industry Security Standards Council
PED: PIN Entry Device
PII: Personally Identifying Information
PIM: P2PE Implementation Manual
POS: Point Of Sale
QSA: Qualified Security Assessor
SDK: Software Developer Kit
SRED: Secure Reading and Exchange of Data
VIPA: Verifone Integrated Payment Architecture

verifone.co.uk

Verifone can help with PCI P2PE solutions for retailers and service providers. Find out more about Verifone EMEA: verifone.co.uk

Find out more about Foregenix digital forensics and PCI P2PE compliance services: www.foregenix.com

© 2017 Verifone, Inc. All rights reserved. Verifone and the Verifone logo are either trademarks or registered trademarks of Verifone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Reproduction or posting of this document without prior Verifone approval is prohibited. 06/17. Product code: A4833.
