Who’s Ready For EMV & P2PE?

With the October deadline quickly approaching, many companies are researching how they might deploy EMV. The card brands have set October as the month where breach liability will shift from the brands to the merchant if the merchant doesn’t have at least 75% of their readers capable of reading an EMV card. This means the merchant would have a hybrid reader that accepts EMV as well as traditional mag stripe. Mag stripe cards will certainly take a few years to be fully replaced so these readers will continue to process multiple card types.

While EMV has been deployed in other countries for many years, most US payment processors aren’t prepared for what the card brands have asked for. When a merchant begins to analyze the cost to purchase new card readers and what risks are mitigated by EMV technology, you may take a step back. EMV will certainly reduce card present fraud, but without other technologies such as P2PE, malware could still harvest the numbers from point of sale devices.

So, as you begin or continue the conversations you are having with your favorite card reader vendors, ask them if they have a solution that is compatible with your point of sale software and offers both EMV and end-to-end encryption (not P2PE). If a hardware vendor encrypts the card number at the swipe or upon entering your EMV PIN, who has the keys to decrypt that? Typically, the hardware vendor encrypts the number at their gateway and then passes that number over regular SSL to your payment processor in the clear. Thus, this is P2P and not E2E encryption.

This issue has been discussed for years (note this post from PCI Guru in 2009 –https://pciguru.wordpress.com/2009/05/16/is-%E2%80%9Cend-to-end-encryption%E2%80%9D-realistic-part-2/).

Another interesting callout as noted in the above blog is if you use MPLS for communication between your retail outlets. With MPLS, you are unable to reroute your encrypted traffic if it is already being tunneled. So, your provider would have to be able to encrypt only the card number and not the entire packet.

All-in-all, while I have noticed many stores recently converted to new EMV capable readers (such as Target, Costco and Home Depot), I don’t believe this is going to reduce the number of security incidents. Adding in end-to-end encryption however should be a game changer once the infrastructure and the vendors are able to support it.