EMV, P2PE, or both?

There is a lot of confusion about how EMV and point-to-point encryption (P2PE) work together, whether one can replace the other, and whether both technologies are necessary. As point-to-point encryption becomes more and more popular and the EMV-related liability shift in the US approaches, more and more questions arise about both of these aspects of payment processing.

The purpose of this particular article is to explain the benefits of each option taken separately.

In our previous post on point-to-point encryption we described P2PE as an additional security measure “on top of” the EMV standard. However, in some cases people and companies use point-to-point encryption as an alternative to EMV (which, as we explained here, is much more secure than a magnetic stripe). The two address different risks: EMV makes the card itself hard to counterfeit, while P2PE protects the card data as it travels from the terminal to the processor.

Of course, if you want to feel more secure and support different card types, you’re better off incorporating both technologies within your solution.

Using EMV without point-to-point encryption is not recommended. Some modern businesses choose not to adopt the EMV standard and use P2PE only, in spite of the approaching liability shift deadline.

Let us illustrate the essence of the liability shift with a simple example.

Example

A fraudulent transaction took place in which an EMV card was used. The transaction itself, however, was not an EMV transaction, as the merchant did not support the EMV standard (did not have an EMV terminal). Consequently the card had to be swiped, and, as a result, the fraud occurred. Under the current rules, an examination takes place before the liable party is determined. After October 15, 2015, however, the liability would be assigned to the merchant, because it did not have EMV terminals.

As a result, businesses where payment card fraud risk is higher (such as small convenience stores) prefer to use EMV terminals. On the other hand, businesses where fraud risk is lower (such as large hotel chains, which verify and retain copies of all the cardholder’s documents at the time of purchase) may be less “stressed out” by the approaching deadline. They may choose to implement point-to-point encryption as the primary security measure.

For businesses that already have an encrypted-swiper-based point-to-point encryption solution (and consider fraud a minor threat), investing in new EMV terminals (and EMV certification) might be a challenge. That is why they choose to invest in liability insurance and stay away from EMV for now.

Conclusion

The best option is to use both EMV and P2PE. However, if you already have point-to-point encryption in place and, at present, do not consider fraud your top-priority problem, it is not that critical for you to purchase EMV terminals, go through certification, and roll out the respective solution at all your facilities before the liability shift. So why not make your shift towards the EMV standard more gradual and smooth?

Payment Gateways: Fraud Protection

If this is the first time you are reading our “Selecting a Payment Gateway” mini-series, please, start with the Introduction to improve your understanding of this post.

With the growth of online commerce and wider adoption of electronic forms of payment, an increase in the credit card fraud rate is observed (especially for card-not-present (CNP) transactions). Various tools have been introduced into credit card processing software by different companies in order to reduce the possibility of fraud. They include GeoIP, minFraud and others. In particular, these tools check the cardholder’s IP address, verify the cardholder’s e-mail against a look-up table, and determine the buyer’s overall risk score.

When it comes to fraud protection, the four most common approaches used at the point of sale are:

  • 3D Secure, introduced by the card associations (during online purchases an additional password associated with the credit card is required in order to confirm the buyer’s identity), often used in combination with
  • AVS (address verification service, provided by the card associations to verify the billing address on file against the one provided by the buyer);
  • IP-address-based (i.e. geographical-location-based) segmentation or filtering, provided by third parties;
  • various types of identity verification (the buyer’s name or e-mail is checked against various blacklists).

In some cases additional compensating security controls can be used:

  • a so-called “processing cap”: certain processing limits are imposed on the merchant, restricting the number or total amount of transactions the merchant can process per hour/day/week/month;
  • reserves: a certain percentage of the money processed is held by the processor/payment gateway for a certain period of time to cover potential chargebacks and ACH returns.

Merchant perspective

The fraud protection issue is especially relevant for merchants doing online commerce.

Example

Health club owners/managers decided to sell fitness supplements through their website. This activity exposes the health club to potential online fraud. In this case the merchant should opt for a payment gateway with built-in fraud protection tools. Using such a gateway is likely to result in considerable savings, as the merchant will not lose money on illegitimate orders and chargebacks.

Conclusion

A merchant dealing with a large number of online transactions, as well as a business operating in a high-risk segment, should decide in favor of a payment gateway with built-in fraud protection features.

Reseller perspective

The reseller must keep track of all the merchants it deals with and all their transactions, which is a very challenging task. If fraud does take place, financial responsibility might fall on the reseller, as not all merchants are responsible enough to perform the necessary checks themselves.

Example

A software company decides to add an online store as a software module. The company’s management realizes that this may result in the various additional fraud-related issues inherent in e-commerce. Consequently, the company (reseller) needs to have fraud protection tools in the online store. Cooperating with a payment gateway that already supports fraud protection features allows the reseller to save the resources and effort required to develop these features on its own.

Conclusion

When a reseller is actively involved in an industry segment where fraud is common and fraud rates are above average, it might be easier for the reseller to partner with a processor whose payment gateway software has integrated fraud protection tools, instead of building all the respective functionality on its own.

Our next post will cover core reporting requirements for a payment gateway.