Security Hardware's the Best Bet to Protect Post-EMV Data

The United States is one the last developed countries to migrate to an EMV-based payments infrastructure, with a card network-imposed liability shift going into effect on October 1.

Meanwhile, cybercriminals have become more sophisticated, frequently accessing sensitive payment information. While chip and PIN enabled cards help secure against counterfeit and fraudulent use, security controls still need to be put in place to protect cardholders’ confidential information all the way through the transaction process – including securing data-in-transit.

The strongest option to provide this security is hardware that can generate and store the secure cryptographic signatures that are required for authorizing communication commands between the point-of-sale terminal, the store and the bank.

Encrypting data is the first step in protecting critical business and consumer data. The second step is to create and store the cryptographic key that unlocks that data.

Hardening security means creating a secure key via true random number generation, which relies on the anomalies in physics instead of the constraints of zeros and ones found in code. The random seed number is derived from electrical noise, quantum mechanics, ambient noise, and other “quirks in nature” that occur in a truly random manner.

Storing a cryptographic key is just as important as creating it. Software solutions store keys in main memory which means the system administrator, and anyone else with server access, has access to and the capability to create an extra key to access the data.

Compared to software solutions, hardware security modules offer strong security even in the most hostile environments. The module can detect when any attack is happening, in the form of drilling, heat, power blackout or chemical attack, and automatically delete the keys immediately.

And hardware's easy to deploy. For example, one merchant, Axfood—Scandinavia's largest food retailer—was able to able to successfully alter its infrastructure and complete the deployment of hardware-based security in six months, despite its multiple brands and store locations.

By the time the U.S. migrates to an EMV-based payments infrastructure, Visa and MasterCard alone will have issued more than 550 million chip and PIN cards.

Though this is a step in the right direction in terms of security, EMV standards will not eradicate the problem of fraud. EMV takes care of card counterfeiting by eliminating the theft-prone magnetic strip, but in order to secure consumer data both at rest in the card, and in transit through the payment process, merchants will need to consider means of safely locking and unlocking encrypted payment data.

Malte Pollmann is CEO of Utimaco.