Encrypted Payments, Explained
In 2017 there were 1,579 data breaches in the United States alone (Statista).
Breaches have become all the more damaging in recent years as more and more facets of our lives are stored digitally...
The adoption of EMV as a payment standard was certainly a buzzy affair, but generally speaking, EMV as a security measure has its limits. The technology ensures that counterfeit credit cards are not accepted - an important issue especially to those businesses whose average transaction size is high. But the standard does not do much in the way of protecting restaurants.
As a restaurant owner or operator, the last thing you'd want is to compromise your customers' data. The traditional unencrypted magnetic stripe readers (MSRs) that were ubiquitous in recent memory have proven to be especially vulnerable to security breaches. Many major restaurant breaches that have made the headlines in the past few years have been a result of unencrypted payment processing.
So, how do you keep your brand in the papers only for good reasons? Encrypting your payments is a good - and critical - first step.
What it means...
Encryption is the process of encoding payment data so that only authorized parties (with the right encryption key) can view it.
How it works...
Let's say a customer swipes their credit card on your self-order kiosk. Your encrypted payment device encrypts the data as the card is being swiped, using a unique key that is injected into the device at the time of manufacture or configuration. As soon as a card swipes past the head built into the device, the data is encrypted. A properly configured, secure payment application transmits this encrypted data off to the payment processor or gateway for decryption and processing. If things are done correctly, this data cannot be decrypted anywhere in between.
Stay away from conventional, non-encrypting magnetic stripe readers. The way these readers handle plaintext credit card data is the juiciest of low-hanging fruit to hackers and thieves. Storage of unencrypted payment card data increases your restaurant's risk and liability exponentially in the event of a breach.
E2EE vs P2PE
End-to-End Encryption (E2EE) and Point-to-Point Encryption (P2PE) are both methods of sending payment information in an encrypted form from the point of capture to the point of processing.
With an E2EE system, the data is encrypted immediately and then sent straight to processing. With a P2PE system, the data is encrypted immediately, and then sent to a gateway where it is decrypted and sent through an encrypted tunnel to the processor.
Why it's important...
Payment processing companies make arguments about one method being superior to the other, but when it comes down to it, P2PE and E2EE are both sound, secure methods of encrypting payments. The difference between the two matters most when it comes to their practical consequences.
How it affects you...
If you choose P2PE, you'll have to buy the device directly from the processor. That means when you run into an issue with the device, you'll have to work with their support team rather than the support team you usually work with at your POS company. Alternatively, you can buy an E2EE device from your POS provider and reap the benefits of having only one support team to call on.
On the other hand, if you choose E2EE you'll have less flexibility when it comes to choosing payment processing. With P2PE, you can have one provider encrypt the data from the device to the gateway, and another from the gateway on.
Benefits Beyond Security
Beyond the benefits of better security, encrypted payment processing often allows you to offer mobile payments like Apple Pay and Google Pay to your guests. Implementing encrypted payments may also simplify compliance under PCI regulations.