What Restaurants Need to Know About Encryption

The payment card industry is about to get tough on breaches, but not on the hackers. In October of 2015, much of the liability for credit card fraud shifts onto stores whose systems haven't been upgraded to technology capable of encrypting card transactions. Here's a CliffsNotes version of the technologies that are becoming available (and soon mandatory) for merchants.

End-to-End Encryption (E2E)

In a nutshell, E2E encryption is the encryption of communications between two endpoints, such as a card reader installed at a restaurant Point of Sale and a merchant processor. This type of encryption is accomplished using a scheme called Derived Unique Key Per Transaction (DUKPT). That's a mouthful, but it basically means that the key used to encrypt a single transaction is thrown away immediately afterwards, so no two swipes of the same card will ever look alike.

Why It’s Important:

The restaurant industry processes billions of dollars in credit and debit card transactions. Hacking is on the rise. Put the two together and you get a scenario where unprepared merchants become easy targets. Encrypting card data is the best way to begin putting up a wall between you and an expensive recovery. Like dad always said, an ounce of prevention is worth a pound of cure.

Point-to-Point Encryption (P2PE)

Point-to-Point Encryption is a tighter circle of E2E. The big difference is the control measures used to ensure that card data is secure at all times, removing any third party's view of the card data along the way.

P2PE devices (like a magstripe reader) are injected with encryption keys specific to each merchant processor. The device speaks directly to the merchant processor without ever exposing the unencrypted card data to any other system, including the restaurant's own POS. Devices provided by merchant processing companies are also built to resist tampering, and companies installing P2PE devices have to undergo certification as well.
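To make the DUKPT idea from the E2E section and the P2PE model of "the reader talks straight to the processor" concrete, here is an added Python illustration. It is not code from the original post or from NEXTEP, and it does not implement the real ANSI X9.24 DUKPT algorithm: HMAC-SHA256 stands in for the X9.24 key derivation and an HMAC keystream stands in for AES/TDES. The base derivation key (BDK), terminal id and track data are constructed sample values. What it does show is the structure the text describes: a terminal that holds only its injected initial key, encrypts each swipe under a key tied to a transaction counter and discards that key, a processor that re-derives the same key from the BDK and the Key Serial Number (KSN) sent with the ciphertext, and a counter check so a captured swipe cannot be replayed. The one property of real DUKPT it does not reproduce is the one-way future-key schedule that keeps a compromised terminal from recovering keys for earlier transactions.

```python
"""Simplified 'unique key per transaction' encryption between a card reader and a processor.

HMAC-SHA256 is a stand-in for the ANSI X9.24 DUKPT derivation and for the
AES/TDES cipher; the key hierarchy (BDK -> per-device IPEK -> per-transaction key)
and the KSN layout are the ideas being illustrated, not the real algorithm.
"""
import hashlib
import hmac

# Constructed sample values (hypothetical, not real keys or serial numbers).
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")  # held only by the processor/HSM
DEVICE_ID = b"TERM-0001"                                    # serial number of one reader
SAMPLE_TRACK = b"4111111111111111=2512"                     # Visa test PAN, expiry 12/25


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial key injected into one terminal; the terminal never sees the BDK itself."""
    return hmac.new(bdk, b"IPEK|" + device_id, hashlib.sha256).digest()[:16]


def derive_txn_key(ipek: bytes, counter: int) -> bytes:
    """Per-transaction key bound to the transaction counter carried in the KSN."""
    return hmac.new(ipek, b"TXN|" + counter.to_bytes(3, "big"), hashlib.sha256).digest()[:16]


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with an HMAC counter-mode keystream (stand-in for AES/TDES)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def make_ksn(device_id: bytes, counter: int) -> bytes:
    """KSN = device id + 3-byte transaction counter; sent in the clear with each swipe."""
    return device_id + counter.to_bytes(3, "big")


def parse_ksn(ksn: bytes):
    return ksn[:-3], int.from_bytes(ksn[-3:], "big")


class Terminal:
    """Card reader: holds only its own IPEK and a counter, never the BDK."""

    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self._ipek = ipek
        self.counter = 0

    def swipe(self, track: bytes):
        self.counter += 1
        key = derive_txn_key(self._ipek, self.counter)
        ciphertext = xor_keystream(key, track)
        del key  # the transaction key is discarded as soon as the swipe is encrypted
        # Only the KSN and ciphertext ever leave the reader, so the POS sees no card data.
        return make_ksn(self.device_id, self.counter), ciphertext


class Processor:
    """Merchant processor side: holds the BDK and re-derives each transaction key from the KSN."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk
        self._last_counter = {}  # per-device high-water mark; counters must strictly increase

    def decrypt(self, ksn: bytes, ciphertext: bytes) -> bytes:
        device_id, counter = parse_ksn(ksn)
        if counter <= self._last_counter.get(device_id, 0):
            raise ValueError("replayed or out-of-order KSN")
        self._last_counter[device_id] = counter
        key = derive_txn_key(derive_ipek(self._bdk, device_id), counter)
        return xor_keystream(key, ciphertext)


def demo():
    """Two swipes of the same card: different ciphertexts, both recoverable by the processor."""
    terminal = Terminal(DEVICE_ID, derive_ipek(BDK, DEVICE_ID))  # key injection step
    processor = Processor(BDK)
    ksn1, ct1 = terminal.swipe(SAMPLE_TRACK)
    ksn2, ct2 = terminal.swipe(SAMPLE_TRACK)
    return {
        "ksn1": ksn1, "ct1": ct1, "pt1": processor.decrypt(ksn1, ct1),
        "ksn2": ksn2, "ct2": ct2, "pt2": processor.decrypt(ksn2, ct2),
    }


if __name__ == "__main__":
    result = demo()
    print("swipe 1:", result["ct1"].hex(), "->", result["pt1"])
    print("swipe 2:", result["ct2"].hex(), "->", result["pt2"])
```

Running the script shows the same card producing two unrelated ciphertexts, which is the "no two swipes look alike" property from the text; the replay check in `Processor.decrypt` is the kind of control a processor adds on top so that a captured ciphertext cannot simply be resubmitted.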

Why It’s Important:

Encrypting data in this way mitigates damages and avoids unnecessary risks for restaurants. If a restaurant is hacked in some way, payment card information isn't located on any of its systems. While attackers may be able to exploit other vulnerabilities (such as an open WiFi network), you don't have to worry that your customers are going to be put at risk, or your brand.

Near Field Communication (NFC)

Ever heard of RFID? Near Field Communication (NFC) is a subset of that. The difference is that when an NFC chip enters a radio field (in NFC's case, a very small one of up to about 4 inches) it can communicate back instead of just emitting a radio "tag." In payment systems, NFC chips send a token for payment processing over that radio link. This token is generated by a third party such as Apple Pay, Google Wallet or Samsung Pay.

This obviously only works if your device is capable of reading NFC, and you have to have a merchant processor that accepts payments from these third-party apps.

Why It’s Important:

Apple is pushing hard for Apple Pay support, and everyone else is following suit. Improved versions of past failures are relaunching with much higher success and adoption from merchants, proof again that Apple has everyone wrapped around their finger. These services promise greater security for users, and in the current climate, appear as an attractive way to avoid personal credit card calamities.

Europay, Mastercard and Visa Chip & PIN

EMV is the chip-card standard used in Europe that is now becoming more prevalent in the US. What it does is generate a unique code for each transaction instead of handing over the card number itself. What this means is that the card has to be physically present to make in-store purchases, and cards are next to impossible to forge.

The difference between Chip and PIN cards (used in Europe) and Chip and Signature cards is the method used to verify the cardholder and who accepts each. With signature cards, the signature is the authorization for card use, which relies on the individual processing the card to actually check it. This is obviously not a problem with PIN cards, as punching in your four digits is required.

Why It’s Important:

In October of 2015, credit card companies are shifting liability for fraud occurring through signature-based transactions over to retailers if they haven’t adopted Chip and PIN technology. That means that if your location isn’t compliant and a breach occurs, you’re paying the damages.

What You Can Do:

NEXTEP solutions are all NFC and EMV ready, and both E2E and P2PE card readers are available from multiple merchant processing vendors. While dealing with a breach is bad enough, dealing with one that you could have prevented is worse. Times have changed, and the responsibility for keeping guests' data secure now falls on merchants as well. If your current solutions aren't helping you protect yourself and your guests, maybe it's time to invest in an ounce of prevention with someone else.

Have concerns? Don't.

Contact NEXTEP and we will guide you through how to keep your transactions safe and secure.

Filed under: All, News
By Liah Luther