The payments ecosystem in retail is constantly evolving, and it can be hard to understand the difference between available technologies—why does it matter what device I swipe a card in? Why should I care about chip versus swipe? Updating hardware is expensive, so do I really need to make a switch?
As technology improves for payment terminals, so does its ability to protect your store, employees, and customers. Understanding the level of encryption that takes place within each kind of device will help you understand the value it can provide to everyone involved in the sale. The primary encryption types for these technologies are:
- Unencrypted (MSR swipe/wedge devices)
- Static Encryption (Swipe reader on an EMV terminal)
- Dynamic Encryption (Chip card reader)
To understand the value in each of these devices, imagine that all of your payment processing systems went down and everyone resorted to pen and paper to provide their credit card info.
If you were using…
You write your full credit card number, expiry date, and name onto a piece of paper and hand it to the sales associate who enters the data into the system.
If anyone sees that paper, they have all of your card information and could use it over and over again for new sales.
Old Magnetic-Stripe Readers (commonly referred to as MSR readers or wedges) are unencrypted. If the card data is intercepted, it can be replayed over and over again for new purchases.
Do Unencrypted Transactions protect the cardholder from having their data stolen? No
Do Unencrypted Transactions protect the merchant from stolen cards being used? No
Static Encryption Technology
You don’t want your data captured so easily, so you make a code that says:
A = 1, B = 2, % = 3, @=4and so on.
You pass the sales associate two pieces of information. One is the codebook and one is your card number, but it looks like:
D%AH@AACD*HH—a big string of letters and characters.
The associate can decipher the data and process the transaction but a stranger glancing at the sheet isn’t going to get any useful information from it without having access to the codebook. Only if someone were able to make even a copy of the codebook, they would be able to make a new purchase with it because the associate wouldn’t know it was a duplicate codebook.
The magstripe on your credit or debit card uses Static Encryption. When used in an EMV-capable payment terminal, it is very difficult to obtain the card data because of the encryption. However, if someone managed to copy the card data, the payment terminal wouldn’t know the difference between the original and the recording.
Does Static Encryption protect the cardholder from having their data stolen? Yes
Does Static Encryption protect the merchant from stolen cards being used? No
The codebook that you hand the associate for this kind of encryption will be pretty big because dynamic encryption means the data is constantly changing.
Instead of “A = 1” it looks something like:
For the first transaction, A = 1
After that, A = A + 1
For the first transaction, B = 5
After that, B = B + 5
You pass the associate two pieces of information. The (giant!) book, and the paper with your card data on it. For the first transaction, that paper might look like:
DPSD…and so on.
The associate can decipher the data and process the transaction, but a stranger glancing at the sheet isn’t going to get any useful information from it.
But what happens if someone gets makes a copy of the sheet? With this encryption, the copy is useless because the data changes after every transaction. Trying to make a purchase using the data from the first transaction will never work.
EMV Chip transactions have several dynamic data elements. This means that not only does the overall information change, but also that different parts of the information change differently too.
Does Dynamic Encryption protect the cardholder from having their data stolen? Yes
Does Dynamic Encryption protect the merchant from stolen cards being used? Yes
So, why should you be using EMV payment terminals?
An Unencrypted Reader exposes both the cardholder and the merchant to credit card fraud.
Swipe transactions in an encrypted reader protect cardholders from having their data stolen, and an EMV Chip Card reader protects both the merchant and the cardholder.
Adding to the puzzle that is encryption, the type of technology used during the transaction is also considered for chargeback situations. EMV Chip terminals send an indicator that says “I’m Chip capable!” in every transaction–even swipe. This provides merchants fraud protection even if the card only supports swipe because a higher level of encryption is supported by the terminal processing the transaction.
Want to learn more about encryption and compliance? Check out out blog on how end-to-end encryption can simplify the compliance process.