Beyond EMV: Why Cloud-Based Payments Security is Key

Talk of the EMV (or EuroPay, MasterCard and Visa) liability shift on 1 October 2015 is dominating payments security news. While there’s no denying the importance of security when accepting payments, and though upgrading point-of-sale terminals to accept these new chip cards is a good first step, it’s perhaps more important to consider a broader, more complete approach to payments security.

Cloud-based payments security is critical for any business planning to make the switch to EMV. These features offer among the highest level of transaction security, reduce the risk of data breach, and further protect consumers from fraud. Most of these features place the onus on the payment processor and card issuer to protect customer card data by ensuring the information never touches a business’ own servers. When coupled with EMV, these solutions can offer protection from end-to-end in any environment, long after 1 October has come and gone.


Tokenization uses a random, unique code to represent a credit card number, mitigating the risk associated with the exposure of the actual credit card number. At the simplest level, if a credit card number was 1234, it could be tokenized as ABCD during the transaction. For a fraudster who may get his hands on that information, ABCD has zero value and is rendered meaningless. For the payment processor who created the token, ABCD references a real card number housed on its server.

Through tokenization, rather than exchange credit card numbers merchants and payment processors can pass tokens, thereby minimizing visibility into a payment account number. While breaches may still occur, hackers who infiltrate a token system will find the information virtually useless.


A vault is used to establish a system of recurring payments. With a vaulting mechanism, customers entering their credit card information store it on a site to be used in the next transaction. Vaulting is key for online transactions where an EMV card does not pass through a secure card reader and a business cannot validate cardholder information in person.

Vaulting also makes a business more secure because they’re no longer tasked with the burden of securing and storing customer data themselves. That responsibility is left to the payment processor.

P2P Encryption

Point-to-point encryption, or P2PE, reads the information on the magnetic stripe (or chip in the case of EMV) on a credit card and transmits encrypted versions of that data to the payment provider for processing and approval. P2PE ensures the most sensitive customer information is encrypted almost immediately after the moment it’s captured. With P2PE the payment processor is the only party with the capability to decrypt the data, which it does to perform an authorization before re-encrypting the information and sending it back to the POS to complete a transaction.

"Pre-authorization on fraud checks is critical in the grand scheme of payments security"

Data encrypted from the point of swipe to the point of the payment processor guarantees minimal exposure of plain text information. This protects businesses and customers’ card numbers from a variety of potentially devastating attacks.

Pre-authorized Fraud Checks

Today’s more advanced payment processors can facilitate automated pre-authorization on fraud checks. Through a sophisticated combination of behavioral profiling – such as the location and quantity of a purchase – and multi-currency factoring, the process can facilitate real-time payment authorization. This substantially minimizes the chance of unnecessary voids and transaction reversals.

Pre-authorization on fraud checks is critical in the grand scheme of payments security. If the processor can minimize fraud occurring through them, they won’t have to charge to recover from losses. In the long term this benefits the processor and the business from a cost perspective.

EMV is going to play a critical role in establishing a new global standard for payments security. The reality is, however, that businesses should be looking beyond EMV. Fraud always shifts to the weakest point of entry and while our credit cards will be more secure, EMV will not be enough to protect a business from end to end. When mapping out an EMV strategy, consider how cloud-based solutions can offer the highest level of security without the added burden of going it alone. 

About the Author

Chester Ritchie is SVP of Worldpay US, a leading global payments technology and services company that offers services across the entire payments value chain and in any environment: in-store, online and via mobile devices

What’s Hot on Infosecurity Magazine?