2014 may well go down as the year that consumers and businesses began to take credit card security seriously. It started when Target announced early that year that a data breach had affected 40 million debit and credit card holders who used their cards at Target during the 2013 holiday shopping season. Many people began to take notice, and I, too, was affected. My credit card company contacted me and soon sent me a new credit card. The Target breach was followed soon thereafter by a report from Michaels, the nation’s largest arts and crafts chain, which said that as many as 2.6 million credit card holders may have been affected by a breach at the end of 2013 and early 2014. Later that year, Home Depot, the world’s largest home improvement chain, reported that a data breach there affected 56 million credit cards.
Data breaches are costly to the companies affected. Earlier this year, Target announced that it had incurred some $162 million in costs in 2013 and 2014 related to the breach. But the biggest threat of data breaches is to small businesses. It is estimated that 71% of data breaches target small businesses, and 96% of data breaches target payment card data. And the most eye-opening statistic: 60% of small businesses close within 6 months of experiencing a data breach. This is due to fines and penalties, lost sales, and increased costs from credit card processors as a result of the breach.
But there is something you can do to help prevent the loss of cardholder data in the event of a breach. Point-to-Point Encryption (P2PE) is a new technology that is now available through some credit card processors. Here’s how it works: A P2PE-certified card reading device (a signature pad, for example) is required on the POS system at the pharmacy location. The customer swipes their credit card on the device, which immediately encrypts the credit card information, creating indecipherable codes which are sent to the payment processor for decryption. The processor then accepts (or rejects) the transaction, and the pharmacy POS system is notified of the result. This whole process takes less than one second. This hardware-based encryption offers a much higher level of security than software-based encryption. Most importantly, encrypting cardholder data at the swipe and throughout the transaction renders the data useless to thieves. Cardholder data is never exposed past the point of the swipe, significantly reducing the risk to your customers’ credit card information.
Another innovative feature that goes hand in hand with P2PE is tokenization, which allows a customer’s credit card information to be safely stored by the POS system. The clerk can create a token for a customer at the POS Till simply by choosing the option to create one and swiping the credit card. The POS system creates a token (a random series of characters that replaces the card number) which is stored in the patient’s record in the POS system. Thereafter, the clerk can select an available token for that customer at the Till, and the customer does not have to present their credit card. The benefit here is that the pharmacy point-of-sale solution never sees the true credit card number, but can still charge the customer’s credit card without it being present. This is a great solution for delivery customers, or elderly patients who send a family member into the pharmacy for prescription pickup.
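The sketch below is an added example, not code from any POS vendor or processor. It models the token flow described above and adds a check you can run over POS records to confirm that no card number has leaked into them. All class and function names are hypothetical; the reader's encryption is simulated with an opaque random value, and the token is assumed to be issued by the processor, which keeps the only mapping back to the card number.

```python
import re
import secrets
import string

def luhn_ok(digits):
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Hypothetical processor side: the only place the card number is held."""
    def __init__(self):
        self._pan_by_blob = {}    # stands in for decrypting the reader output
        self._pan_by_token = {}
    def reader_swipe(self, pan):
        # Simulates the P2PE reader: the POS receives an opaque blob only.
        blob = secrets.token_hex(16)
        self._pan_by_blob[blob] = pan
        return blob
    def tokenize(self, blob):
        pan = self._pan_by_blob.pop(blob)    # each swipe blob is single use
        # Random letters: not derived from the card number, never digit-like.
        rand = "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pan_by_token["tok_" + rand] = pan
        return "tok_" + rand
    def charge(self, token, cents):
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": pan[-4:], "cents": cents}

class PharmacyPOS:
    """POS side: keeps tokens per patient and forwards blobs unchanged."""
    def __init__(self, vault):
        self.vault = vault
        self.patient_tokens = {}
    def create_token(self, patient_id, blob):
        token = self.vault.tokenize(blob)
        self.patient_tokens.setdefault(patient_id, []).append(token)
        return token
    def charge_on_file(self, patient_id, cents):
        return self.vault.charge(self.patient_tokens[patient_id][0], cents)

def find_card_numbers(text):
    """Return Luhn-valid 13-19 digit runs; any hit means a card number leaked."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]
```

Running `find_card_numbers` over an export of patient records or POS logs is a quick way to confirm that only tokens are being stored there.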
In summary, P2PE and tokenization are good solutions for any pharmacy that is looking not only for a more secure way to protect its customers’ credit card information, but also for a way to reduce the scope of PCI compliance.