Why do you need P2PE? We sat down with store automation expert, MBS Systems Sales Manager Chris Bovi, to discuss the ins and outs of MBS Systems security features and how they affect your store, your customers and your campus.
This is Part 1 of our discussion.
What is P2PE?
Point-to-point encryption means that as soon as you present the payment to the PIN pad, that PIN pad encrypts the data and sends that information out to the retailer’s processor. No one can see the data “in the clear,” or in an unencrypted state, until it’s decrypted by the processor.
Why did MBS Systems adopt P2PE?
As a solutions provider, moving to a point-to-point encryption environment has allowed us to keep credit card data from ever touching the MBS system, ever being stored by the MBS system, ever being accessible to anybody in an unencrypted format.
How does that affect a retailer’s Self-Assessment Questionnaire (SAQ)?
It can shrink the amount of PCI [Payment Card Industry] compliance tasks you need to do. Before we adopted P2PE, most of our customers were required to complete an SAQ C, which is pretty involved. They had to complete it in conjunction with their IT department and with MBS.
Now, our customers can do an SAQ P2PE. It’s a brand-new questionnaire specific to folks in a point-to-point environment. The questionnaire is significantly shorter than the SAQ C. I think it’s less than 20 questions.
How does P2PE affect liability?
If I don’t see, store or have access to the credit card data, that eliminates my liability for that data. It’s not on my system, so it can’t be stolen. One of my employees can’t take it and use it for some nefarious purpose. I can’t mistakenly share that information or expose it — it’s not there. So, it greatly reduces the liability stemming from handling credit cards.
Do all vendors offer P2PE?
There are vendors that don’t yet offer this option. There are vendors that may offer this option but do so either through a third party or with a company that’s not compatible with their current credit card relationship.
How does the MBS System ensure credit card compatibility?
We partnered with a company called Vantiv, which provides the point-to-point encryptions and all the payment options. They work together. So, whether I’m paying with my digital wallet (NFC), or paying with a chip card (EMV), or whether I’m doing a traditional swipe, all those transactions are immediately encrypted and moved out via their payment gateway to one of five processors that Vantiv is already certified with.
How much processing does that cover?
Those five companies probably represent 85% to 90% of the processing that occurs in the United States. So, chances are we work with the processor your campus is already working with. Therefore, there is no conflict or disruption with your existing credit card / banking relationship.
That might not always be the case with other vendors.
What is tokenization?
Tokenization was the first step in better protecting credit card data. We have been doing tokenization for many years for both security and customer service. We partnered with Paymetric for that.
When a payment is presented, that payment goes out to a processor to be authorized. When tokenization is employed, that credit card info also goes out to Paymetric where it is securely stored, and Paymetric sends back a token.
The token is what is stored on the system, and can then be used for customer service purposes — like refunding onto a card that isn’t present. Let’s say a student returns something bought on Mom and Dad’s card and Mom and Dad have taken back the card, so the student doesn’t have it. We can still refund the card without it being there.
We also use those tokens to process charges for rental books that aren’t returned. So, if a student rents a book, we secure their credit card by creating a token for it and associating it to the rental(s). Then if the book doesn’t come back, we can use the token to process a charge back to the student’s card for whatever fees or penalties are applicable.
Does P2PE work with tokenization?
When we moved to the point-to-point solution with Vantiv, the Paymetric tokenization solution moved right along with it. The two work in harmony with one another. So, our customers that were using tokenization still do, but now have this added benefit.