Johannes Lintzen

It seems that, as of late, no one is safe from getting hacked. From hospitals to retail giants, cybercrimes are becoming more sophisticated and more frequent. While financial institutions are among the most advanced electronic industries today, the financial industry also controls some of the most valuable assets and therefore has the most to lose in an attack.

EMV is a global standard for credit and debit payment cards based on chip card technology. EMV seeks to make financial transactions more secure. In October 2015, so-called liability shift sets in. From this point forward, both merchants and issuers (including credit unions) alike will be liable for fraud incurred if they have not yet adopted EMV technology.

Unlike many financial industry mandates, EMV migration is not a government mandate; instead, the change is being driven by the major credit card players in the banking industry (American Express, Discover, JCB International, MasterCard and Visa). The United States is far behind in transitioning toward the safer payment method of chip and pin compared to Europe, which has been deploying EMV for almost 20 years.

While the EMV technology is tested and proven to be successful, the reason U.S. companies have dragged their feet is the extensive infrastructure changes that will need to be made. From credit card machines to gas pumps, every single point-of-sale terminal will need to be replaced to complete EMV migration.

Financial institutions in particular will need to revise their entire infrastructure and operations. A Credit Union Times article reported in August that only 2% of credit unions have completed their switch to EMV or begun the process. As institutions make the move toward EMV migration, becoming familiar with fundamental security terms and devices will help ensure effective transition and proper storing of client high-value assets.

Transitioning to EMV Means Securing Your Payment Data

Typically, payment data flows from the customer in the swipe of the payment card, via the merchant’s point-of-sale terminal, to the acquirer and then onward to the issuer or card association for payment authorization. With EMV, payment data can be stored directly in the chip of the payment card instead of the insecure magnetic stripe, thus effectively preventing counterfeiting of cards.

EMV solves one important part of the problem by providing proof-of-possession of the card, since counterfeiting becomes difficult and cost-prohibitive for attackers. With EMV, dipping the card (instead of swiping it) allows the chip to generate a one-time code unique to the current transaction. Still, whether data is at rest or in transit, it needs to be secure at all times.
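To show why a per-transaction code defeats a copied card, here is an added example that is not part of the article and does not implement EMV’s actual cryptogram algorithm: real cards derive a session key from a card master key and compute a MAC over the transaction data, whereas this stand-in uses an HMAC-SHA256 over the same kind of fields (Application Transaction Counter, amount, terminal challenge) so that it runs with the standard library alone. The card key, the `IssuerVerifier` class and the transaction values are all constructed for the illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample key (not from the article). In a real deployment this
# per-card key exists in clear only inside the chip and the issuer's HSM.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_cryptogram(card_key: bytes, atc: int, amount_cents: int,
                    unpredictable_number: bytes) -> bytes:
    """Simplified stand-in for the chip's transaction code.

    The Application Transaction Counter (ATC) increases with every
    transaction, so the resulting code is unique to that transaction.
    HMAC-SHA256 is an assumption for this example; EMV uses a MAC under a
    derived session key.
    """
    msg = (atc.to_bytes(2, "big")
           + amount_cents.to_bytes(6, "big")
           + unpredictable_number)
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class IssuerVerifier:
    """Issuer-side check: recompute the code and refuse any ATC already seen."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._last_atc = -1

    def authorize(self, atc: int, amount_cents: int,
                  unpredictable_number: bytes, cryptogram: bytes) -> bool:
        expected = card_cryptogram(self._card_key, atc, amount_cents,
                                   unpredictable_number)
        # Constant-time comparison; a mismatch means a wrong key (counterfeit
        # card) or altered transaction data.
        if not hmac.compare_digest(expected, cryptogram):
            return False
        # A code captured earlier cannot be presented again: its ATC is stale.
        if atc <= self._last_atc:
            return False
        self._last_atc = atc
        return True


def demo() -> tuple:
    """Run one genuine authorization, one replay and one tampered amount."""
    issuer = IssuerVerifier(CARD_KEY)
    challenge = secrets.token_bytes(4)          # terminal's random challenge
    code = card_cryptogram(CARD_KEY, 1, 2599, challenge)
    first = issuer.authorize(1, 2599, challenge, code)      # accepted
    replay = issuer.authorize(1, 2599, challenge, code)     # same ATC: rejected
    tampered = issuer.authorize(2, 99, challenge, code)     # data changed: rejected
    return first, replay, tampered


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the paragraph states: a skimmed magnetic stripe can be replayed indefinitely, while a code bound to the card key and the transaction counter is good for exactly one authorization.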

While the EMV chip specifications do not help us here, the EMV tokenization specifications will. Data at rest is data recorded on storage media, and it is only considered secure if it is protected through strong encryption. Securing data in transit is equally important: to avoid liability for lost cardholder data, the merchant will want to make sure that data is protected from the moment it is received at the POS terminal. In-transit data is classified as secure when both parties (or data endpoints) can maintain a data transfer channel that is identified, authenticated, authorized, and private, meaning no backdoor can be deployed to intercept communication between the two parties.


Managing Cryptographic Keys to Avoid Third-party Breaches

When an EMV chip is embedded in a card, it helps ensure that the card being used is real and that it in fact belongs to the person using it, thereby drastically reducing the risk of stolen or counterfeit cards. On the back-end, safekeeping payment data means encrypting and decrypting data with the use of cryptographic keys. How to safely manage cryptographic keys is therefore a critical element of EMV.

Key management involves creating, deleting, storing and distributing keys. For EMV, a number of requirements must be met when managing keys, some for physical security and others for procedural aspects.

The primary security device for key management is a dedicated Hardware Security Module. An HSM is a small computer encapsulated within a tamper-evident coating. It can either be a stand-alone box or an embeddable electronics board. The rule is that a key must only be in clear form inside an HSM. Outside the HSM, it must either be in encrypted form, with the encryption taking place inside the HSM, or be split into several independent components.
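The rule that a key may leave the HSM only in encrypted form or as independent components is usually met, for the component case, by XOR-splitting the key among several custodians. The example below is added here and is not code from the article or from any HSM vendor; it shows the split and recombination, and a check value so that each custodian can confirm their component was entered correctly without exposing it. Payment HSMs typically compute a key check value by encrypting a zero block with the key; the HMAC-SHA256 fingerprint used here is an assumption made so the example runs on the standard library only.

```python
import hmac
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_components(key: bytes, n: int) -> list:
    """Split a key into n components that XOR back to the key.

    The first n-1 components are uniformly random; the last is the key XORed
    with all of them. Any n-1 components are statistically independent of
    the key, so one custodian (or a subset) learns nothing about it.
    """
    if n < 2:
        raise ValueError("need at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def combine_components(components: list) -> bytes:
    """Reassemble the key; every component is required."""
    key = components[0]
    for c in components[1:]:
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint of a key or component (assumption: HMAC-SHA256 over a
    zero block, truncated to 3 bytes, in place of the usual zero-block
    encryption). It confirms correct entry without revealing the key."""
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:6]


def ceremony_demo(n_custodians: int = 3) -> dict:
    """Simulate a key ceremony: generate, split, hand out, recombine, verify."""
    master_key = secrets.token_bytes(16)       # constructed sample key
    expected_kcv = key_check_value(master_key)
    components = split_into_components(master_key, n_custodians)
    # Each custodian records only their component and its KCV.
    handouts = [(c.hex(), key_check_value(c)) for c in components]
    # Later, all custodians enter their components; the KCV must match.
    rebuilt = combine_components(components)
    partial = combine_components(components[:-1])   # one custodian missing
    return {
        "all_present_matches": key_check_value(rebuilt) == expected_kcv,
        "subset_matches": key_check_value(partial) == expected_kcv,
        "custodian_count": len(handouts),
    }


if __name__ == "__main__":
    print(ceremony_demo())
```

Distributing components this way is what makes the “several independent components” clause workable in practice: the components can be carried, stored and entered by different people, and only their combination inside the HSM ever yields the clear key.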

Pros and Cons of Outsourcing Key Management

There are several processes related to key management, including the generation, exchange, storage, use, and replacement of keys. For smaller financial institutions, these processes are typically managed by third-party service providers such as payment processors. For larger financial institutions, it is more common to manage keys in-house. How an issuer chooses to manage the process, whether through internal or external processes or through a combination of both, is really a matter of preference and cost.

Critical to understand in the face of EMV is that the issuer is responsible for ownership of the keys, and that a suitable key management strategy must be in place. There might be security policies in place to ensure that sensitive keys are only managed in-house, or there might be a long history of successful outsourcing due to limited internal knowledge about the card issuing and acquiring procedure, or perhaps the procedure is centralized through a banking organization, and so on. It is now the responsibility of banks and credit unions to find the most productive and cost-efficient way to manage their migration.

By October 1, 2015, when the EMV liability shift occurs in the U.S., Visa and MasterCard plan to issue more than 550 million chip and PIN cards in the United States. Before then, credit unions need to have an infrastructure in place to handle the new cards and to better protect themselves from data breaches.

Johannes Lintzen is vice president of sales and business development at the German-based infrastructure security firm Utimaco.
