Merchant Services: The Role of Encryption in Credit Card Processing
Encryption, in the broadest sense of the word, is the translation of data into a secret code so that it can be securely transmitted. In credit card processing, it’s one of the most effective ways to keep data secure. Merchant services providers typically supply encryption services (oftentimes referred to as end-to-end encryption, or E2EE) to their clients because the credit card associations require that all account information be encrypted before it is transmitted over an electronic medium like the Internet.
All merchants who accept credit cards are mandated by the industry to keep their customers’ sensitive data safe, and encryption is one way to do that. E2EE is used to keep the pre-authorization portion of a credit card transaction secure; that is, during the period between when the data is collected at the terminal and when it is authorized by the issuing bank. Security for the back half of the transaction is provided by a different process called tokenization. Together, encryption and tokenization help form a shield of protection against hackers and identity thieves.
Unencrypted data is called plaintext. It is not secure and can be read by anyone who obtains it, so it is vulnerable to theft. Paper files can be stolen, or a hacker with a computer can breach a merchant’s system, retrieve the data and use it for illegal activities like credit card fraud, identity theft and the manufacture of counterfeit cards.
Encryption can be applied to the data, the transmission path it takes along the credit card processing network, or both. By reducing the data’s vulnerability, encryption also reduces a merchant’s risk of suffering a data breach and the financial and reputational damage that accompanies it.
During the encryption process, plaintext is transformed into an unreadable form (ciphertext), which can be returned to its original form only with the decryption key. There’s more than one approach to encryption, and while merchants can purchase encryption hardware and software, they can also use their merchant services provider’s encryption services.
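The two mechanisms described above, E2EE for the pre-authorization leg and tokenization for everything after, can be seen end to end in the following Python example. It is an added illustration, not code from the original article or from any merchant services provider. Because the Python standard library has no AES, the "terminal encryption" here is an encrypt-then-MAC stream cipher built from HMAC-SHA256 that stands in for the AES-based schemes real terminals use; the PAN `4111111111111111` is the well-known Luhn-valid test number, the keys are generated on the spot, and `TokenVault`, `encrypt_pan`, `decrypt_pan` and `process_transaction` are names chosen for this example only.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# --- E2EE leg: data is encrypted the moment it is captured at the terminal ---
# Stand-in cipher (assumption for this example): a keystream derived from
# HMAC-SHA256(nonce || counter), XORed with the plaintext, then authenticated
# with a separate MAC key.  Real terminals use AES (commonly AES-GCM or
# DUKPT-keyed block ciphers); the structure, not the primitive, is the point.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_pan(enc_key: bytes, mac_key: bytes, pan: str) -> bytes:
    """Return nonce || ciphertext || tag; this blob is all the merchant network sees."""
    nonce = secrets.token_bytes(16)          # fresh per message, never reused with a key
    pt = pan.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_pan(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """Provider side: verify the tag first, only then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext altered or wrong key")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode()


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; stands in for the issuing bank's authorization decision."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- Post-authorization leg: the merchant stores a token, never the PAN ---
class TokenVault:
    """Provider-side vault.  The token is random apart from the last four digits
    kept for receipts, so a stolen token reveals nothing about the card."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8) + pan[-4:]
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the provider can do this; the merchant has no mapping to reverse.
        return self._pan_by_token[token]


def process_transaction(pan: str, enc_key: bytes, mac_key: bytes,
                        vault: TokenVault) -> Tuple[str, bool]:
    """Full flow: encrypt at capture, decrypt at the provider for authorization,
    hand the merchant a token for refunds or recurring billing."""
    blob = encrypt_pan(enc_key, mac_key, pan)        # leaves the terminal encrypted
    recovered = decrypt_pan(enc_key, mac_key, blob)  # provider opens it for the bank
    authorized = luhn_ok(recovered)
    token = vault.tokenize(recovered)                # merchant keeps this, not the PAN
    return token, authorized


if __name__ == "__main__":
    k_enc, k_mac = secrets.token_bytes(32), secrets.token_bytes(32)
    tok, ok = process_transaction("4111111111111111", k_enc, k_mac, TokenVault())
    print("authorized:", ok, "merchant stores token ending", tok[-4:])
```

Two design points worth noting: the tag is checked with `hmac.compare_digest` before any decryption happens, so a tampered blob is rejected rather than decrypted into garbage, and the vault lives only on the provider side, which is exactly why tokenization shrinks the merchant's exposure for the stored-data half of the transaction.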
The PCI DSS (Payment Card Industry Data Security Standard) requires data encryption for card data stored in the merchant environment. By taking advantage of your merchant services provider’s encryption services, you remove this requirement since the provider is now responsible.
Incorporating both encryption and tokenization in your credit card processing exceeds the minimum requirements for PCI compliance, plus it gives you the peace of mind of knowing that you are making the maximum effort to keep yourself and your customers safe from a data breach that could be devastating to both of you.
