Archive for the ‘Payments Industry News’ Category

EPX Welcomes Third-Party Validations of Tokenization and Payment Processing Outsourcing

Tuesday, July 20th, 2010

Editor’s Note: It’s always encouraging to see EPX competitors follow in our footsteps. Just as competitors are following our lead by touting the benefits of tokenization technology, several competitors are even beginning to issue press releases that mirror ours. I guess imitation is the sincerest form of flattery.

Electronic Payment Exchange (EPX), a full-service payment processing organization, announced today that it welcomes the recent third-party validations of cardholder data tokenization and payment processing outsourcing. Newly announced global industry best practices for tokenization from Visa Inc. validate EPX’s long-standing deployment of tokenization technology for securing cardholder data. Additionally, a June 2010 security brief from RSA supports EPX’s approach to tokenized payment processing outsourcing by referencing an EPX client case study that shows how tokenization and payment processing outsourcing reduce merchant costs and other burdens associated with securing cardholder data.

The recent release of Visa’s tokenization best practices provides valuable guidance to merchant organizations seeking to utilize tokenization solutions for securing cardholder data. As the first organization in the payments industry to engineer and deploy tokenization technology, EPX welcomes Visa’s focus on and validation of tokenization solutions.

In version 1.0 of the Visa Best Practices for Tokenization document, Visa establishes best practices related to four critical components of tokenization: token generation, token mapping, card data vault, and cryptographic key management. Visa provides further recommendations regarding tokenization system configuration, implementation, and management, and offers guidance on the management of historical data.

EPX, which has offered merchants tokenization technology since 2001, abides by one hundred percent of the best practices established by Visa and views the best practices as reinforcement of EPX’s approach to tokenization. According to EPX Chief Security Officer Matt Ornce, “Visa is now confirming what we have been saying and practicing for years. Merchants that properly implement a sound tokenization solution are able to limit cardholder data storage in their environments. In turn, this simplifies merchant PCI DSS assessments by reducing the scope of their compliance requirements, associated costs, and implementation. This makes merchants of any size more secure and brings them into compliance easier, faster, and with less expense.”

Further validating EPX’s approach to payment data security, a June 2010 security brief released by RSA provides insight into how tokenization can be combined with payment processing outsourcing to relieve merchants of the burden and potential costs associated with securing cardholder payment data. Using an EPX client who annually processes tens of thousands of ecommerce transactions as an example, RSA pointed out that the merchant organization substantially reduced its PCI compliance burden. The security brief also establishes that, over the next several years, many payment processing organizations will introduce outsourced payment services to manage cardholder data risks on behalf of merchants. The brief provides additional insight by stating that the most effective outsourced payment services will use a combination of tokenization and encryption.

EPX has provided payment card security outsourcing for ten years and was the first payment processor to actually market, sell, and implement a solution that uses both tokenization and encryption for securing card data from the card swipe through the entire transaction lifecycle. By processing through EPX, individual merchants have reduced their initial PCI compliance burden by millions of dollars and continue to realize significant annual savings.

EPX welcomes the third-party validation of payment processing outsourcing and the use of tokenization plus encryption technologies. “It is great to see that leaders in the payments and security industries are recognizing EPX’s accomplishments,” EPX Chief Executive Officer Ray Moyer said.

Electronic Payment Exchange Enters its Tenth Year of Issuing Tokens for Securing Credit Card and ACH Transaction Data

Wednesday, May 26th, 2010

EPX began Offering Tokenization Solutions in 2001

Electronic Payment Exchange (EPX), a full-service payment processing organization, has entered its tenth year of issuing tokens as a means of securing credit card and ACH transaction data.

In early 2001, EPX engineered and deployed the payment industry’s first tokenization technology, which has protected hundreds of millions of financial transactions and helped merchants eliminate the liabilities associated with storing unprotected payment data. EPX’s proprietary tokenization technology replaces the sensitive payment information with unique IDs, which the payments industry has since come to call “tokens.”

For each transaction processed by EPX, patent-pending EPX BuyerWall™ technology issues a BRIC (BuyerWall Recognized Identification Code) token to the merchant, which is meaningless to would-be thieves. The BRIC allows the merchant to maintain total control of the customer experience and realize all of the capabilities that previously required the storage of cardholder data including refunds, recurring transactions, and historical review.

“As an innovator of tokenization in the payment processing space, we have been helping merchants effectively secure their payment data for nearly a decade,” said EPX Chief Security Officer Matt Ornce. “The industry has recently seen a rash of new entrants to the tokenization space. I applaud their efforts to catch up to our tokenization technology. However, I would caution merchants against using unproven solutions.”

“All tokens are not the same. Some tokenization solutions that have recently come to market don’t provide optimal security, since their tokens can be reverse-engineered to reveal their corresponding card numbers,” explains Ornce. “EPX tokens provide ultimate security because they are not derived from card numbers, and therefore cannot be reverse-engineered into meaningful data.”

Ornce says that another key differentiator between EPX’s tokenization solution and those of competitors is that EPX tokenization technology is “built in, not bolted on” to its payment processing platform. EPX’s payment processing platform was built with tokenization as an inherent component, while other payment processors have modified their legacy systems by adding on tokenization modules.

In addition to using tokenization for protecting credit card data, EPX tokenization technology has also been securing electronic check (ACH) payments since 2001. Contrary to recent claims by competing payment processors who reported that they were the first to offer tokenization of ACH data, EPX stands alone as the first to apply tokenization technology to ACH payments.

EPX has been an innovator and active leader in the payment processing space since 1979, and its nearly 10 years of using tokenization to protect credit card and ACH payments is further evidence of EPX’s commitment to protecting merchants. According to EPX Executive Vice President Charles Crawford, “In the 31 years EPX has been in the payments business, we have made many breakthroughs by simply pursuing what is most effective, what is most efficient, and what serves our merchants best. We’ve never waited for others to lead the way, nor will we in the future.”

Insightful Case Study Details how Electronic Payment Exchange Saved a Global Firm More Than $3 Million in PCI-Related Costs

Friday, May 21st, 2010

Gartner, Inc., the world’s leading information technology research and advisory company, recently released a case study that describes how a $5 billion global firm saved millions of dollars in Payment Card Industry-related costs and months of internal development time by outsourcing its international card payment operations to Electronic Payment Exchange (EPX).

EPX, a full-service payment processor that provides card data tokenization, enables organizations to comply with just a few questions on the PCI Self-Assessment Questionnaire A, rather than having to comply with the complete set of more than 200 questions required for firms that accept and store credit card data in their systems.

EPX Chief Executive Officer Ray Moyer welcomes the Gartner case study and believes it shows EPX’s dedication to assisting merchants in achieving PCI compliance. “While some organizations are busy generating hype for newly invented, unproven tokenization solutions, EPX has been busy actually implementing our tokenization solutions,” said Moyer. “2010 marks the tenth year that EPX has been issuing tokens for every transaction response. Our proven approach, coupled with our EPX BuyerWall platform, enables us to help merchants reach their PCI compliance requirements faster, with greater security, and with less merchant expense.”

The complete research note written April 9, 2010 by Avivah Litan, “Case Study: NCR Saves Substantial PCI Project Costs by Using Outsourcing and Tokenization,” is available for download from www.epx.com.

How Credit Card Number Tokenization can Reduce PCI Compliance Stress … and Data Protection Costs

Monday, March 15th, 2010

View the eye-opening presentation from EPX Chief Security Officer Matt Ornce that discusses the key criteria to be considered when evaluating cardholder data replacement solutions as an alternative to full encryption.

Part 1

Part 2

Part 3

EPX is a pioneer in the payments industry

Wednesday, January 20th, 2010

Founded in 1979, Electronic Payment Exchange (EPX) is a pioneer in the payments industry. EPX commercialized many of the innovations that became industry standards.

EPX was the first payment processing organization to:

  • process credit card transactions using the Internet
  • develop a surety product that transferred merchant processing risk to the reinsurance market
  • implement CID, the fraud detection innovation
  • deploy an online merchant reporting system
  • provide online chargeback adjudication
  • provide a unique identifier back with each transaction as a reference for subsequent transactions
  • provide a hosted POS solution accepting swipe and PIN debit
  • deliver end-to-end card swipe encryption for its POS solutions

EPX is truly unique in the payments industry – it provides a straight-through, fully integrated payment processing platform, whereas its competitors offer a patchwork of limited-service providers that merchants must manage and integrate separately. EPX provides traditional, as well as Internet-related products and services, to businesses, public utilities, merchants, retailers, e-tailers, merchant acquiring banks, Independent Sales Organizations (ISOs), and third-party processors in the United States, Canada, Europe, the Middle East, Latin America and the Caribbean.

Realizing the increased focus on PCI compliance, EPX is revolutionizing the payments industry through the development of fully integrated payment solutions that enable merchants to efficiently, securely, and cost-effectively process credit card, debit card, stored value, and ACH payments. By incorporating our patent-pending BuyerWall™ technology into our solutions, we lead the way in helping merchants achieve PCI compliance.

EPX solutions include:

  • EPX Secure Payment Processing – Decreases risk exposure, enhances data security, lowers costs, provides custom reporting, strengthens process reliability, and reduces potential points of failure.
  • EPX WebSuite – Web-based reporting, data analysis, exception transactions, chargebacks.
  • EPX Virtual Terminal – Provides the basic functionality of a point-of-sale terminal and offers modes for processing point-of-sale, mail order / telephone order, and ecommerce transactions.
  • EPX vPost – EPX vPost is a standalone product that emulates all the functionality of a high-volume point-of-sale terminal through a web browser, and is flexible enough to be used for point-of-sale swipe, PIN debit, mail order / telephone order, and ecommerce transactions.
  • EPX PayPage – Enables ecommerce merchants to outsource online payment acceptance and PCI compliance requirements by replacing their web sites’ payment pages with customized pages from EPX.

More Merchants Taking Advantage of “Pin-Less” Debit Transactions to Lower Transaction Costs

Wednesday, December 30th, 2009

Increasing numbers of merchants now are allowed to process bank-issued debit cards online or over the phone without PIN validation. Those merchants qualified to accept PIN-less debit payment can take advantage of all-in costs, which can be far below the expense of a credit card or a debit card transaction processed through the credit card networks.

Electronic Payment Exchange (EPX) is one of a very few payment processors technically set up and certified to submit “PIN-less” debit transactions directly to the three electronic funds transfer (EFT) networks that currently waive PIN validation for certain card-not-present transactions: STAR, Pulse and NYCE.

In a PIN-less debit transaction, a customer supplies his/her bank ATM card information to make a web or phone payment to an eligible merchant. The debit card is linked to the customer’s bank account, but normally includes a Visa or MasterCard logo. Before the transaction, the cardholder is given the choice of using the card as a “signature debit” transaction, or a PIN-less debit payment. If it is a signature debit transaction, the transaction is processed through the Visa and MasterCard networks without PIN entry, just like an online credit card transaction except that the funds are deducted directly from the cardholder’s depository account, not billed to the customer by the bank. If the customer chooses to make a PIN-less debit transaction, the transaction is routed by EPX directly to the EFT network with which the card issuing bank has a processing agreement. As with any ATM or debit transaction, PIN-less card transactions result in funds deducted in near real-time from the cardholder’s posted bank account balance.

Since there is greater inherent risk of loss from a transaction without PIN validation, the EFT networks limit the privilege of PIN-less debit transaction processing to a range of merchants within authorized industry sub-sectors. The transactions from permitted sectors are assumed to be safer because these businesses commonly take payments from known customers for routine billings.

The list of permitted industry sectors varies by EFT network. At a minimum, the list includes:

  • Utilities (electric power, natural gas, telephone, cable, cellular, satellite, etc.)
  • Government agency payments (taxes, fees, fines and penalties, etc.)
  • Education providers (tuition payments)
  • Insurance providers (property, casualty, health and life)
  • Closed-end loan payments (mortgage and motor vehicle)
  • Rent/lease payments

STAR and NYCE allow a somewhat broader range of merchant types to submit PIN-less debit transactions than does the Pulse network. The list of allowed merchant types is expanding steadily as the EFT networks gain experience from PIN-less transactions.

Each EFT network has a distinct schedule of fees and policies for PIN-less debit transactions. The fee calculations are a bit complicated because they can vary by the specific SIC code, whether the merchant is in an “emerging” market, and because of the differences in pricing strategies among the networks. The greatest comparative advantage over credit card rates comes when a customer chooses to make payment with a STAR- or NYCE-affiliated debit card and the billing amount is higher than $100.00 (as often is the case for utilities, insurance companies, property managers and other favored business segments).

For comparison, consider a $200.00 online or phone credit card or “signature debit” transaction versus a PIN-less debit payment. Processed as a credit card, the merchant’s rate for a non-face-to-face transaction might typically be 2.10% or more of the face amount, plus $0.20 per transaction. The total cost to the merchant would therefore be $4.40. If the PIN-less debit transaction were accepted by the STAR network, the highest fees would be 14.5 cents for the transaction plus 0.65% on the dollar amount – but the total is capped at $1.00 in percentage fees. Therefore, the total cost of that PIN-less debit transaction would be $1.45 – a savings of about two-thirds over a credit card or signature debit transaction in this scenario.

The savings realized from PIN-less debit are quite case-specific to the network, merchant type and transaction size. For instance, if the transaction were run on the NYCE network, the cost would be fairly comparable to STAR for that size of transaction. However, if the card happened to be Pulse-affiliated, the overall fees would compare more closely to the cost of credit card or signature debit processing. In 2009, Pulse (owned by Discover) removed its ceiling on the percentage rate charged for PIN-less debit transactions, and the percentage fee is about a third greater than STAR or NYCE.

The network to which each transaction is routed is determined by the bank that issued the debit card. Each debit card issuer has a processing agreement in place with one or another EFT network. Most issuing banks are affiliated with one of the big three independent networks (STAR, Pulse or NYCE). If the card tendered is not one of their own, these EFT networks route transactions to the correct network.

PIN-less debit transactions differ from credit card, signature debit, or ACH transactions in several other ways, including:

  • EFT rules require that the customer with a branded debit card be given the choice of processing their debit card as a PIN-less transaction or a “signature debit.”
  • PIN-less transactions post against the customer’s depository account in near-real-time through the EFT networks, whereas an ACH payment may take 2 or more days to post.
  • Authorization codes are not always received for PIN-less transactions, but such codes – unlike with credit card transactions – are not required for funding of the PIN-less debit transactions.
  • Account solvency is immediately determinable. However, merchants assume the risk of non-sufficient funds (“NSF”), stop payment, or fraudulent transactions — just as would be the case if they processed a check or ACH transaction.
  • It is unnecessary to request a capture of the transaction since the transaction is authorized by, and the funds moved by, the EFT networks
  • For a credit card transaction, you can typically process an authorization reversal. This is not the case with a PIN-less debit transaction
  • There is no credit feature for PIN-less debit. Refunds are possible only by issuing the customer cash, check, store credit or other forms of reimbursement
  • PIN-less cards do not accrue rewards benefits as often

Some PIN-less debit can provide significant cost savings and other advantages for authorized merchants, if those merchants have the sophistication and discipline to proactively encourage consumers to pay with EFT debit cards that offer the greatest marginal transaction savings.

Merchants can learn more about PIN-less debit transactions from EPX by contacting sales@epx.com or an EPX account manager.

– Charles Crawford, EPX EVP for Strategic Development