EPX

In May, EPX issued a press release entitled “Electronic Payment Exchange Enters its Tenth Year of Issuing Tokens for Securing Credit Card and ACH Transaction.” The fact that EPX pioneered such a novel and important technology for protecting merchants and cardholders from the risk of data compromise was not unusual.  Our company was founded in 1979 as the first independent processor of electronic checks for merchants. Since then, we’ve been consistently bringing important innovations to market.   But giving merchants and consumers the protections of  credit card data “tokenization” in early 2001 was all-the-more impressive when seen in the context of the Times.

Back then, cardholder data security was not exactly the front-of the-forehead issue that it is today.  There had not been a notable card data breach in the 35 years since revolving credit cards had been used. The first relatively large and publicized incident came just after the Y2K ball dropped in Times Square in January 2000. Online retailer CD Universe exposed 300,000 customer card records.  (Of course nowadays a breach exposing a mere 300,000 records would be considered a lucky break.) Since that first major incident, ever more damaging breaches have occurred like clockwork. Two were of Guinness proportions: retailer TJX in 2007 and processor Heartland Payments in 2009, both of which reportedly exposed more than 90 million card numbers.

When EPX started tokenizing data, Visa had just begun to formulate the first generation of data security standards.  At first, Visa’s compliance targeted only e-commerce payment gateway operators, not merchants. MasterCard did not initially see the need for standards, so offered data security consulting services. The launching of the Payment Card Industry Security Standards Council was still five years away.

So, understandably, EPX’s breakthrough came with no public fan-fare and unknowable future significance. Our engineers simply were looking for a way to make transaction lifecycles and follow-on transactions more efficient, and our merchant customers more secure.  Being engineers, they didn’t call what they created ‘tokens.”  They called the codes card data “GUIDs” and “Replacement Values.” (Surprising, isn’t it, such a sexy name didn’t catch on?)  The generic catch-word for such codes, “tokens” did not come into vogue until 2005 when Las Vegas payment gateway operator and software licensor, Shift4, Inc. coined the term.  (Shift4’s process of code generation within the merchant’s environment, and their data flow is significantly different from EPX’s off-premises approach, but more or less aims at the same purpose.)

As EPX gained practical experience, naturally we kept evolving and perfecting our technology to make it more effective, practical and efficient.  As breaches kept hitting the headlines, we kept hearing loud and clear from merchants, particularly CTOs, that they would be delighted if they never had possession of the vulnerable cardholder data in the first place. And, they truly loathed having to spend so much time and IT budgets system major (non-ROI) system remediations to comply with new PCI Data Security standards.  With this guidance from the market, along came another set of EPX breakthroughs in 2005.  We invented a number of methods for at-risk card data to be securely captured and stored only by EPX and never routed to the merchant. Ever. We filed for a patent for the sophisticated processes that are now at the heart of EPX’s BuyerWall™ security suite.

As the number and scale of data breaches increased over the years and PCI compliance became mandatory and urgent, the IT Establishment naturally first turned to the familiar techniques they had been taught in schools and had been using for decades: encryption, firewalls and other data “hardening” techniques. Several front-end only gateway operators had been offering forms of tokenization.  There also were several companies providing software-as-service (SaaS) outsourced tokenization and still others selling do-it-yourself in situ tokenization hardware and software to merchants.  Yet, tokenization remained mostly marginalized as an emerging technology …and too-good-to-be-true… by Conventional Wisdom.

Then, a funny thing happened along the way to achieving cardholder security Nirvana:  Heartland.  Heartland Payments and others quickly became iconic in proving that Encryption Does Not Necessarily Equal Security.  Since Heartland, hard-pressed CTOs and cash-strapped CFOs have been gradually opening their minds and wallets to alternative security approaches like tokenization.

Yet, oddly, EPX stood alone for all these years as the ONLY full authorization / capture /clearing / settlement processor providing tokenization.   The giant end-to-end processors like Global Payments, TSYS, Elevon, Fifth Third, and First Data Corporation stayed on the sidelines, leaving it to their merchants to solve the card data security problem on their own. Finally, in 2009 Fifth Third Bank (which has its own in-house front and back-end processing) and then First Data (the world’s largest processor) respectively launched their versions tokenization. JPMorgan Chase’s Paymentech merchant acquiring company is not a self-contained end-to-end processor, but in the past few months has been sporadically promoting its Orbital gateway as having tokenization capabilities…although they appear to be using bolted-on functionality provided by a third-party vendor.

Tokenization is not only a solution for credit cards, but also for other forms of payment.  A few weeks ago, ProPay, a well-respected Salt Lake City-based payment ecommerce gateway company, made a nationwide announcement that it can now can encrypt and then tokenize electronic check routing and account holder data that is used in ACH transactions.  Likewise, on May 19^th, Sarasota, NY-based ACH Payments, Inc. said it now will tokenize checking account numbers used in its ACH processing.  ProPay’s COO was quoted as saying: “ProPay is leading the industry and applying the same technology for protecting payment card information to the protection of ACH data…”  We at EPX appreciate the executive’s exuberance; however, the “leading the industry” part was a bit over-stated considering that EPX started tokenizing ACH transaction data as well – more than nine years ago.

EPX always knew that what we innovated in 2001 would not suffice as the complete answer to data protection. Tokenization, for sure, is elegant and powerful…and is especially cost-effective for complex enterprises with lots of locations and transactions. It mitigates the vast majority of cardholder data risk – substituting codes for card numbers stored or “in motion.”  In the case e-commerce transactions, the vulnerable data can be directly captured, encrypted and tokenized from the moment a customer or clerk keys in the data.

However, things are a little more complicated for retail POS “swipe” transactions. The card data can be potentially vulnerable for what I call the “first inch” – i.e., the momentary transit between the magnetic stripe to the point the data reaches the POS terminal or the payment module within a POS retail management systems’ software.  Although only briefly exposed, the can be skimmed or otherwise criminally compromised.  Also, such exposed card data at the front end-point of a transaction remains ‘in scope’ and subject to more cumbersome PCI Data Security Standards reporting.

We at EPX knew this was a problem to be eventually solved.  We watched with particular interest last October as First Data Corporation and RSA (the security division of EMC Corp.) announced their solution: instant encryption as the data is captured by a POS terminal, then tokenization of the data once it is captured by First Data’s processing platform. They call their product (still being field tested) “TransArmor.”

We applaud First Data’s adoption of encryption+tokenization and expect the technology to be a game-changer in the industry due to the huge number of merchants FDC supports.  And we welcomed the recent announcement by TransFirst’s Payment Processing International subsidiary (an ISO with a gateway) of offering encryption+tokenization capability.   However, true-to-form, all this big news is déjà vu for EPX.   In July 2009, EPX already had become the first processor in the world to introduce just such a solution –encryption of data all the way from the mag stripe to EPX’s firewall, then tokenization of the data once it entered our processing environment.  EPX’s encryption + tokenization is functionally consistent with what First Data/RSA and PPI later announced.  EPX uses an encrypting swipe device to capture the vulnerable data.  We hold the only decryption key to the swiped data in our secure processing environment (i.e., neither the merchant nor any other party ever has access to the decryption key).  We and our merchants use EPX BRICs (tokens) exclusively as transaction reference codes for all operational reference purchases thereafter.

These days there are an increasing number of companies offering what might be broadly called “tokenization.”  The differences between approaches can be hard to discern.  The most important differentiator, however, is in the fundamental integrity of the token creation protocols.   From the beginning, EPX engineers had the foresight to not take the obvious short-cut of simply creating the token algorithms from credit card numbers and banking account numbers.  EPX codes, instead, are based upon the unique and very specific characteristics of each specific transaction and its place in time, among other characteristics.  In retrospect, as criminal rings have become so much more skilled at reverse-engineering financial account numbers, we now know how much more secure is the EPX approach than others.  If the card number, or checking account number is not in the merchants systems – or the source of the tokens – the data cannot be stolen and deciphered.  In other words, it has no “street value.”

In the 31 years EPX has been in payments business we have made many breakthroughs by simply pursuing what is most effective, what is most efficient and what serves our merchants best.  We never have waited for others to lead the way, nor will we in the future.

Posted by Charles S. Crawford
Executive Vice President
Strategic DevelopmentElectronic Payment Exchange