Posts Tagged ‘debit card processing’

EPX Welcomes Third-Party Validations of Tokenization and Payment Processing Outsourcing

Tuesday, July 20th, 2010

Editor’s Note: It’s always encouraging to see EPX competitors follow in our footsteps. Just as competitors are following our lead by touting the benefits of tokenization technology, several competitors are even beginning to issue press releases that mirror ours. I guess imitation is the sincerest form of flattery.

Electronic Payment Exchange (EPX), a full-service payment processing organization, announced today that their organization welcomes the recent third-party validations of cardholder data tokenization and payment processing outsourcing. Newly announced global industry best practices for tokenization from Visa Inc. validate EPX’s long-standing deployment of tokenization technology for securing cardholder data. Additionally, a June 2010 security brief from RSA supports EPX’s approach to tokenized payment processing outsourcing by referencing an EPX client case study that shows how tokenization and payment processing outsourcing reduce merchant costs and other burdens associated with securing cardholder data.

The recent release of Visa’s tokenization best practices provides valuable guidance to merchant organizations seeking to utilize tokenization solutions for securing cardholder data. As the first organization in the payments industry to engineer and deploy tokenization technology, EPX welcomes Visa’s focus on and validation of tokenization solutions.

In version 1.0 of the Visa Best Practices for Tokenization document, Visa establishes best practices related to four critical components of tokenization: token generation, token mapping, card data vault, and cryptographic key management. Visa provides further recommendations regarding tokenization system configuration, implementation, and management, and offers guidance on the management of historical data.

EPX, which has offered merchants tokenization technology since 2001, abides by one hundred percent of the best practices established by Visa and views the best practices as reinforcement of EPX’s approach to tokenization. According to EPX Chief Security Officer Matt Ornce, “Visa is now confirming what we have been saying and practicing for years. Merchants that properly implement a sound tokenization solution are able to limit cardholder data storage in their environments. In turn, this simplifies merchant PCI DSS assessments by reducing the scope of their compliance requirements, associated costs, and implementation. This makes merchants of any size more secure and brings them into compliance easier, faster, and with less expense.”

Further validating EPX’s approach to payment data security, a June 2010 security brief released by RSA provides insight into how tokenization can be combined with payment processing outsourcing to relieve merchants of the burden and potential costs associated with securing cardholder payment data. Using an EPX client who annually processes tens of thousands of ecommerce transactions as an example, RSA pointed out that the merchant organization substantially reduced its PCI compliance burden. The security brief also establishes that, over the next several years, many payment processing organizations will introduce outsourced payment services to manage cardholder data risks on behalf of merchants. The brief provides additional insight by stating that the most effective outsourced payment services will use a combination of tokenization and encryption.

EPX has provided payment card security outsourcing for ten years and was the first payment processor to actually market, sell, and implement a solution that uses both tokenization and encryption for securing card data from the card swipe through the entire transaction lifecycle. By processing through EPX, individual merchants have reduced their initial PCI compliance burden by millions of dollars and continue to realize significant annual savings.

EPX welcomes the third-party validation of payment processing outsourcing and the use of tokenization plus encryption technologies. “It is great to see that leaders in the payments and security industries are recognizing EPX’s accomplishments,” EPX Chief Executive Officer Ray Moyer said.

Tags: , , , , , , , , , , , , , , ,
Posted in EPX Commentary, EPX News, Payments Industry News | No Comments »

The Tokenization Bandwagon Is Music to Our Ears

Wednesday, June 23rd, 2010

In May, EPX issued a press release entitled “Electronic Payment Exchange Enters its Tenth Year of Issuing Tokens for Securing Credit Card and ACH Transaction.” The fact that EPX pioneered such a novel and important technology for protecting merchants and cardholders from the risk of data compromise was not unusual.  Our company was founded in 1979 as the first independent processor of electronic checks for merchants. Since then, we’ve been consistently bringing important innovations to market.   But giving merchants and consumers the protections of  credit card data “tokenization” in early 2001 was all-the-more impressive when seen in the context of the Times.

Back then, cardholder data security was not exactly the front-of the-forehead issue that it is today.  There had not been a notable card data breach in the 35 years since revolving credit cards had been used. The first relatively large and publicized incident came just after the Y2K ball dropped in Times Square in January 2000. Online retailer CD Universe exposed 300,000 customer card records.  (Of course nowadays a breach exposing a mere 300,000 records would be considered a lucky break.) Since that first major incident, ever more damaging breaches have occurred like clockwork. Two were of Guinness proportions: retailer TJX in 2007 and processor Heartland Payments in 2009, both of which reportedly exposed more than 90 million card numbers.

When EPX started tokenizing data, Visa had just begun to formulate the first generation of data security standards.  At first, Visa’s compliance targeted only e-commerce payment gateway operators, not merchants. MasterCard did not initially see the need for standards, so offered data security consulting services. The launching of the Payment Card Industry Security Standards Council was still five years away.

So, understandably, EPX’s breakthrough came with no public fan-fare and unknowable future significance. Our engineers simply were looking for a way to make transaction lifecycles and follow-on transactions more efficient, and our merchant customers more secure.  Being engineers, they didn’t call what they created ‘tokens.”  They called the codes card data “GUIDs” and “Replacement Values.” (Surprising, isn’t it, such a sexy name didn’t catch on?)  The generic catch-word for such codes, “tokens” did not come into vogue until 2005 when Las Vegas payment gateway operator and software licensor, Shift4, Inc. coined the term.  (Shift4’s process of code generation within the merchant’s environment, and their data flow is significantly different from EPX’s off-premises approach, but more or less aims at the same purpose.)

As EPX gained practical experience, naturally we kept evolving and perfecting our technology to make it more effective, practical and efficient.  As breaches kept hitting the headlines, we kept hearing loud and clear from merchants, particularly CTOs, that they would be delighted if they never had possession of the vulnerable cardholder data in the first place. And, they truly loathed having to spend so much time and IT budgets system major (non-ROI) system remediations to comply with new PCI Data Security standards.  With this guidance from the market, along came another set of EPX breakthroughs in 2005.  We invented a number of methods for at-risk card data to be securely captured and stored only by EPX and never routed to the merchant. Ever. We filed for a patent for the sophisticated processes that are now at the heart of EPX’s BuyerWall™ security suite.

As the number and scale of data breaches increased over the years and PCI compliance became mandatory and urgent, the IT Establishment naturally first turned to the familiar techniques they had been taught in schools and had been using for decades: encryption, firewalls and other data “hardening” techniques. Several front-end only gateway operators had been offering forms of tokenization.  There also were several companies providing software-as-service (SaaS) outsourced tokenization and still others selling do-it-yourself in situ tokenization hardware and software to merchants.  Yet, tokenization remained mostly marginalized as an emerging technology …and too-good-to-be-true… by Conventional Wisdom.

Then, a funny thing happened along the way to achieving cardholder security Nirvana:  Heartland.  Heartland Payments and others quickly became iconic in proving that Encryption Does Not Necessarily Equal Security.  Since Heartland, hard-pressed CTOs and cash-strapped CFOs have been gradually opening their minds and wallets to alternative security approaches like tokenization.

Yet, oddly, EPX stood alone for all these years as the ONLY full authorization / capture /clearing / settlement processor providing tokenization.   The giant end-to-end processors like Global Payments, TSYS, Elevon, Fifth Third, and First Data Corporation stayed on the sidelines, leaving it to their merchants to solve the card data security problem on their own. Finally, in 2009 Fifth Third Bank (which has its own in-house front and back-end processing) and then First Data (the world’s largest processor) respectively launched their versions tokenization. JPMorgan Chase’s Paymentech merchant acquiring company is not a self-contained end-to-end processor, but in the past few months has been sporadically promoting its Orbital gateway as having tokenization capabilities…although they appear to be using bolted-on functionality provided by a third-party vendor.

Tokenization is not only a solution for credit cards, but also for other forms of payment.  A few weeks ago, ProPay, a well-respected Salt Lake City-based payment ecommerce gateway company, made a nationwide announcement that it can now can encrypt and then tokenize electronic check routing and account holder data that is used in ACH transactions.  Likewise, on May 19th, Sarasota, NY-based ACH Payments, Inc. said it now will tokenize checking account numbers used in its ACH processing.  ProPay’s COO was quoted as saying: “ProPay is leading the industry and applying the same technology for protecting payment card information to the protection of ACH data…”  We at EPX appreciate the executive’s exuberance; however, the “leading the industry” part was a bit over-stated considering that EPX started tokenizing ACH transaction data as well – more than nine years ago.

EPX always knew that what we innovated in 2001 would not suffice as the complete answer to data protection. Tokenization, for sure, is elegant and powerful…and is especially cost-effective for complex enterprises with lots of locations and transactions. It mitigates the vast majority of cardholder data risk – substituting codes for card numbers stored or “in motion.”  In the case e-commerce transactions, the vulnerable data can be directly captured, encrypted and tokenized from the moment a customer or clerk keys in the data.

However, things are a little more complicated for retail POS “swipe” transactions. The card data can be potentially vulnerable for what I call the “first inch” – i.e., the momentary transit between the magnetic stripe to the point the data reaches the POS terminal or the payment module within a POS retail management systems’ software.  Although only briefly exposed, the can be skimmed or otherwise criminally compromised.  Also, such exposed card data at the front end-point of a transaction remains ‘in scope’ and subject to more cumbersome PCI Data Security Standards reporting.

We at EPX knew this was a problem to be eventually solved.  We watched with particular interest last October as First Data Corporation and RSA (the security division of EMC Corp.) announced their solution: instant encryption as the data is captured by a POS terminal, then tokenization of the data once it is captured by First Data’s processing platform. They call their product (still being field tested) “TransArmor.”

We applaud First Data’s adoption of encryption+tokenization and expect the technology to be a game-changer in the industry due to the huge number of merchants FDC supports.  And we welcomed the recent announcement by TransFirst’s Payment Processing International subsidiary (an ISO with a gateway) of offering encryption+tokenization capability.   However, true-to-form, all this big news is déjà vu for EPX.   In July 2009, EPX already had become the first processor in the world to introduce just such a solution –encryption of data all the way from the mag stripe to EPX’s firewall, then tokenization of the data once it entered our processing environment.  EPX’s encryption + tokenization is functionally consistent with what First Data/RSA and PPI later announced.  EPX uses an encrypting swipe device to capture the vulnerable data.  We hold the only decryption key to the swiped data in our secure processing environment (i.e., neither the merchant nor any other party ever has access to the decryption key).  We and our merchants use EPX BRICs (tokens) exclusively as transaction reference codes for all operational reference purchases thereafter.

These days there are an increasing number of companies offering what might be broadly called “tokenization.”  The differences between approaches can be hard to discern.  The most important differentiator, however, is in the fundamental integrity of the token creation protocols.   From the beginning, EPX engineers had the foresight to not take the obvious short-cut of simply creating the token algorithms from credit card numbers and banking account numbers.  EPX codes, instead, are based upon the unique and very specific characteristics of each specific transaction and its place in time, among other characteristics.  In retrospect, as criminal rings have become so much more skilled at reverse-engineering financial account numbers, we now know how much more secure is the EPX approach than others.  If the card number, or checking account number is not in the merchants systems – or the source of the tokens – the data cannot be stolen and deciphered.  In other words, it has no “street value.”

In the 31 years EPX has been in payments business we have made many breakthroughs by simply pursuing what is most effective, what is most efficient and what serves our merchants best.  We never have waited for others to lead the way, nor will we in the future.

Posted by Charles S. Crawford
Executive Vice President
Strategic DevelopmentElectronic Payment Exchange

Tags: , , , , , , , , , , , , , ,
Posted in EPX Commentary | 2 Comments »

The Surprise Demise of PIN Debit: Debit Networks Have Been Quickly Diminishing The Cost Advantage of PIN vs. Signature Debit

Friday, May 14th, 2010

Most customers could care less whether they enter their 4-digit PIN or sign a sales draft when using their Visa or MasterCard logoed debit card (“check card”) to make a purchase.  The price they pay for goods or services is the same either way.

But the customer’s mode of choice has had a material impact on the cost of the transactions to merchants – at least until recently.  For those merchants that have “interchange-plus” agreements with their banks, allowing for pass-through debit network costs, PIN-debit transactions historically have cost far less than if the same transaction was processed as Signature-debit – i.e. with no PIN validation.  As recently as two years ago, the cost of PIN-debit was as little as half that of a Signature-debit transaction, depending upon the sale amount, merchant type and other factors.

The PIN advantage always was particularly pronounced for merchants selling higher-than-average priced goods and services, i.e. items priced above $40-$50 or so. That was because the debit networks charged more in transaction fees than, say, credit card transactions (about double), but at least they always “capped” the percentage assessed on the sale amount for most transactions. There was a maximum fee for the most common types of transactions no matter what the ticket size.  So, an average retail PIN-debit transaction often would cost no more than 60 or 70 cents all-in.

This was not so for a Signature-debit transaction, however.  Signature-debit was priced like credit card transactions, with fees more or less proportion to the price of the merchandise or services.

The gradual tectonic shift in debit card pricing strategy over the years turned into a tremor felt throughout the payments industry in 2009 when Discover’s PULSE network (the third largest) removed its fee cap on most types of PIN-debit transactions. The Pulse percentage fee now floats with the ticket size for standard transaction types. Since then, the other major EFT networks – Star (First Data Corp.), NYCE (Metavante), Accel/Exchange (FiServ) and CU-24 – have followed suit and have eliminated or moved-up the caps on the most common PIN-debit transactions.

The final and most influential change just occurred in April 2010.  As part of Visa’s semi-annual interchange modifications, Visa raised the Interlink interchange rate for PIN-debit pricing from 75 basis points and $.17 per transaction to 95 basis points and $0.20 for standard transactions.  Visa PIN and Signature pricing are now the same. Considering that Visa’s Interlink debit network has a 40%+ share of the debit card market and that it processes an estimated 73% share  of all Signature-debit transactions, the practical impact of Visa’s change to merchants is likely to be profound.

Rate strategies vary and the devil is in the comparative pricing details between networks and transaction or industry categories. So, there still can be found certain price advantages for PIN-debit for some industries and in some ticket-size scenarios.  However, there no longer is a noticeable safe haven price gap between PIN and Signature to be exploited. That is particularly counter-intuitive considering processing rates traditionally have had some relationship to transaction financial risk; PIN-validated transactions have been viewed as inherently less prone to repudiation, thus less risky to the account holders and banks involved than transactions with signature verification.

Many merchants are resigning themselves to the new reality in which Signature-debit reigns supreme. With little price advantage remaining between PIN and Signature, major industries like pay-at-the-pump fuel operations are seriously are debating whether to make the estimated $20,000 per location investment required to convert current PIN acceptance devices to a new generation of more secure PIN data devices as mandated by the PCI Security Standards Council Data Security Standards .  It even remains to be seen whether Cosco, Home Depot, Wal-Mart and other mega-merchants that, due to the price differential of Signature-debit, have not even offered Signature-debit as an option to POS debit customers, will soon do away with PIN-pads.

Major check card issuing banks have been actively promoting Signature-debit in promotional mailings to their cardholders. They have offered incentives on purchases that only apply when a Signature-debit transaction is made. JPMorganChase, according to news reports, has made the inaccurate inference to its cardholders that Signature-validated transactions are somehow more secure than PIN transactions.  Presumably they are promoting Signature over PIN debit because they make back more money, as card issuers, from the resulting Interchange fees being paid when a Signature-debit transaction is processed via the credit card networks, rather than when a PIN-debit transaction is processed by one of the Electronic Funds Networks (“EFT”) networks.  Now, that difference has been largely negated so there is little need to promote Signature-debit per se.

What is causing the major strategy shift by the EFT networks and Visa?   It is all part of the overarching competition between networks to woo financial institutions to issue cards processed by their networks. The networks make money on the transaction processing (“switch”) fees assessed to every transaction that occurs (from about 3¢ to as much as 8¢ for PIN-debit, depending on the network). The majority of the fees charged to the merchant – per transaction and per sales dollar – are paid to the card issuing bank. So what we have been seeing is essentially a bidding war among the networks to get their brand “bugs” printed on the back of the most cards issued.

Having said that, it is not at all obvious yet just how much of a shift in real fee income will come from all this market re-positioning and effective price parity between PIN and Signature-debit.  Debit cards have become more and more popular in recent years, especially during the recession.  Debit now surpasses credit as the preferred means of POS payment.  But debit cards, in whatever format, still are essentially plastic checks, with more or less the same consumer behavior patterns as cash.  As such, debit transactions might be more common than credit card transactions, but the dollar volume of debit is far from matching total credit card purchase volumes. Understandably, debit purchases are limited to bank account balances.  Higher value goods and services continue to be purchased on credit – although less credit is being extended during the recession.  According to a 2009 PULSE study, the average pin debit transaction in 2008 was about $42 for PIN-debit compared to $37 for Signature-debit. PULSE estimated more a quarter of all debit transactions in 2008 were for purchases of less than $10.  This compares to average retail credit card purchase amounts that are usually approximated to be about $70-$80.

Processing cost is the paramount issue to most merchants, yet there still are several soft reasons for reasons for a continue acceptance of PIN-debit transactions:

  • Customers often are more comfortable with the security of PIN validation.  After all, the card is accessing their bank account. Presumably, only the card owner knows and uses the PIN.
  • There are many consumers without credit cards, or who have reached their limits.  PIN and Signature-debit let the customer make a cash-less purchase with the funds they have in their bank account but happen not to have in their wallet.
  • For the merchant, funds process through the EFT networks almost immediately.  By contrast, a Signature-debit transaction, run through the credit card networks, might take 2-3 days to be debited from the consumer’s account.  This can mean less chance of insufficient funds and sometimes faster credit of sale proceeds to merchants.
  • PIN transactions typically can be completed faster in the check-out line and require less documentation and storage by the merchant.  A PIN-debit transaction has considerably less chance of being repudiated successfully.
  • A PIN-debit transaction allows for cash-back to the cardholder at the POS; this is not possible with a Signature-debit transaction.

Even so, much the appeal of a PIN transaction is proves to be somewhat illusory:
?    While true that PIN-authentication is relatively fool-proof security for a specific transaction, the card remains vulnerable as long there is a Visa or MasterCard logo on the card and the card can be alternatively tendered for a Signature-debit transaction.  Signatures or IDs, obviously, are not always verified by store clerks.

  • Both PIN-debit and Signature-debit cards benefit from consumer protection laws and practices, although the protections come from different laws.  If reported lost or stolen in a timely manner, the cards have a maximum of $50 liability to the account holder.
  • PIN-debit transactions usually do not accrue rewards credits from the issuing banks, whereas Signature-debit cards do.  This feature, alone, is accelerating the shift from PIN to Signature.

There is little merchants can do to shape the system to their benefit.  Merchants are under contractual obligations by their acquiring bank sponsors to accept all cards with a Visa or MasterCard logo. They are prohibited from attempting to “steer” a customer card transaction from one mode of acceptance to another. Card company rules further require merchants with PIN-processing capability to proactively provide customers the choice of making a PIN-debit or Signature-debit transaction.  At best, merchants can only make the threshold decision to either enable acceptance of PIN-debit by making a PIN-pad available at the POS or to accept only Signature-debit transactions at the POS.

Written By: Charles S. Crawford, Executive Vice President for Strategic Development
Electronic Payment Exchange

Tags: , , , , , , , , , , , , ,
Posted in Uncategorized | No Comments »

Evolving Pragmatic Approaches to Payments Security – Part 2 of 2

Wednesday, April 28th, 2010

In this multi-part article, EPX Chief Security Office Matt Ornce comments on the payments security happenings of 2009 and looks forward to 2010.

Evolving Pragmatic Approaches to Payments Security – Part 2 of 2

What’s In Store for 2010 and Beyond

The key payment security events discussed above offer some direction for trends that are likely to continue into 2010 and indicate new areas that will gain prominence.

The well-publicized and continuous stream of data breaches that came to light in 2009 has forced merchants, solution providers, standards organizations, and the card brands themselves to begin taking a more pragmatic approach to payment security. Beyond the actual costs associated with fines, lawsuits, card replacements, and security upgrades, merchants are learning that damaged reputations, negative publicity, and loss of business also have deep and sometimes unsurvivable bottom-line impacts.

A growing recognition of these potential data breach costs has led merchants to challenge the status quo of slowly developing regulations and conventional technologies that together have not been enough to stem the data breach tide. As a result, increasing numbers of merchants are seeking new solutions that materially protect their data.

Increased Focus on Smaller Merchant Compliance

While the number of credit card numbers breached per month has generally been trending down in 2009, there’s no reason to suggest that the total number of breaches will subside any time soon. As larger entities have shored up their defenses, increasingly smaller entities are being directly targeted.

PCI compliance is required for all entities that store, process or transmit cardholder data, and regulatory and risk awareness continues to grow and roll downhill to smaller merchants, who, according to Visa statistics, make up 99% of the merchant base and account for roughly one-third of all transactions. Current PCI compliance deadlines, fines, and threats of loss of processing privileges focus on Level 1 and 2 merchants, but it’s natural to assume that the smaller Level 3 and 4 merchants are next. Several acquirers have already begun to fine their noncompliant Level 3 and 4 merchants in an effort to push them into compliance.

Increased Legislative Threats

Is 2010 the year for state level breach notification laws to be aggregated into federal law? Probably not, but it’s coming, and might actually be a welcome piece of legislation for those organizations who unfortunately need to struggle with the 46 different state laws. Such legislation could also help streamline the current time-sensitive notification process.

Beyond the financial fraud perpetrated for personal gain, the use of breached cardholder data as a funding source for terrorist activities has been clearly established by the Criminal Division of the Department of Justice, the FBI, the U.S. Secret Service and others, providing a clear impetus for federal regulation of cardholder data security.

Continued Challenges to PCI DSS

The PCI DSS will continue to see its share of challenges. As threats continue to evolve and new technologies surpass the standard’s effectiveness, the PCI DSS’s ability to keep pace will be questioned. Certainly, it’s a delicate balance between deploying new standards faster than the market can bear, and reacting slower than the threats evolve.

New technologies and new threats will always be ahead of the pace of regulation. The PCI Council’s investigation into technologies that help merchants achieve compliance and protect the payment system is certainly encouraging, but the codified results of the PWC study may not be seen for another 12 to 24 months. Meanwhile, the market will inevitably continue to evolve, maturing existing technologies and developing new. The council needs to find the means to distribute guidance faster, even if it’s through the use of best practice bulletins, like Visa’s, that can be issued quickly and eventually adopted into the DSS as requirements.

Until standards for the new technologies are sanctioned, there will be a greater reliance on merchants and QSAs to understand the differences in implementations and their implications on cardholder data security.

Mainstream Acceptance of New Technologies Currently Outside of PCI

With increased security risks and pressure to comply with PCI, merchants will flock to solutions that remove cardholder data from their environments in even greater numbers in 2010. Even though many of the technologies have existed for years, they were considered fringe players until only recently. Compounding the issue, especially with tokenization, has been a flood of new vendors to the space, which has created an impression that the entire field is populated with products that are only months old.

While planned product announcements by larger industry players like First Data, RSA, Hypercom and others may help legitimize these technologies, announcements won’t help merchants against current threats or regulation. Merchants will continue to seek the vendors already in the space and will now be able to gauge them by the guidance provided in the PWC Technology Review and Visa DFE-BP. The Visa DFE-BP especially helps merchants make more informed decisions about tokenization and E2E. Early adopters have already seen the benefits of each of the aforementioned technologies in reducing PCI DSS scope and improving cardholder data security.

Combining Technologies

The preliminary PWC findings suggest that E2E and tokenization can each reduce PCI scope when they are implemented independently of each other, and Visa’s best practices illustrate that they can be combined to even greater effect. As individual technologies become more mainstream, merchants will recognize even greater cardholder data protection from the hybrid solutions.

End-to-end encryption and tokenization are complementary technologies that provide protection for a different part of the transaction, as hinted at in the Visa DFE-BP. E2E, of course, protects the request portion of the POS transaction by encrypting track data from the swipe to the processor. Tokens provided in the response portion of the transaction provide protection “for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.” Used together, merchants dramatically reduce their risk without necessarily impacting their customers’ checkout experiences.

In ecommerce, outsourcing the page that takes cardholder data, in combination with using tokens, is another way technologies can be combined for even greater security. Merchants will reduce risk and PCI scope by eliminating card numbers in their processing systems with cardholder data being taken directly from the consumer and given directly to the PCI-compliant outsourced provider. Depending on the solution, they may still be able to maintain full control over their customer’s checkout experience without taking cardholder data.

Clarification of Technologies

The Visa DFE-BP provides an excellent starting point for best practices regarding E2E and tokenization implementations, but the PCI Council does not currently plan on providing definitive guidance on the topic until late 2010. To assist the PCI Council in establishing guidelines, I have submitted the following points as minimum goals for E2E and tokenization deployments:

  • New methodologies must be vetted for security and practicality, which can take years to certify. However, the reapplication of existing standards, such as TDES and DUKPT, is a legitimate strategy to reduce or eliminate this delay.
  • Encryption must start at the swipe reader. Anything beyond that point opens an area of vulnerability for the merchant.
  • The endpoint, from the merchant’s perspective, must be at least the next upstream provider. The farther upstream the data can stay encrypted, the better it is for the security of the entire payment industry. At the very least, the data should be kept out of plaintext at the merchant’s location.
  • Merchants cannot have access to E2E encryption keys. Granting them access to the keys would defeat the purpose and value of encryption within the merchant environment and would throw PCI key management requirements back to the merchant.
  • Tokens should have no relationship to the card numbers they protect so that they cannot be reverse engineered. (Format-preserving encryption is in this category, and should therefore be avoided.)
  • Merchants should allow providers to generate tokens. If tokens are generated in-house, then corresponding card data must also be kept in-house, which defeats much of the merchant benefit of tokenization. In such a scenario, merchants are still responsible for data protection and liable for data loss. They would see no regulatory relief or PCI scope reduction.

Conclusion

While the influential payment security events of 2009 have caused some instability and uncertainty in the payments industry, we need to view the events and the lessons learned from them as opportunities for solution providers to further define and shape the industry in 2010.

Discussions of best practices and PCI DSS revisions are constructive, but it’s not enough to merely talk about change. The marketplace needs solutions today. It is incumbent upon us to offer our support and guidance to the PCI Council and card organizations with hopes that we can bring about positive change in the near term.

Likewise, in 2010 we will see the true innovators in payment security continue to deliver powerful and proven solutions to the marketplace, while the announcements of planned products get lost in the shuffle. As merchants continue to gain knowledge about data breach risks and PCI compliance, they will become savvy in recognizing technologies that are nothing more than promises or vaporware, and they will move toward accepting solutions from providers with proven track records.

MATT ORNCE is the CSO of Electronic Payment Exchange, and has more than 20 years experience in IT, payments and security.

Tags: , , , , , , , , , , , , ,
Posted in Uncategorized | No Comments »

EPX Protects Payment Data During the Transaction Lifecycle, But Consumers Must Safeguard their Credit Cards and Debit Cards at All Times

Tuesday, January 12th, 2010

Electronic Payment Exchange’s industry leading tokenization and encryption technologies protect payment data throughout the transaction lifecycle. Independent of EPX however, identity theft occurs constantly as a result of insecure consumer practices before any card data enters the transaction lifecyle. Therefore, it is important for credit and debit card users to practice high levels of safety when performing transactions.

Below is a list of important safety tips for credit and debit card users to follow:

  • If you have applied for a new/replacement card, and have not received it within 14 business days, immediately contact your financial institution.
  • Activate your new/replacement card once you receive it in the mail. Be sure to remove the sticker from the card once activated.
  • Sign the back of the credit/debit card as soon as you receive it.
  • Memorize your Personal Identification Number (PIN). Never write the PIN on the back of the debit card, or on a piece of paper and keep it in your wallet.
  • Never share your PIN with anyone. No one from a financial institution, police, or any merchants should ask for your PIN.
  • Never lend your credit/debit card to anyone. No one else should have access to it.
  • Protect your credit/debit card as if it were cash! Never let your card out of your sight.
  • Do not leave your credit/debit card in your vehicle.
  • Report lost or stolen credit/debit cards immediately! During business hours, contact your local bank branch. Once you have received your new card, notify all merchants with whom you have set up automatic billing payments of the new card number.
  • Be aware of others nearby when entering your PIN. Shield the screen or keyboard of the POS terminal or ATM machine to prevent those nearby from viewing your PIN entry or transaction amount.
  • Do not volunteer any personal information when using your credit/debit card.
  • Do not give you social security number, credit/debit card number, or any bank account information over the phone unless you have initiated the call, and you know that the business you are dealing with is reputable.
  • Before leaving the cashier, make sure you receive your credit/debit card back after every purchase.
  • Be careful with any receipts; do not leave them behind.
  • Always check your sales receipt for the correct purchase amount prior to signing. Keep copies of your sales and ATM receipts for future reference.
  • Verify the purchase amount on each receipt with the transaction amounts on the bank statements.
  • If you do not receive your monthly statement within a timely manner, contact your financial institution.
  • Contact your local financial institution for any changes made to your address or phone number. Keep your contact information current at all times so that your bank can contact you when necessary.
  • Shred all credit/debit card receipts or confidential information prior to placing it in the trash.
  • If you receive credit card applications in the mail, shred them before placing them in the trash. This prevents anyone from filling out the application in your name and receiving the card. If you choose to fill out an application, make sure the application is from a reputable financial institution.
  • Shred all expired credit/debit cards before placing them in the trash. Some paper shredders are capable of shredding the cards, or use a pair of scissors to cut the cards up into small pieces.
  • Keep track of every credit/debit card owned. Keep a confidential list of issuer telephone numbers in a secure location.
  • Avoid carrying extra credit/debit cards in your wallet or purse. Carry only the cards that you use frequently.
  • Never send payment information via email. Go directly to the web site and log into your account.
  • When making a purchase online, make sure you are using a secured browser. All reputable merchant web sites use an encryption technology that protects your personal data from being compromised by others while conducting online transactions.
  • Never provide your credit/debit card as proof of age. A credit/debit card does not contain information that verifies the card holder’s age. Some merchants my request the card number, show them your driver’s license instead.
  • Avoid using your PIN when using your debit card to make a purchase. It is best to just run the debit card like a credit card.
  • Be aware of emails that request personal data such as: PINs, Social Security Number (SSN), personal passwords, mailing address, or phone numbers. Plus emails that send you to a web site that request such information. Best thing to do is to delete the email.
  • Be aware of solicitors posing as representatives from a credit card or financial institution, calling to tell you that there has been some fraudulent activity on your account and requests your account number, PIN number, social security number or the three digit code located on the back of your card. If a financial institution contacts you due to suspicious activity, they would never ask for personal information to verify your transaction. Best thing to do is hang up and contact your bank institute to verify the status of your account.
  • When using an ATM machine, observe the surrounding area. If the machine is obstructed from view, or poorly lit, locate another ATM machine to perform your transaction. Report the condition to the financial institution responsible for that ATM machine.
  • Prior to using an ATM machine, be sure to inspect the card reader area for evidence of tampering. If there is evidence of tampering, contact the owner of the ATM to report the problem.
  • When using a drive-through ATM machine, make sure that all passenger windows are closed, and the doors are locked. This will prevent anyone form accessing your card while performing a transaction.
  • If using an indoor ATM machine that requires you to use a card to gain access, do not allow any unknown individuals in with you.

If credit and debit card users would perform at least half of these suggested security tips, the number of identity thefts and fraudulent transactions happening each day would be reduced.

For additional information about identity theft, click here.

Tags: , , , , , , , , , , , , , ,
Posted in EPX Commentary | No Comments »

Will Accepting Credit Cards Increase Sales?

Monday, December 7th, 2009

Accepting credit cards as a means of payments can definitely increase sales, but you need to select a credit card processor that will help your organization achieve PCI compliance, point you in the right direction, provide needed assistance, and charge competitive rates.

An article, recently published on ArticlesFactory.com (“Overview of Credit Card Payment Processing System” by Surajk Kumar), suggests that a considerable increase of profits can be gained with the right credit card processor to accept major credit and debit cards for payments. The article discusses streamlining the flow of payments and the ability to except payments anywhere in the world.

When searching for a credit card processor and related tools, consider the following:

  • How long has the payment processor been in business?
  • What types of credit cards do they process?
  • Can their system except and convert multi-currency types?
  • What are the credit card processing fees and debit card processing fees?
  • Does the processor offer solutions that help your organization achieve PCI compliance?
  • Does the payment processor also accept ACH payments?

As the credit/debit card industry continues to grow, more new and powerful credit card program options become available. EPX continues to design new ways for businesses, large or small, to except major credit/debit cards, which will increase profits for your business.

EPX has developed a solution called EPX vPost which emulates the basic functionality of a point-of-sale terminal. EPX vPost is a robust, browser-based terminal, hosted by EPX, that handles keyed and swiped transaction authorizations. EPX vPost is designed to handle transactions from high-volume merchants, which includes:

  • Point of Sale swipe
  • PIN debit
  • Mail order / telephone order
  • Ecommerce

EPX vPost offers real-time credit/debit card authorizations, including AVS and CVV checks. The program enables the merchant to customize the look and feel of their individual implementations. With the ability to manually enter or swipe credit/debit cards for sales transactions, EPX has also designed the program to support check readers and receipt printers allowing merchants to have additional options.

In addition, EPX vPost, as well as all of EPX’s BuyerWall-based solutions, help merchants achieve PCI compliance.

Tags: , , , , , , , , , , ,
Posted in EPX Commentary | No Comments »