Posts Tagged ‘encryption’

EPX Welcomes Third-Party Validations of Tokenization and Payment Processing Outsourcing

Tuesday, July 20th, 2010

Editor’s Note: It’s always encouraging to see EPX competitors follow in our footsteps. Just as competitors are following our lead by touting the benefits of tokenization technology, several competitors are even beginning to issue press releases that mirror ours. I guess imitation is the sincerest form of flattery.

Electronic Payment Exchange (EPX), a full-service payment processing organization, announced today that their organization welcomes the recent third-party validations of cardholder data tokenization and payment processing outsourcing. Newly announced global industry best practices for tokenization from Visa Inc. validate EPX’s long-standing deployment of tokenization technology for securing cardholder data. Additionally, a June 2010 security brief from RSA supports EPX’s approach to tokenized payment processing outsourcing by referencing an EPX client case study that shows how tokenization and payment processing outsourcing reduce merchant costs and other burdens associated with securing cardholder data.

The recent release of Visa’s tokenization best practices provides valuable guidance to merchant organizations seeking to utilize tokenization solutions for securing cardholder data. As the first organization in the payments industry to engineer and deploy tokenization technology, EPX welcomes Visa’s focus on and validation of tokenization solutions.

In version 1.0 of the Visa Best Practices for Tokenization document, Visa establishes best practices related to four critical components of tokenization: token generation, token mapping, card data vault, and cryptographic key management. Visa provides further recommendations regarding tokenization system configuration, implementation, and management, and offers guidance on the management of historical data.

EPX, which has offered merchants tokenization technology since 2001, abides by one hundred percent of the best practices established by Visa and views the best practices as reinforcement of EPX’s approach to tokenization. According to EPX Chief Security Officer Matt Ornce, “Visa is now confirming what we have been saying and practicing for years. Merchants that properly implement a sound tokenization solution are able to limit cardholder data storage in their environments. In turn, this simplifies merchant PCI DSS assessments by reducing the scope of their compliance requirements, associated costs, and implementation. This makes merchants of any size more secure and brings them into compliance easier, faster, and with less expense.”

Further validating EPX’s approach to payment data security, a June 2010 security brief released by RSA provides insight into how tokenization can be combined with payment processing outsourcing to relieve merchants of the burden and potential costs associated with securing cardholder payment data. Using an EPX client who annually processes tens of thousands of ecommerce transactions as an example, RSA pointed out that the merchant organization substantially reduced its PCI compliance burden. The security brief also establishes that, over the next several years, many payment processing organizations will introduce outsourced payment services to manage cardholder data risks on behalf of merchants. The brief provides additional insight by stating that the most effective outsourced payment services will use a combination of tokenization and encryption.

EPX has provided payment card security outsourcing for ten years and was the first payment processor to actually market, sell, and implement a solution that uses both tokenization and encryption for securing card data from the card swipe through the entire transaction lifecycle. By processing through EPX, individual merchants have reduced their initial PCI compliance burden by millions of dollars and continue to realize significant annual savings.

EPX welcomes the third-party validation of payment processing outsourcing and the use of tokenization plus encryption technologies. “It is great to see that leaders in the payments and security industries are recognizing EPX’s accomplishments,” EPX Chief Executive Officer Ray Moyer said.

Tags: , , , , , , , , , , , , , , ,
Posted in EPX Commentary, EPX News, Payments Industry News | No Comments »

The Tokenization Bandwagon Is Music to Our Ears

Wednesday, June 23rd, 2010

In May, EPX issued a press release entitled “Electronic Payment Exchange Enters its Tenth Year of Issuing Tokens for Securing Credit Card and ACH Transaction.” The fact that EPX pioneered such a novel and important technology for protecting merchants and cardholders from the risk of data compromise was not unusual.  Our company was founded in 1979 as the first independent processor of electronic checks for merchants. Since then, we’ve been consistently bringing important innovations to market.   But giving merchants and consumers the protections of  credit card data “tokenization” in early 2001 was all-the-more impressive when seen in the context of the Times.

Back then, cardholder data security was not exactly the front-of the-forehead issue that it is today.  There had not been a notable card data breach in the 35 years since revolving credit cards had been used. The first relatively large and publicized incident came just after the Y2K ball dropped in Times Square in January 2000. Online retailer CD Universe exposed 300,000 customer card records.  (Of course nowadays a breach exposing a mere 300,000 records would be considered a lucky break.) Since that first major incident, ever more damaging breaches have occurred like clockwork. Two were of Guinness proportions: retailer TJX in 2007 and processor Heartland Payments in 2009, both of which reportedly exposed more than 90 million card numbers.

When EPX started tokenizing data, Visa had just begun to formulate the first generation of data security standards.  At first, Visa’s compliance targeted only e-commerce payment gateway operators, not merchants. MasterCard did not initially see the need for standards, so offered data security consulting services. The launching of the Payment Card Industry Security Standards Council was still five years away.

So, understandably, EPX’s breakthrough came with no public fan-fare and unknowable future significance. Our engineers simply were looking for a way to make transaction lifecycles and follow-on transactions more efficient, and our merchant customers more secure.  Being engineers, they didn’t call what they created ‘tokens.”  They called the codes card data “GUIDs” and “Replacement Values.” (Surprising, isn’t it, such a sexy name didn’t catch on?)  The generic catch-word for such codes, “tokens” did not come into vogue until 2005 when Las Vegas payment gateway operator and software licensor, Shift4, Inc. coined the term.  (Shift4’s process of code generation within the merchant’s environment, and their data flow is significantly different from EPX’s off-premises approach, but more or less aims at the same purpose.)

As EPX gained practical experience, naturally we kept evolving and perfecting our technology to make it more effective, practical and efficient.  As breaches kept hitting the headlines, we kept hearing loud and clear from merchants, particularly CTOs, that they would be delighted if they never had possession of the vulnerable cardholder data in the first place. And, they truly loathed having to spend so much time and IT budgets system major (non-ROI) system remediations to comply with new PCI Data Security standards.  With this guidance from the market, along came another set of EPX breakthroughs in 2005.  We invented a number of methods for at-risk card data to be securely captured and stored only by EPX and never routed to the merchant. Ever. We filed for a patent for the sophisticated processes that are now at the heart of EPX’s BuyerWall™ security suite.

As the number and scale of data breaches increased over the years and PCI compliance became mandatory and urgent, the IT Establishment naturally first turned to the familiar techniques they had been taught in schools and had been using for decades: encryption, firewalls and other data “hardening” techniques. Several front-end only gateway operators had been offering forms of tokenization.  There also were several companies providing software-as-service (SaaS) outsourced tokenization and still others selling do-it-yourself in situ tokenization hardware and software to merchants.  Yet, tokenization remained mostly marginalized as an emerging technology …and too-good-to-be-true… by Conventional Wisdom.

Then, a funny thing happened along the way to achieving cardholder security Nirvana:  Heartland.  Heartland Payments and others quickly became iconic in proving that Encryption Does Not Necessarily Equal Security.  Since Heartland, hard-pressed CTOs and cash-strapped CFOs have been gradually opening their minds and wallets to alternative security approaches like tokenization.

Yet, oddly, EPX stood alone for all these years as the ONLY full authorization / capture /clearing / settlement processor providing tokenization.   The giant end-to-end processors like Global Payments, TSYS, Elevon, Fifth Third, and First Data Corporation stayed on the sidelines, leaving it to their merchants to solve the card data security problem on their own. Finally, in 2009 Fifth Third Bank (which has its own in-house front and back-end processing) and then First Data (the world’s largest processor) respectively launched their versions tokenization. JPMorgan Chase’s Paymentech merchant acquiring company is not a self-contained end-to-end processor, but in the past few months has been sporadically promoting its Orbital gateway as having tokenization capabilities…although they appear to be using bolted-on functionality provided by a third-party vendor.

Tokenization is not only a solution for credit cards, but also for other forms of payment.  A few weeks ago, ProPay, a well-respected Salt Lake City-based payment ecommerce gateway company, made a nationwide announcement that it can now can encrypt and then tokenize electronic check routing and account holder data that is used in ACH transactions.  Likewise, on May 19th, Sarasota, NY-based ACH Payments, Inc. said it now will tokenize checking account numbers used in its ACH processing.  ProPay’s COO was quoted as saying: “ProPay is leading the industry and applying the same technology for protecting payment card information to the protection of ACH data…”  We at EPX appreciate the executive’s exuberance; however, the “leading the industry” part was a bit over-stated considering that EPX started tokenizing ACH transaction data as well – more than nine years ago.

EPX always knew that what we innovated in 2001 would not suffice as the complete answer to data protection. Tokenization, for sure, is elegant and powerful…and is especially cost-effective for complex enterprises with lots of locations and transactions. It mitigates the vast majority of cardholder data risk – substituting codes for card numbers stored or “in motion.”  In the case e-commerce transactions, the vulnerable data can be directly captured, encrypted and tokenized from the moment a customer or clerk keys in the data.

However, things are a little more complicated for retail POS “swipe” transactions. The card data can be potentially vulnerable for what I call the “first inch” – i.e., the momentary transit between the magnetic stripe to the point the data reaches the POS terminal or the payment module within a POS retail management systems’ software.  Although only briefly exposed, the can be skimmed or otherwise criminally compromised.  Also, such exposed card data at the front end-point of a transaction remains ‘in scope’ and subject to more cumbersome PCI Data Security Standards reporting.

We at EPX knew this was a problem to be eventually solved.  We watched with particular interest last October as First Data Corporation and RSA (the security division of EMC Corp.) announced their solution: instant encryption as the data is captured by a POS terminal, then tokenization of the data once it is captured by First Data’s processing platform. They call their product (still being field tested) “TransArmor.”

We applaud First Data’s adoption of encryption+tokenization and expect the technology to be a game-changer in the industry due to the huge number of merchants FDC supports.  And we welcomed the recent announcement by TransFirst’s Payment Processing International subsidiary (an ISO with a gateway) of offering encryption+tokenization capability.   However, true-to-form, all this big news is déjà vu for EPX.   In July 2009, EPX already had become the first processor in the world to introduce just such a solution –encryption of data all the way from the mag stripe to EPX’s firewall, then tokenization of the data once it entered our processing environment.  EPX’s encryption + tokenization is functionally consistent with what First Data/RSA and PPI later announced.  EPX uses an encrypting swipe device to capture the vulnerable data.  We hold the only decryption key to the swiped data in our secure processing environment (i.e., neither the merchant nor any other party ever has access to the decryption key).  We and our merchants use EPX BRICs (tokens) exclusively as transaction reference codes for all operational reference purchases thereafter.

These days there are an increasing number of companies offering what might be broadly called “tokenization.”  The differences between approaches can be hard to discern.  The most important differentiator, however, is in the fundamental integrity of the token creation protocols.   From the beginning, EPX engineers had the foresight to not take the obvious short-cut of simply creating the token algorithms from credit card numbers and banking account numbers.  EPX codes, instead, are based upon the unique and very specific characteristics of each specific transaction and its place in time, among other characteristics.  In retrospect, as criminal rings have become so much more skilled at reverse-engineering financial account numbers, we now know how much more secure is the EPX approach than others.  If the card number, or checking account number is not in the merchants systems – or the source of the tokens – the data cannot be stolen and deciphered.  In other words, it has no “street value.”

In the 31 years EPX has been in payments business we have made many breakthroughs by simply pursuing what is most effective, what is most efficient and what serves our merchants best.  We never have waited for others to lead the way, nor will we in the future.

Posted by Charles S. Crawford
Executive Vice President
Strategic DevelopmentElectronic Payment Exchange

Tags: , , , , , , , , , , , , , ,
Posted in EPX Commentary | 2 Comments »

EPX Protects Payment Data During the Transaction Lifecycle, But Consumers Must Safeguard their Credit Cards and Debit Cards at All Times

Tuesday, January 12th, 2010

Electronic Payment Exchange’s industry leading tokenization and encryption technologies protect payment data throughout the transaction lifecycle. Independent of EPX however, identity theft occurs constantly as a result of insecure consumer practices before any card data enters the transaction lifecyle. Therefore, it is important for credit and debit card users to practice high levels of safety when performing transactions.

Below is a list of important safety tips for credit and debit card users to follow:

  • If you have applied for a new/replacement card, and have not received it within 14 business days, immediately contact your financial institution.
  • Activate your new/replacement card once you receive it in the mail. Be sure to remove the sticker from the card once activated.
  • Sign the back of the credit/debit card as soon as you receive it.
  • Memorize your Personal Identification Number (PIN). Never write the PIN on the back of the debit card, or on a piece of paper and keep it in your wallet.
  • Never share your PIN with anyone. No one from a financial institution, police, or any merchants should ask for your PIN.
  • Never lend your credit/debit card to anyone. No one else should have access to it.
  • Protect your credit/debit card as if it were cash! Never let your card out of your sight.
  • Do not leave your credit/debit card in your vehicle.
  • Report lost or stolen credit/debit cards immediately! During business hours, contact your local bank branch. Once you have received your new card, notify all merchants with whom you have set up automatic billing payments of the new card number.
  • Be aware of others nearby when entering your PIN. Shield the screen or keyboard of the POS terminal or ATM machine to prevent those nearby from viewing your PIN entry or transaction amount.
  • Do not volunteer any personal information when using your credit/debit card.
  • Do not give you social security number, credit/debit card number, or any bank account information over the phone unless you have initiated the call, and you know that the business you are dealing with is reputable.
  • Before leaving the cashier, make sure you receive your credit/debit card back after every purchase.
  • Be careful with any receipts; do not leave them behind.
  • Always check your sales receipt for the correct purchase amount prior to signing. Keep copies of your sales and ATM receipts for future reference.
  • Verify the purchase amount on each receipt with the transaction amounts on the bank statements.
  • If you do not receive your monthly statement within a timely manner, contact your financial institution.
  • Contact your local financial institution for any changes made to your address or phone number. Keep your contact information current at all times so that your bank can contact you when necessary.
  • Shred all credit/debit card receipts or confidential information prior to placing it in the trash.
  • If you receive credit card applications in the mail, shred them before placing them in the trash. This prevents anyone from filling out the application in your name and receiving the card. If you choose to fill out an application, make sure the application is from a reputable financial institution.
  • Shred all expired credit/debit cards before placing them in the trash. Some paper shredders are capable of shredding the cards, or use a pair of scissors to cut the cards up into small pieces.
  • Keep track of every credit/debit card owned. Keep a confidential list of issuer telephone numbers in a secure location.
  • Avoid carrying extra credit/debit cards in your wallet or purse. Carry only the cards that you use frequently.
  • Never send payment information via email. Go directly to the web site and log into your account.
  • When making a purchase online, make sure you are using a secured browser. All reputable merchant web sites use an encryption technology that protects your personal data from being compromised by others while conducting online transactions.
  • Never provide your credit/debit card as proof of age. A credit/debit card does not contain information that verifies the card holder’s age. Some merchants my request the card number, show them your driver’s license instead.
  • Avoid using your PIN when using your debit card to make a purchase. It is best to just run the debit card like a credit card.
  • Be aware of emails that request personal data such as: PINs, Social Security Number (SSN), personal passwords, mailing address, or phone numbers. Plus emails that send you to a web site that request such information. Best thing to do is to delete the email.
  • Be aware of solicitors posing as representatives from a credit card or financial institution, calling to tell you that there has been some fraudulent activity on your account and requests your account number, PIN number, social security number or the three digit code located on the back of your card. If a financial institution contacts you due to suspicious activity, they would never ask for personal information to verify your transaction. Best thing to do is hang up and contact your bank institute to verify the status of your account.
  • When using an ATM machine, observe the surrounding area. If the machine is obstructed from view, or poorly lit, locate another ATM machine to perform your transaction. Report the condition to the financial institution responsible for that ATM machine.
  • Prior to using an ATM machine, be sure to inspect the card reader area for evidence of tampering. If there is evidence of tampering, contact the owner of the ATM to report the problem.
  • When using a drive-through ATM machine, make sure that all passenger windows are closed, and the doors are locked. This will prevent anyone form accessing your card while performing a transaction.
  • If using an indoor ATM machine that requires you to use a card to gain access, do not allow any unknown individuals in with you.

If credit and debit card users would perform at least half of these suggested security tips, the number of identity thefts and fraudulent transactions happening each day would be reduced.

For additional information about identity theft, click here.

Tags: , , , , , , , , , , , , , ,
Posted in EPX Commentary | No Comments »

In Search Of A Quick Fix For Cardholder Data Security, Merchants Need Not Look So Far

Friday, December 18th, 2009

By: Charles Crawford

In a by-lined piece published in cio.com, well-respected security expert and author Ben Rothke wrote “…people don’t want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes.”  He went on to praise the PCI Security Council’s vision: “The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard.”

I find myself usually agreeing with Rothke’s well-reasoned perspectives.  Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.

Where I take issue with Rothke’s article, “PCI Debate Ignores Planned Improvement Cycle,” is in the apparent limitation of his perspective to traditional security remediation solutions.  If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke’s point is well taken, albeit worrisome. What follows logically is that merchants should “man up” and embrace a future of never ending “improvement cycles” that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward “breach-proof” data.

What is taken too lightly is the role innovation already is playing.   Less costly and pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternative among recession-weary merchants.

The PCI Council got it right when they set as milestone #1 of their Prioritized Approach to Pursue Standard Compliance Remove sensitive authentication data and limit data retention.” EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems so that it can’t be lost or stolen.

Conventional thinking is for merchants to use matrix of remedial techniques, gambling that the data they hold will so be perfectly  sequestered and disguised it might not get compromised – at least, if everything works as planned and criminals don’t get any more clever.

EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs.  BRICs are used as card numbers would otherwise be, for transaction receipts, customer service returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes.   BRICs are not encryptions and not derived from credit card numbers, therefore have no street value if lost or stolen from the merchant.

For EPX, tokenization comes as no band-wagon initiative like we now are seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with “replacement values codes” in 2001 …three years before the first PCI Standards were published.  Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.

As the Council and many others have said, there is no “silver bullet,” no single solution – even tokenization.  We make no claim that EPX BRICs are such.  Yet, properly constructed and managed tokenization also is no “band-aid” that Rothke so wisely mocks. When the card numbers are gone, they’re gone. There’s not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary “improvement cycles” or investments to maintain the security of the data.  In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SCC’s most rigorous compliance requirements (Level 1).

Is it so, that “people want their…security now No doubt about it. But, I say “why not?” Merchants deserve pragmatic solutions that can achieve even a higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.

Rothke says there is genius in the PCI’s process of ever-evolving standards.  I think their real genius of the Council is its professed technologic agnosticism which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them.  In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.

—————————–

Charles Crawford is EVP of Strategic Development for EPX

[1] http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000; June 2009

Tags: , , , , , , , , , , , , , , , ,
Posted in Uncategorized | No Comments »

Electronic Payment Exchange Welcomes New Visa Best Practices for Data Field Encryption

Thursday, October 22nd, 2009

EPX BuyerWall uses data field encryption to protect card information from the swipe to the acquirer processor

Electronic Payment Exchange (EPX), a leading merchant acquirer and payment processor, said today that the recent Visa release of data field encryption best practices provides welcome leadership to merchants, technology professionals, and vendors looking for practical ways to reduce the risk of data breach. EPX is the first payment processor to offer a true end-to-end solution that endorses and incorporates both tokenization and encryption for securing cardholder data from the card reader through the entire transaction lifecycle, and believes the Visa best practices validate their approach.

The best practices for data field encryption (also known as end-to-end encryption or point-to-point encryption) announced by Visa on October 5, 2009 work toward developing a standard approach while offering guidance to payment solution providers. Visa establishes five key implementation objectives for payment providers who deploy end-to-end encryption: limiting the availability of cleartext cardholder and authentication data; using robust key management solutions that are consistent with international standards; using key lengths and cryptographic algorithms that are consistent with international standards; protecting cryptographic devices from physical/logical compromises; and using alternate identifiers for business processes that require the account number after authorization.

“The technologies built into EPX BuyerWall go hand-in-hand with the data field encryption objectives established in the Visa best practices document,” says EPX Chief Security Officer Matt Ornce. “Using encrypted card readers with our EPX BuyerWall solution satisfies Visa’s objectives and provides strong protection for merchants against potential data breaches.”

According to the Visa data field encryption best practices document, “no single technology can completely solve for fraud.”

Ornce wholeheartedly agrees. “EPX’s solution uses both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction,” he says. “Encryption at the card reader protects merchants against potential breaches before card numbers even leave the swipe for authorization. EPX BuyerWall tokenization replaces account numbers with values that are meaningless to would-be thieves and cannot be reverse-engineered to reveal the card numbers. Combined, they provide unparalleled fraud protection for a merchant’s customers.”

Tags: , , , , , , , , , , ,
Posted in EPX Commentary, EPX News, Payments Industry News | No Comments »