Posts Tagged ‘payment processor’

EPX Online Payment Processing Recognized as “One of the Best Options Available” by TopTenReviews.com

Friday, September 3rd, 2010

EPX has been officially recognized by TopTenReviews.com as one of the best providers of online credit card processing. TopTenReviews.com also provided a non-biased review of EPX and our processing technology.

Tokenization technology has been one of the key features of EPX payment processing for more than 10 years. The fact that other processors are starting to follow our lead is not surprising considering Visa recently published their tokenization best practices. With more consumers turning to non-cash payment forms, merchants will realize the importance of securing their data using the industry-leading methods provided by EPX’s tokenization technology.

The editors at TopTenReviews.com see absolute value in EPX’s tokenization technology.

“Overall, we are very impressed with the service to accept credit cards online with EPX. The innovative use of tokenization provides a level of security we didn’t see elsewhere, and we wouldn’t be surprised to see others follow their example.”

EPX provides significant cost savings to our clients when dealing with interchange fees. Other processors take the easy way out and charge flat fees regardless of what the interchange rate actually turns out to be. What they don’t take into consideration is that interchange rates are freely available to merchants on the Visa and MasterCard websites, and a little research would show the massive price differences. Processors try to look good by offering Preferred tier rates, but they don’t tell merchants that most of their transactions will not qualify for the Preferred rate.

EPX passes the interchange rate through directly to our clients, with no hidden costs. In essence, all transactions get the rate they deserve, especially because EPX utilizes its interchange optimization technology on every client and every transaction to make sure all the savings are realized.

The editors at TopTenReviews.com also give high marks to our approach to pricing.

“But even better, they don’t use a traditional tiered discount rate system. While other merchant account providers simply dump every transaction into a pre-defined “bucket” or tier with an assigned rate, this company uses interchange optimization technology to match individual transactions to the best rate possible. You can be sure that you’re getting the lowest fee for each transaction, regardless of the specifics or individual exceptions.”

Chargebacks are a reality for any business and are usually a paper-intensive, time-consuming part of your operation. With EPX webSuite, your organization can receive and adjudicate chargebacks online — leading to time and cost savings. TopTenReviews.com addresses EPX’s superior approach to addressing chargebacks.

“While chargebacks are a part of online credit card processing, they don’t have to be a pain. You can eliminate the weeks of paperwork by taking care of chargeback adjudication online. Furthermore, the company will back you up and help you deal with rebuttals rather than leaving you to fend for yourself on chargebacks.”

Not only are chargebacks automatically linked to their respective transactions, but adding notes and attachments, and then accepting or representing the chargeback couldn’t get any easier with EPX webSuite. In some cases, our EPX Relationship Managers and Chargeback Specialists will even do the work for you. All of your chargebacks are centralized in one location and available for reporting on demand, and for those chargebacks that you do accept, they’re separated out on your billing statement so you don’t have to go digging for facts. EPX statements are easy to read and full of information.

Read the full review online at http://accept-credit-cards-online-review.toptenreviews.com/ and http://accept-credit-cards-online-review.toptenreviews.com/epx-review.html.

The Tokenization Bandwagon Is Music to Our Ears

Wednesday, June 23rd, 2010

In May, EPX issued a press release entitled “Electronic Payment Exchange Enters its Tenth Year of Issuing Tokens for Securing Credit Card and ACH Transaction.” The fact that EPX pioneered such a novel and important technology for protecting merchants and cardholders from the risk of data compromise was not unusual. Our company was founded in 1979 as the first independent processor of electronic checks for merchants. Since then, we’ve been consistently bringing important innovations to market. But giving merchants and consumers the protection of credit card data “tokenization” in early 2001 was all the more impressive when seen in the context of the times.

Back then, cardholder data security was not exactly the front-of-the-forehead issue that it is today. There had not been a notable card data breach in the 35 years since revolving credit cards came into use. The first relatively large and publicized incident came just after the Y2K ball dropped in Times Square in January 2000. Online retailer CD Universe exposed 300,000 customer card records. (Of course, nowadays a breach exposing a mere 300,000 records would be considered a lucky break.) Since that first major incident, ever more damaging breaches have occurred like clockwork. Two were of Guinness proportions: retailer TJX in 2007 and processor Heartland Payments in 2009, both of which reportedly exposed more than 90 million card numbers.

When EPX started tokenizing data, Visa had just begun to formulate the first generation of data security standards. At first, Visa’s compliance program targeted only e-commerce payment gateway operators, not merchants. MasterCard did not initially see the need for standards, and instead offered data security consulting services. The launch of the Payment Card Industry Security Standards Council was still five years away.

So, understandably, EPX’s breakthrough came with no public fanfare and unknowable future significance. Our engineers simply were looking for a way to make transaction lifecycles and follow-on transactions more efficient, and our merchant customers more secure. Being engineers, they didn’t call what they created “tokens.” They called the codes “GUIDs” and “Replacement Values.” (Surprising, isn’t it, that such a sexy name didn’t catch on?) The generic catch-word for such codes, “tokens,” did not come into vogue until 2005, when Las Vegas payment gateway operator and software licensor Shift4, Inc. coined the term. (Shift4’s process of code generation within the merchant’s environment, and its data flow, is significantly different from EPX’s off-premises approach, but more or less aims at the same purpose.)

As EPX gained practical experience, naturally we kept evolving and perfecting our technology to make it more effective, practical and efficient. As breaches kept hitting the headlines, we kept hearing loud and clear from merchants, particularly CTOs, that they would be delighted if they never had possession of the vulnerable cardholder data in the first place. And they truly loathed having to spend so much time and IT budget on major (non-ROI) system remediations to comply with new PCI Data Security Standards. With this guidance from the market, along came another set of EPX breakthroughs in 2005. We invented a number of methods for at-risk card data to be securely captured and stored only by EPX and never routed to the merchant. Ever. We filed for a patent on the sophisticated processes that are now at the heart of EPX’s BuyerWall™ security suite.

As the number and scale of data breaches increased over the years and PCI compliance became mandatory and urgent, the IT establishment naturally first turned to the familiar techniques they had been taught in school and had been using for decades: encryption, firewalls and other data “hardening” techniques. Several front-end-only gateway operators had been offering forms of tokenization. There also were several companies providing software-as-a-service (SaaS) outsourced tokenization, and still others selling do-it-yourself in situ tokenization hardware and software to merchants. Yet tokenization remained mostly marginalized by conventional wisdom as an emerging technology, and too good to be true.

Then a funny thing happened on the way to achieving cardholder security Nirvana: Heartland. Heartland Payments and others quickly became iconic in proving that Encryption Does Not Necessarily Equal Security. Since Heartland, hard-pressed CTOs and cash-strapped CFOs have been gradually opening their minds and wallets to alternative security approaches like tokenization.

Yet, oddly, EPX stood alone for all these years as the ONLY full authorization / capture / clearing / settlement processor providing tokenization. The giant end-to-end processors like Global Payments, TSYS, Elavon, Fifth Third, and First Data Corporation stayed on the sidelines, leaving it to their merchants to solve the card data security problem on their own. Finally, in 2009 Fifth Third Bank (which has its own in-house front- and back-end processing) and then First Data (the world’s largest processor) respectively launched their versions of tokenization. JPMorgan Chase’s Paymentech merchant acquiring company is not a self-contained end-to-end processor, but in the past few months has been sporadically promoting its Orbital gateway as having tokenization capabilities, although they appear to be using bolted-on functionality provided by a third-party vendor.

Tokenization is not only a solution for credit cards, but also for other forms of payment. A few weeks ago, ProPay, a well-respected Salt Lake City-based payment ecommerce gateway company, made a nationwide announcement that it can now encrypt and then tokenize electronic check routing and account holder data that is used in ACH transactions. Likewise, on May 19th, Sarasota, NY-based ACH Payments, Inc. said it now will tokenize checking account numbers used in its ACH processing. ProPay’s COO was quoted as saying: “ProPay is leading the industry and applying the same technology for protecting payment card information to the protection of ACH data…” We at EPX appreciate the executive’s exuberance; however, the “leading the industry” part was a bit overstated considering that EPX started tokenizing ACH transaction data as well – more than nine years ago.

EPX always knew that what we innovated in 2001 would not suffice as the complete answer to data protection. Tokenization, for sure, is elegant and powerful, and is especially cost-effective for complex enterprises with lots of locations and transactions. It mitigates the vast majority of cardholder data risk by substituting codes for card numbers stored or “in motion.” In the case of e-commerce transactions, the vulnerable data can be directly captured, encrypted and tokenized from the moment a customer or clerk keys in the data.

However, things are a little more complicated for retail POS “swipe” transactions. The card data can be potentially vulnerable for what I call the “first inch” – i.e., the momentary transit from the magnetic stripe to the point where the data reaches the POS terminal or the payment module within a POS retail management system’s software. Although only briefly exposed, the data can be skimmed or otherwise criminally compromised. Also, such exposed card data at the front end-point of a transaction remains ‘in scope’ and subject to more cumbersome PCI Data Security Standards reporting.

We at EPX knew this was a problem to be eventually solved.  We watched with particular interest last October as First Data Corporation and RSA (the security division of EMC Corp.) announced their solution: instant encryption as the data is captured by a POS terminal, then tokenization of the data once it is captured by First Data’s processing platform. They call their product (still being field tested) “TransArmor.”

We applaud First Data’s adoption of encryption+tokenization and expect the technology to be a game-changer in the industry due to the huge number of merchants FDC supports. And we welcomed the recent announcement by TransFirst’s Payment Processing International subsidiary (an ISO with a gateway) of offering encryption+tokenization capability. However, true to form, all this big news is déjà vu for EPX. In July 2009, EPX already had become the first processor in the world to introduce just such a solution – encryption of data all the way from the mag stripe to EPX’s firewall, then tokenization of the data once it entered our processing environment. EPX’s encryption + tokenization is functionally consistent with what First Data/RSA and PPI later announced. EPX uses an encrypting swipe device to capture the vulnerable data. We hold the only decryption key to the swiped data in our secure processing environment (i.e., neither the merchant nor any other party ever has access to the decryption key). We and our merchants use EPX BRICs (tokens) exclusively as transaction reference codes for all operational reference purposes thereafter.

These days there are an increasing number of companies offering what might be broadly called “tokenization.” The differences between approaches can be hard to discern. The most important differentiator, however, is the fundamental integrity of the token creation protocols. From the beginning, EPX engineers had the foresight not to take the obvious short-cut of simply deriving tokens algorithmically from credit card numbers and bank account numbers. EPX codes, instead, are based upon the unique and very specific characteristics of each transaction and its place in time, among other characteristics. In retrospect, as criminal rings have become so much more skilled at reverse-engineering financial account numbers, we now know how much more secure the EPX approach is than others. If the card number or checking account number is neither in the merchant’s systems nor the source of the tokens, the data cannot be stolen and deciphered. In other words, it has no “street value.”

In the 31 years EPX has been in the payments business we have made many breakthroughs by simply pursuing what is most effective, what is most efficient and what serves our merchants best. We never have waited for others to lead the way, nor will we in the future.

Posted by Charles S. Crawford
Executive Vice President, Strategic Development
Electronic Payment Exchange

The Surprise Demise of PIN Debit: Debit Networks Have Been Quickly Diminishing The Cost Advantage of PIN vs. Signature Debit

Friday, May 14th, 2010

Most customers couldn’t care less whether they enter their 4-digit PIN or sign a sales draft when using their Visa or MasterCard logoed debit card (“check card”) to make a purchase. The price they pay for goods or services is the same either way.

But the customer’s mode of choice has had a material impact on the cost of the transactions to merchants – at least until recently.  For those merchants that have “interchange-plus” agreements with their banks, allowing for pass-through debit network costs, PIN-debit transactions historically have cost far less than if the same transaction was processed as Signature-debit – i.e. with no PIN validation.  As recently as two years ago, the cost of PIN-debit was as little as half that of a Signature-debit transaction, depending upon the sale amount, merchant type and other factors.

The PIN advantage always was particularly pronounced for merchants selling higher-than-average priced goods and services, i.e. items priced above $40-$50 or so. That was because the debit networks charged more in transaction fees than, say, credit card transactions (about double), but at least they always “capped” the percentage assessed on the sale amount for most transactions. There was a maximum fee for the most common types of transactions no matter what the ticket size.  So, an average retail PIN-debit transaction often would cost no more than 60 or 70 cents all-in.

This was not so for a Signature-debit transaction, however. Signature-debit was priced like credit card transactions, with fees more or less proportional to the price of the merchandise or services.

The gradual tectonic shift in debit card pricing strategy over the years turned into a tremor felt throughout the payments industry in 2009 when Discover’s PULSE network (the third largest) removed its fee cap on most types of PIN-debit transactions. The Pulse percentage fee now floats with the ticket size for standard transaction types. Since then, the other major EFT networks – Star (First Data Corp.), NYCE (Metavante), Accel/Exchange (FiServ) and CU-24 – have followed suit and have eliminated or moved-up the caps on the most common PIN-debit transactions.

The final and most influential change just occurred in April 2010. As part of Visa’s semi-annual interchange modifications, Visa raised the Interlink interchange rate for PIN-debit pricing from 75 basis points and $0.17 per transaction to 95 basis points and $0.20 for standard transactions. Visa PIN and Signature pricing are now the same. Considering that Visa’s Interlink debit network has a 40%+ share of the debit card market and that it processes an estimated 73% share of all Signature-debit transactions, the practical impact of Visa’s change to merchants is likely to be profound.

Rate strategies vary and the devil is in the comparative pricing details between networks and transaction or industry categories. So, there still can be found certain price advantages for PIN-debit for some industries and in some ticket-size scenarios.  However, there no longer is a noticeable safe haven price gap between PIN and Signature to be exploited. That is particularly counter-intuitive considering processing rates traditionally have had some relationship to transaction financial risk; PIN-validated transactions have been viewed as inherently less prone to repudiation, thus less risky to the account holders and banks involved than transactions with signature verification.

Many merchants are resigning themselves to the new reality in which Signature-debit reigns supreme. With little price advantage remaining between PIN and Signature, major industries like pay-at-the-pump fuel operations are seriously debating whether to make the estimated $20,000 per location investment required to convert current PIN acceptance devices to a new generation of more secure PIN data devices as mandated by the PCI Security Standards Council Data Security Standards. It even remains to be seen whether Costco, Home Depot, Wal-Mart and other mega-merchants that, due to the price differential of Signature-debit, have not even offered Signature-debit as an option to POS debit customers, will soon do away with PIN-pads.

Major check card issuing banks have been actively promoting Signature-debit in promotional mailings to their cardholders. They have offered incentives on purchases that only apply when a Signature-debit transaction is made. JPMorgan Chase, according to news reports, has made the inaccurate inference to its cardholders that Signature-validated transactions are somehow more secure than PIN transactions. Presumably they are promoting Signature over PIN debit because, as card issuers, they make back more money from the interchange fees paid when a Signature-debit transaction is processed via the credit card networks than when a PIN-debit transaction is processed by one of the electronic funds transfer (“EFT”) networks. Now that difference has been largely negated, so there is little need to promote Signature-debit per se.

What is causing the major strategy shift by the EFT networks and Visa?   It is all part of the overarching competition between networks to woo financial institutions to issue cards processed by their networks. The networks make money on the transaction processing (“switch”) fees assessed to every transaction that occurs (from about 3¢ to as much as 8¢ for PIN-debit, depending on the network). The majority of the fees charged to the merchant – per transaction and per sales dollar – are paid to the card issuing bank. So what we have been seeing is essentially a bidding war among the networks to get their brand “bugs” printed on the back of the most cards issued.

Having said that, it is not at all obvious yet just how much of a shift in real fee income will come from all this market re-positioning and effective price parity between PIN and Signature-debit. Debit cards have become more and more popular in recent years, especially during the recession. Debit now surpasses credit as the preferred means of POS payment. But debit cards, in whatever format, still are essentially plastic checks, with more or less the same consumer behavior patterns as cash. As such, debit transactions might be more common than credit card transactions, but the dollar volume of debit is far from matching total credit card purchase volumes. Understandably, debit purchases are limited to bank account balances. Higher value goods and services continue to be purchased on credit – although less credit is being extended during the recession. According to a 2009 PULSE study, the average debit transaction in 2008 was about $42 for PIN-debit compared to $37 for Signature-debit. PULSE estimated more than a quarter of all debit transactions in 2008 were for purchases of less than $10. This compares to average retail credit card purchase amounts that are usually approximated to be about $70-$80.

Processing cost is the paramount issue to most merchants, yet there still are several soft reasons for continued acceptance of PIN-debit transactions:

  • Customers often are more comfortable with the security of PIN validation.  After all, the card is accessing their bank account. Presumably, only the card owner knows and uses the PIN.
  • There are many consumers without credit cards, or who have reached their limits.  PIN and Signature-debit let the customer make a cash-less purchase with the funds they have in their bank account but happen not to have in their wallet.
  • For the merchant, funds process through the EFT networks almost immediately.  By contrast, a Signature-debit transaction, run through the credit card networks, might take 2-3 days to be debited from the consumer’s account.  This can mean less chance of insufficient funds and sometimes faster credit of sale proceeds to merchants.
  • PIN transactions typically can be completed faster in the check-out line and require less documentation and storage by the merchant.  A PIN-debit transaction has considerably less chance of being repudiated successfully.
  • A PIN-debit transaction allows for cash-back to the cardholder at the POS; this is not possible with a Signature-debit transaction.

Even so, much of the appeal of a PIN transaction proves to be somewhat illusory:

  • While it is true that PIN-authentication is relatively fool-proof security for a specific transaction, the card remains vulnerable as long as there is a Visa or MasterCard logo on the card and the card can alternatively be tendered for a Signature-debit transaction. Signatures or IDs, obviously, are not always verified by store clerks.
  • Both PIN-debit and Signature-debit cards benefit from consumer protection laws and practices, although the protections come from different laws. If reported lost or stolen in a timely manner, the cards have a maximum of $50 liability to the account holder.
  • PIN-debit transactions usually do not accrue rewards credits from the issuing banks, whereas Signature-debit cards do. This feature, alone, is accelerating the shift from PIN to Signature.

There is little merchants can do to shape the system to their benefit.  Merchants are under contractual obligations by their acquiring bank sponsors to accept all cards with a Visa or MasterCard logo. They are prohibited from attempting to “steer” a customer card transaction from one mode of acceptance to another. Card company rules further require merchants with PIN-processing capability to proactively provide customers the choice of making a PIN-debit or Signature-debit transaction.  At best, merchants can only make the threshold decision to either enable acceptance of PIN-debit by making a PIN-pad available at the POS or to accept only Signature-debit transactions at the POS.

Written By: Charles S. Crawford, Executive Vice President for Strategic Development
Electronic Payment Exchange

More Merchants Taking Advantage of “Pin-Less” Debit Transactions to Lower Transaction Costs

Wednesday, December 30th, 2009

Increasing numbers of merchants now are allowed to process bank-issued debit cards online or over the phone without PIN validation. Those merchants qualified to accept PIN-less debit payment can take advantage of all-in costs, which can be far below the expense of a credit card or a debit card transaction processed through the credit card networks.

Electronic Payment Exchange (EPX) is one of a very few payment processors technically set up and certified to submit “PIN-less” debit transactions directly to the three electronic funds transfer (EFT) networks that currently waive PIN validation for certain card-not-present transactions: STAR, Pulse and NYCE.

In a PIN-less debit transaction, a customer supplies his/her bank ATM card information to make a web or phone payment to an eligible merchant. The debit is linked to the customer’s bank account, but normally includes a Visa or MasterCard logo. Before the transaction, the cardholder is given the choice of using the card as a “signature debit” transaction, or a PIN-less debit payment. If it is a signature debit transaction, the transaction is processed through the Visa and MasterCard networks without PIN entry, just like an online credit card transaction except that the funds are deducted directly from the cardholder’s depository account, not billed to the customer by the bank. If the customer chooses to make a PIN-less debit transaction, the transaction is routed by EPX directly to the EFT network with which the card issuing bank has a processing agreement. As with any ATM or debit transaction, PIN-less card transactions result in funds deducted in near real-time from the cardholder’s posted bank account balance.

Since there is greater inherent risk of loss from a transaction without PIN validation, the EFT networks limit the privilege of PIN-less debit transaction processing to a range of merchants within authorized industry sub-sectors. The transactions from permitted sectors are assumed to be safer because these businesses commonly take payments from known customers for routine billings.

The list of permitted industry sectors varies by EFT network. At a minimum, the list includes:

  • Utilities (electric power, natural gas, telephone, cable, cellular, satellite, etc.)
  • Government agency payments (taxes, fees, fines and penalties, etc.)
  • Education providers (tuition payments)
  • Insurance providers (property, casualty, health and life)
  • Closed-end loan payments (mortgage and motor vehicle)
  • Rent/lease payments

STAR and NYCE allow a somewhat broader range of merchant types to submit PIN-less debit transactions than does the Pulse network. The list of allowed merchant types is expanding steadily as the EFT networks gain experience from PIN-less transactions.

Each EFT network has a distinct schedule of fees and policies for PIN-less debit transactions. The fee calculations are a bit complicated because they can vary by the specific SIC code, whether the merchant is in an “emerging” market, and because of the differences in pricing strategies among the networks. The greatest comparative advantage over credit card rates comes when a customer chooses to make payment with a STAR- or NYCE-affiliated debit card and the billing amount is higher than $100.00 (as often is the case for utilities, insurance companies, property managers and other favored business segments).

For comparison, consider a $200.00 online or phone credit card or “signature debit” transaction versus a PIN-less debit payment. Processed as a credit card, the merchant’s rate for a non-face-to-face transaction might typically be 2.10% or more of the face amount, plus $0.20 per transaction. The total cost to the merchant would therefore be $4.40. If the PIN-debit were accepted by the STAR network, the highest fees would be 14.5 cents for the transaction plus 0.65% on the dollar amount – but the total is capped at $1.00 in percentage fees. Therefore, the total cost of that PIN-less debit transaction would be $1.45 – a savings of about two-thirds over a credit card or signature debit transaction in this scenario.

The savings realized from PIN-less debit are quite case-specific to the network, merchant type and transaction size. For instance, if the transaction were run on the NYCE network, the cost would be fairly comparable to STAR for that size of transaction. However, if the card happened to be Pulse-affiliated, the overall fees would compare more closely to the cost of credit card or signature debit processing. In 2009, Pulse (owned by Discover) removed its ceiling on the percentage rate charged for PIN-less debit transactions, and the percentage fee is about a third greater than STAR or NYCE.

The network to which each transaction is routed is determined by the bank that issued the debit card. Each debit card issuer has a processing agreement in place with one or another EFT network. Most issuing banks are affiliated with one of the big three independent networks (STAR, Pulse or NYCE). If the card tendered is not one of their own, these EFT networks route transactions to the correct network.

PIN-less debit transactions differ from credit card, signature debit, or ACH transactions in several other ways, including:

  • EFT rules require that the customer with a branded debit card be given the choice of processing their debit card as a PIN-less transaction or a “signature debit.”
  • PIN-less transactions post against the customer’s depository account in near-real-time through the EFT networks, whereas an ACH payment may take 2 or more days to post.
  • Authorization codes are not always received for PIN-less transactions, but such codes – unlike with credit card transactions – are not required for funding of the PIN-less debit transactions.
  • Account solvency is immediately determinable. However, merchants assume the risk of non-sufficient funds (“NSF”), stop payment, or fraudulent transactions — just as would be the case if they processed a check or ACH transaction.
  • It is unnecessary to request a capture of the transaction, since the transaction is authorized by, and the funds moved by, the EFT networks.
  • For a credit card transaction, you can typically process an authorization reversal. This is not the case with a PIN-less debit transaction.
  • There is no credit feature for PIN-less debit. Refunds are possible only by issuing the customer cash, check, store credit or other forms of reimbursement.
  • PIN-less cards do not accrue rewards benefits as often.

PIN-less debit can provide significant cost savings and other advantages for authorized merchants, if those merchants have the sophistication and discipline to proactively encourage consumers to pay with EFT debit cards that offer the greatest marginal transaction savings.

Merchants can learn more about PIN-less debit transaction from EPX by contacting sales@epx.com or an EPX account manager.

– Charles Crawford, EPX EVP for Strategic Development

In Search Of A Quick Fix For Cardholder Data Security, Merchants Need Not Look So Far

Friday, December 18th, 2009

By: Charles Crawford

In a by-lined piece published in cio.com, well-respected security expert and author Ben Rothke wrote “…people don’t want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes.”  He went on to praise the PCI Security Council’s vision: “The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard.”

I find myself usually agreeing with Rothke’s well-reasoned perspectives.  Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.

Where I take issue with Rothke’s article, “PCI Debate Ignores Planned Improvement Cycle,” [1] is in the apparent limitation of his perspective to traditional security remediation solutions. If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke’s point is well taken, albeit worrisome. What follows logically is that merchants should “man up” and embrace a future of never-ending “improvement cycles” that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward “breach-proof” data.

What is taken too lightly is the role innovation is already playing. Less costly and more pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternatives among recession-weary merchants.

The PCI Council got it right when they set as milestone #1 of their Prioritized Approach to Pursue Standard Compliance: “Remove sensitive authentication data and limit data retention.” EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems so that it can’t be lost or stolen.

Conventional thinking is for merchants to use a matrix of remedial techniques, gambling that the data they hold will be so perfectly sequestered and disguised that it might not get compromised – at least, if everything works as planned and criminals don’t get any more clever.

EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs. BRICs are used as card numbers would otherwise be: for transaction receipts, customer service returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes. BRICs are not encryptions and are not derived from credit card numbers, and therefore have no street value if lost or stolen from the merchant.
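The property described above, as an added example in Python that is not EPX code and not how BuyerWall is implemented: a processor-side vault issues a random UUID per sale (a hypothetical stand-in for a BRIC), the merchant stores only that token next to its orders, and an audit check confirms no card number ever lands in the merchant's records. The class names, the Luhn check at intake and the masked refund response are my assumptions.

```python
import uuid

def luhn_valid(pan):
    """Luhn check, applied where the card number is first accepted (at the processor)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Processor side: the only place the PAN lives. Tokens are random UUIDs (a
    hypothetical stand-in for BRICs), so nothing about the PAN is encoded in them."""
    def __init__(self):
        self._pan_by_token = {}

    def authorize(self, pan):
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        token = str(uuid.uuid4())           # fresh per sale, so repeat sales are not linkable
        self._pan_by_token[token] = pan
        return token

    def refund(self, token, amount):
        """Refund is routed to the card here; the merchant only ever sees a masked form."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"refunded": amount, "card": "*" * (len(pan) - 4) + pan[-4:]}

class Merchant:
    """Merchant side: keeps tokens next to orders; holds_pan() is the audit check."""
    def __init__(self, vault):
        self.vault = vault
        self.orders = {}

    def checkout(self, order_id, pan, amount):
        token = self.vault.authorize(pan)   # PAN passes through; only the token is kept
        self.orders[order_id] = {"token": token, "amount": amount}
        return token

    def refund(self, order_id):
        rec = self.orders[order_id]
        return self.vault.refund(rec["token"], rec["amount"])

    def holds_pan(self, pan):
        return any(pan in str(rec) for rec in self.orders.values())
```

The card number 4111111111111111 used in the test is a constructed, Luhn-valid sample value, not a real account.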

For EPX, tokenization is no band-wagon initiative of the kind we are now seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with “replacement value codes” in 2001, three years before the first PCI Standards were published. Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.

As the Council and many others have said, there is no “silver bullet,” no single solution – not even tokenization. We make no claim that EPX BRICs are such. Yet properly constructed and managed tokenization is also no “band-aid” of the kind Rothke so wisely mocks. When the card numbers are gone, they’re gone. There’s not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary “improvement cycles” or investments to maintain the security of the data. In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SSC’s most rigorous compliance requirements (Level 1).

Is it so that “people want their… security now”? No doubt about it. But, I say, “why not?” Merchants deserve pragmatic solutions that can achieve an even higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.

Rothke says there is genius in the PCI’s process of ever-evolving standards. I think the real genius of the Council is its professed technological agnosticism which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them. In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.

—————————–

Charles Crawford is EVP of Strategic Development for EPX


[1] http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000; June 2009

Payment Processing Outsourcing Is Gaining Acceptance Among Merchants

Monday, December 14th, 2009

In a recent Practical eCommerce article by Kevin Patrick Allen titled “PCI Exec Suggests Payment Outsourcing for Smaller Merchants,” Allen interviewed Troy Leach, chief technology officer of the PCI Security Standards Council.

In the interview, Leach discusses an industry trend in which smaller merchants are outsourcing their payment processing and PCI compliance validation to third-party organizations that have the technical know-how, payment processing knowledge, and PCI compliance expertise.

[Smaller merchants are] “recognizing they don’t have a dedicated IT shop in house,” said Leach. “They don’t have dedicated security staff that can support ongoing security. What they need to do is to outsource to a service provider that has that security skill set that has that fundamental understanding of just how a payment process works.”

We at Electronic Payment Exchange (EPX) believe that Leach is right on track with his assessment. The Payment Card Industry (PCI) – an association of card issuers including Visa, MasterCard, American Express and Discover – requires all merchants that process, transmit, or store cardholder data to meet a set of Data Security Standards (DSS). Normally, achieving these standards requires an enormous investment of both time and money from merchants.

Rather than asking merchants to deal with the technical burdens and expenses of meeting the standards and building and maintaining their own credit card processing and ACH processing solutions, EPX provides hosted solutions that facilitate payment processing and help merchants reach PCI compliance.

In fact, EPX has been encouraging merchants for years to outsource their payment processing and PCI compliance needs to EPX. Recognizing the increased focus on PCI compliance, EPX is revolutionizing the payments industry through the development of fully integrated payment solutions that enable merchants to efficiently, securely, and cost-effectively process credit card, debit card, stored value, and ACH payments. By incorporating our patent-pending BuyerWall™ technology into our solutions, we lead the way in helping merchants achieve PCI compliance.

To read the full Practical eCommerce article, see http://www.practicalecommerce.com/articles/1439-PCI-Exec-Suggests-Payment-Outsourcing-for-Smaller-Merchants.