Thursday, November 5, 2009
The race to secure POS transaction data is heating up as terminal manufacturers, acquirers and Visa Inc. scramble to get the upper hand with new techniques like data encryption. Heartland Payment Systems Inc. thrust the debate into the limelight earlier this year with its discovery of a massive data breach despite indications that it had been in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS sets a baseline for securing cardholder data.
The discovery set Heartland on a quest for a fail-safe security regimen featuring end-to-end encryption. Heartland's effort, known as the E3 Project, is intended to safeguard cardholder data both at rest and in motion, from the moment a card gets swiped at the merchant's checkout, and throughout the exchange, processing and settlement steps.
"We're steadfastly committed to strengthening payments security through the development of end-to-end encryption and industrywide collaboration," Heartland's chairman and Chief Executive Officer, Robert O. Carr, said in September.
Heartland's efforts hit a snag when, by its account, the company was unable to find a domestic manufacturer that could help it bring to market POS devices that employed E3 technologies. So it turned to a Taiwanese firm, Unelectra International Corp., which developed an E3 terminal that Heartland hopes to roll out in the United States as its new NP3000 POS device.
It was a move that sent both VeriFone and Heartland to court, with VeriFone claiming the NP3000 infringes on one of its patents, and Heartland accusing VeriFone of restraint of trade by trying to put the kibosh on the NP3000.
The dueling lawsuits, however, have done little to stymie either company's efforts to win the race to bring the next generation of data security to the POS.
On Oct. 27, 2009, VeriFone heralded a partnership with Chase Paymentech Solutions LLC, one of the largest merchant acquirers, to market end-to-end encryption technologies to Paymentech merchants under the product name VeriShield Protect. VeriShield Protect, which VeriFone notes is compliant with encryption best practices introduced by Visa, builds on the security expertise of Semtek Corp., a technology firm that VeriFone has made a major investment in.
Semtek developed an encryption solution that VeriFone said will work with existing POS systems with "minimal" disruptions in or modifications to merchant operations.
"Joining forces with Chase Paymentech will ensure that a significant merchant population will have full access to the best proven security solution available today," noted Semtek CEO Patrick Hazel in an Oct. 27 statement. "This is very good news for retailers and for consumers."
That news came just days following word from Heartland of a "strategic relationship" with terminal manufacturer Hypercom Corp. Heartland is licensing Hypercom's SmartPayments server software to use on its processing platform (branded as Heartland Connect Gateway) and thereby ensure that Hypercom terminals can support E3 technologies.
Visa's encryption best practices, announced on Oct. 5, 2009, are seen as a way to help boost card data security without abandoning the PCI DSS, which was originally developed by Visa.
"While no single technology will help solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, Visa's Chief of Global Data Security. Perez added that while encryption is a good idea, it's not a replacement for the PCI DSS, "which remains the best protection against a data compromise."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.