The Green Sheet Online Edition
August 24, 2009 • Issue 09:08:02
EPX, joining end-to-end and tokenization
Payment processor Electronic Payment Exchange recently launched a data security system for merchants that combines end-to-end encryption and tokenization, two of the industry's most exalted solutions for securing card data. The company said it is the payments industry's first processor to develop a product that joins the two.
"There maybe are a few entities that have tokenization as a real product today, and there are a bunch of entities talking about doing end-to-end encryption for the merchant, but we haven't heard of anybody combining the two, much less delivering the product to the market," said Matt Ornce, Chief Operating Officer for EPX.
EPX Vice President of Sales Jason Gwynn said the joint encryption-tokenization system has been implemented at one merchant location so far, and "several more are lined up that have anxiously been waiting for us to officially release this."
How it works
According to Ornce, the new product keeps card data encrypted from the point of swipe until tokenization goes into effect. Card data that's immediately encrypted at a merchant's store remains that way until a token is substituted and sent back to the merchant - keeping all sensitive card data out of merchant hands, where it has historically been most vulnerable.
"It basically picks the credit card information up directly from the consumer, and goes around the merchant system, brings that information to us - EPX's processor - where we integrate the token [and] pass that token back so the merchant has a reference for that transaction," Ornce said. "From that token they can take actions against that initial transaction - issue a refund or void the transaction. The merchant doesn't have to touch the card number and doesn't even get the opportunity to store the data.
"The part [that isn't tokenized] is from the card reader to our posted Web application that we use in conjunction with tokenization. So the end-to-end encryption provides protection for that track data from the instant that it's swiped through to delivery to us as the processor."
Industry more security-minded
Paul Grill, a Partner at payments industry-focused First Annapolis Consulting, said EPX's new solution is part of a larger trend of more intense security practices among merchant acquirers and vendors.
"I think you look at the EPX announcement in combination with some other activities we've seen amongst the major acquirers, as well as some smaller vendors, you see this trend toward layering in a couple different technologies together," Grill said. "Maybe you're starting with the baseline of PCI compliance, if you will, and the regular blocking and tackling of information and data security and then layering on top of that these additional enhancements.
"I couldn't give you a good answer as to whether or not this will be infallible, but certainly the concept of tokenization does put in an extra and more significant set of barriers."