The Green Sheet Online Edition
September 14, 2009 • Issue 09:09:01
Protecting data, easing compliance
A new product from Boston-based ISO Merchant Warehouse may remove a crucial portion of Payment Card Industry (PCI) Data Security Standard (DSS) compliance work from the scope of both merchants and POS developers.
The product, MerchantWARE TransPort, is software that integrates with existing POS systems and appropriates the task of capturing credit card transactions.
"This would be the equivalent of running your accounting package and credit card processing application totally separate from each other," said Henry Helgeson, President and co-Chief Executive Officer of Merchant Warehouse.
"We've said OK, run your POS software, work your kitchen printers and your order entry and everything else you need to, and when it comes time to give us a credit card transaction, just give us an amount and a payment type, and we'll take it from there."
Moving data to keep it safe
Helgeson said MerchantWARE TransPort captures card data almost immediately after it enters a POS system and reroutes it - taking it out of the merchant environment and directing it to MerchantWARE's gateway via a secure sockets layer route. Once there, the information is tokenized and returned to the merchant in a form that is unreadable to potential hackers.
As Helgeson explained, payment data is traditionally moved by the POS system sending transactions directly to the processing front-end.
But MerchantWARE TransPort works differently. "Instead of the terminal dialing out or calling out to the processor, what it will now do is send it to our MerchantWARE server and then we'll go ahead and make the connection to whatever front-end we choose," he said.
"No card data is stored on the system itself, so it's a one-time use. When you swipe that card and it comes through to us, there is nothing stored on the system after that. For any other transactions - for example, a void - we've left a token in the software that allows us to void the transaction without card data having to be stored on the POS system or the merchant's computer itself."
Alleviates several burdens
Helgeson said MerchantWARE TransPort eases the burden on merchants and POS manufacturers in different ways. One way is that it "streamlines the [PCI] audit" by effectively removing the chore of Payment Application (PA) DSS compliance and allowing merchants to fill out a much simpler self-assessment questionnaire, he said.
It also mitigates the financial burden of compliance. The costs of PCI audits can be huge - $10,000 or more - and outsourcing the job of payment data capture can lower that figure significantly, according to Helgeson.
Lastly, keeping payment data out of merchants' hands significantly reduces the threat of data breaches, Helgeson noted. He said vulnerabilities often arise in merchants' payment systems because the developers of such systems aren't "always specialists in credit card transactions and security" and are apt to leave security holes.
He added that while MerchantWARE TransPort is being marketed to merchants of all types, it is meant particularly for smaller merchant environments. "It has probably impacted merchants the most that have specialty POS systems, smaller types of systems," he said. "The smaller, niche merchants, they're working typically fewer installations, meaning they typically have less employees, less income, less resources. ... I wouldn't expect a large development house to do something like that; it has the resources to do a PA-DSS audit."