The Payments Processing Information Sharing Council is urging the payments industry to expand the standardization of card system protocols. The strategy will no doubt face resistance, as proponents seek to overcome vested interests.
The PPISC, a forum for sharing fraud threats within the payments industry, issued a policy statement March 23, 2010, calling on vendors of payment hardware and software "to develop cost-effective security solutions that promote open architectures, interoperability and the potential for widespread adoption."
The council believes competing proprietary methods for authentication, encryption and tokenization lead to higher overall costs to the payment system. The adoption of open architectures would support emerging technologies that can protect the system infrastructure from attacks, according to the statement. "The primary goal of this policy statement is enhancing the security of the entire payments processing infrastructure," PPISC Vice-Chair Rick Van Luvender, First Data Corp.'s Director of Enterprise Security and Risk Compliance, noted in an e-mail. "Cost reductions are an additional benefit that will lead to widespread adoption of enhanced security solutions."
The Secure POS Vendor Alliance, a strategy organization for major vendors including VeriFone, Ingenico and Hypercom Corp., in an e-mail response to The Green Sheet, did not dismiss the concept of standardization outright, but questioned the council's assumption that adoption of specific standards would foster innovation. "The SPVA endorses using existing standards where possible to define requirements for new technologies, rather than create new ones."
The SPVA added, "It is highly unlikely a single interoperable system will meet all" of merchants' diverse needs for post-authorization data or for the numerous types of card data entry, including attended, unattended and standalone terminals; integrated systems; POS (cash register) systems; card not present; MO/TO; and e-commerce.
Moreover, the SPVA continued, "some merchants may be willing to make system changes to accommodate payment security. Others may not be willing or able to do so. Development of a single interoperable standard will mean the lowest common denominator and will have the effect of reducing innovation in the payment card security space." The alliance predicts that an industry that conforms to a single standard will ultimately reduce competition and innovation.
However, the PPISC does not appear to be calling for a single system. Rather, it is seeking standardization on some methodologies, such as messaging formats and tokenization, which would ease communication between systems and lower the costs of certifying products made by third-party value-added resellers.
"We're not looking to squelch innovation," PPISC member Christopher Kenyon, Executive Vice President and Chief Information Officer at Elavon Global Acquiring Solutions, said in an interview. "We're saying that with interoperability, we can come up with common ground so that all the players .... can still participate in an economical fashion in the industry and not have to adopt everybody's different security solutions."
The major processors, which make up the PPISC, have all agreed that more standards are needed, particularly in encryption and messaging, Kenyon said. "We're not saying we have all the answers. We, the processors, are ... saying we have a concern." Processors and third-party value-added resellers are trying to cope with the cost of creating and certifying a multitude of security solutions brought to market "on a monthly basis."
"Keep your solution, and let's find a common denominator in how we communicate between electronic devices," Kenyon said. "We're saying why don't we get smart people together and figure out how to make this efficient [and] effective and roll it out to the masses."
However, the SPVA feels that market forces should take precedence. Standards "should be built on existing building blocks where possible, and the market should decide which implementations of those standards make the most sense for their business."
True interoperability of hardware and software can have side effects. The "downside" of the interoperable approach for many ISOs would be the churning of clients, according to industry attorney Adam Atlas.
"Anyone who wishes for this is obviously trying to make it easier for merchants to switch from one provider to another, or to add applications from one provider onto a terminal supplied by another provider," Atlas said.
Ultimately, "they, too, will find the difficulty of latching on to a merchant. Any sales organization should be trying to increase the stickiness of their offerings, rather than decrease it. I think [interoperability] would decrease the stickiness of products."
Yet the PPISC's Luvender described enhanced security as a byproduct of standardization. "The concept of 'open architecture' is really one of standardization between vendors to facilitate interoperability in the payment processing space, causing the least amount of disruption to the merchants' business as they implement enhanced security solutions."
He believes vendors would benefit from standardization because merchants could continue using their hardware regardless of the advanced security protocols utilized by the merchant.
First Data has begun to implement some standardization. Its TransArmor tokenization is designed to be interoperable. Merchants can implement it without new hardware or new back-end information technology operations, according to Luvender.
Part of the Financial Services-Information Sharing and Analysis Center, the PPISC is chaired by Robert O. Carr, Chief Executive Officer of Heartland Payment Systems Inc., which is locked in a legal battle with vendor VeriFone over a new Heartland card terminal. VeriFone has accused Heartland of infringing on a patent. VeriFone's suit and Heartland's countersuit have pitted VeriFone and its ally Chase Paymentech Solutions LLC against Heartland and vendor Hypercom.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next