
The Green Sheet Online Edition

April 12, 2021 • Issue 21:04:01

Hardware-grade security for digital commerce - Part 1

By Dale S. Laszig

Hardware remains integral to electronic transactions but is no longer the face of payments. Consumers aren't always marching single file to checkout stations to perform practiced routines. Hardware-dominant systems are giving way to software-based payment methods. Commerce is becoming more nuanced, more of a dance than a march, with the consumer, not the device, at center stage.

As hardware moves from a leading to supporting role in payments, how will solution providers bring the same level of machine-driven PIN entry and point-to-point encryption (P2PE) security to the digital world of online, mobile and in-app commerce? In this series, payments leaders discuss how advanced technologies are bridging the gap between physical and digital security.

Hardware's digital journey

Hardware's digital journey began with unplugged devices that used batteries instead of AC plugs and sockets and cellular networks instead of phone lines. It continued with portable Wi-Fi-enabled products and virtual terminals on computer screens that were pixelated renderings of countertop devices. Payments industry veterans who worked with these early models occasionally reminisce about transporting equipment, looking for cellular and Wi-Fi hotspots, and recharging batteries.

Ferne Glemby, president at CardPlus Empower LLC, described setting up a mobile terminal in a theater lobby in 1999. The hefty Hypercom T77 terminal with car battery on a rolling cart was among the few options for processing ticket sales during high-traffic ballet season, she recalled.

"We pieced together mobile terminals, car batteries and manual imprinters that we used to call knuckle-busters," Glemby said. "I felt like I was back in the 1990s when I recently showed a merchant how to use a knuckle-buster."

Invisible yet inviolable

As POS devices and payments became more elegant and invisible, POS manufacturers and technology providers continued to certify and power next-generation commerce solutions. Hardware slowly faded from the center of the customer experience while inconspicuously operating behind the scenes to enable mobile and digital commerce.

Bluefin, a technology provider known for patented P2PE and tokenization solutions, expanded its hardware capabilities and reach to digital commerce channels with ShieldConex. The solution, a 2021 FinTech Breakthrough award winner for Best Financial Transaction Security Platform, brings hardware-based encryption and vaultless tokenization to ecommerce.

James Johnson, managing director at FinTech Breakthrough, commended Bluefin for prioritizing consumer protection at a time of viral ecommerce growth. “Sensitive payment information like credit card numbers [is] entered through online forms and websites in growing numbers each day and most organizations have not updated their payment transaction security approach along with this growth,” he said. “Bluefin’s vaultless tokenization tool, ShieldConex, brings much-needed ease and security to the payment space by helping organizations reduce the scope of work and costs associated with maintaining regulatory compliance."

Mobile, ecommerce growth

As Johnson noted, migration from dumb devices to ecommerce and mobile apps kicked into high gear during the COVID-19 pandemic when business closures pushed consumers to mobile and digital commerce channels. Consumers who had already used in-app and online shopping doubled down while others transacted online for the first time, according to recent reports, including a study by RetailX and ACI Worldwide titled USA 2020 Ecommerce Country Report.

Researchers expect ecommerce growth of 18 percent per year to continue beyond the pandemic. "Around a quarter of all consumers say they now prefer online shopping," RetailX researchers wrote. "This is a number that will grow as the ongoing effects of the coronavirus pandemic continue to boost ecommerce by exposing more first-time online shoppers to the joys of ecommerce. Despite its maturity as a market, around 10 percent of adults aged 18-64 have experienced online commerce for the first time only due to the effects of Covid-19."

RetailX hosted a March 2021 webinar to discuss survey data. Moderator Ludovica Quaglieri interviewed ACI Worldwide executives Kieran Mongey, solution consulting merchant retail, and Dan Coates, solution evangelist. During the discussion, Coates mentioned that consumers are bringing their own devices to stores in a model he described as blended commerce, which combines in-app and in-store shopping to improve the customer experience.

Blended commerce

Coates went on to say that blended commerce enables consumers to limit time spent in stores by ordering ahead, pinpointing exact locations of store items and checking out on their own devices, all without touching the store's POS. He added that store apps use artificial intelligence to anticipate when consumers need to replenish items. "We worry sometimes about AI being evil, but we also want a personalized experience," he said. "The AI's assistance ensures that we order the things that we need."

Ruston Miles, founder and advisor at Bluefin, agreed, stating that he expects safety and security to remain top of mind for retailers following the pandemic. "I think merchants will have some work to do around safety for these consumers coming out of the pandemic, and that will drive omnichannel commerce through the roof," he said. "People are going to want to do in-app purchases so they can touch their devices and not your kiosk or your credit card machine."

Miles further noted that blended commerce will flip the script by assigning card-not-present (CNP) interchange rates to some card-present transactions. Consumers who are present in the store will make CNP transactions on their devices; card brands will have to catch up with that too, from a pricing perspective, he stated. There's a lot of work to be done to make transactions safe, secure and convenient, which creates lots of opportunities for ISOs, agents and processors, he added.

Expanding protection

Miles pointed out that hackers are not just exploiting payment card data, they are also going after personally identifiable information and personal health information. In response, service providers that had been encrypting and tokenizing card data to make it useless to attackers sought to apply the protections developed under the PCI Security Standards Council (PCI SSC) to other types of data.

"The PCI SSC brought that technology to the payments industry first, and the industry soon saw a need to extend those protections beyond just payments," Miles said. "Privacy laws are driving that from the East and the West, from California and Virginia and giving us a lot of tailwinds."

Troy Leach, senior vice president, engagement officer for market intelligence and stakeholder engagement at the PCI SSC, noted that technology always changes but the council remains focused on developing security standards merchants can trust. To this end, Leach "collaborates with the payments industry to help identify payment security risk and develop comprehensive strategies to secure payment data and the supporting technology."

Commercial off-the-shelf devices

As part of its efforts to expand secure payments acceptance, the PCI SSC published two standards for payment acceptance on commercial off-the-shelf (COTS) devices: Software-based PIN Entry on COTS (SPoC) in 2018 and Contactless Payments on COTS (CPoC) in 2019. The difference between the two, Leach stated, is that SPoC pertains to PIN entry (the PIN is keyed on the COTS device, which is paired with a separate secure card reader), while CPoC reads the card over the device's own near-field communication (NFC) interface with no PIN entry.

Justin Pike is founder and chairman of MYPINPAD, a global provider of secure personal authentication solutions for commercially available smartphones and tablets. The company's Android software-based CPoC solution was PCI CPoC certified in July 2020, a global first, and from Pike's perspective, a game-changer for online payments.

"By shifting payments from a fixed piece of hardware, which in many retail situations causes a bottleneck, to a mobile device like a smartphone or tablet, you then open up a world of new possibilities for the merchant to innovate within their end-to-end customer experience," Pike said. "And therefore, these experiences can be driven even more by what the consumer wants and by meeting their individual needs."

Extending market reach

Having worked for years with enterprise clients, MYPINPAD and Bluefin both offer subscription service models to small and midsize enterprise (SME) clients. Enterprises and banks integrate MYPINPAD into their mobile apps, Pike noted. Consumers and card issuers use MYPINPAD for secure PIN management inside mobile apps. The company offers a fixed per-transaction model to SMEs, which is delivered as a service, he added.

"Business customers use the app for payment acceptance," Pike said. "And for the first time ever, consumers can manage their own PIN inside their mobile apps in a compliant manner; for example, a consumer can change the PIN on their payment card without having to visit an ATM or branch. Furthermore, the solution also enables seamless onboarding to the mobile banking app, removing the need [for card issuers] to send one-time PINs in the post."

Miles noted that with Bluefin's SaaS model merchants are not paying rental and storage fees for encrypted data they may never use. "In addition to being more economically and commercially feasible, it's leveraging the same encryption technology," he said. "That's why it's called vaultless tokenization, but it's really encryption as a service."
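Miles's "it's really encryption as a service" is the technical heart of vaultless tokenization, and the contrast with a conventional token vault is easiest to see in code. The following is an added illustration written for this page, not Bluefin's ShieldConex code (the article does not describe Bluefin's patented scheme). The vaultless side uses a simplified FF1-style Feistel network over decimal digits with HMAC-SHA256 as the round function; it preserves the PAN's length and digit format but is not the NIST FF1 standard and is for demonstration only. The key and the card number are constructed test values.

```python
"""Vault-based vs vaultless tokenization of a payment card number (PAN).

Added illustration for this article, not vendor code. The vaultless scheme is a
simplified FF1-style Feistel network over decimal digits (HMAC-SHA256 round
function). It is NOT NIST FF1 and is for demonstration only.
"""
import hashlib
import hmac
import secrets

# Constructed test PAN (a well-known test number, not a real cardholder's card).
SAMPLE_PAN = "4111111111111111"
# Constructed demo key. In production the key lives in an HSM and never leaves it.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _check_pan(pan: str) -> None:
    # Need at least 6 (BIN) + 2 (encrypted middle) + 4 (last four) digits.
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("PAN must be all digits and at least 12 long")


class VaultTokenizer:
    """Classic tokenization: a random token stands in for the PAN and the
    token->PAN mapping must be stored, protected, backed up and audited."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        _check_pan(pan)
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
        token = pan[:6] + middle + pan[-4:]
        self._vault[token] = pan  # this table IS the secret; lose it, lose the PANs
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError if the mapping was never stored

    def vault_size(self) -> int:
        return len(self._vault)


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Keyed PRF over one Feistel half (plus tweak and round number) as an integer."""
    msg = tweak + bytes([round_no]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, tweak: bytes, digits: str, rounds: int = 10) -> str:
    """Map a decimal string to a decimal string of the same length (FF1-like Feistel)."""
    if not digits.isdigit() or len(digits) < 2 or rounds % 2:
        raise ValueError("need >= 2 digits and an even round count")
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _round_function(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)           # keep leading zeros: format matters
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, digits: str, rounds: int = 10) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards, subtracting the PRF."""
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def tokenize_vaultless(key: bytes, pan: str) -> str:
    """Keep BIN and last four in the clear, encrypt the middle digits.
    Nothing is stored: the token is recomputable and reversible only with the key.
    The clear head/tail act as the tweak, binding the ciphertext to this PAN."""
    _check_pan(pan)
    head, mid, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, (head + tail).encode(), mid) + tail


def detokenize_vaultless(key: bytes, token: str) -> str:
    _check_pan(token)
    head, mid, tail = token[:6], token[6:-4], token[-4:]
    return head + fpe_decrypt(key, (head + tail).encode(), mid) + tail


if __name__ == "__main__":
    vault = VaultTokenizer()
    t_vault = vault.tokenize(SAMPLE_PAN)
    t_vaultless = tokenize_vaultless(DEMO_KEY, SAMPLE_PAN)
    print("vault token     :", t_vault, "(mapping rows stored:", vault.vault_size(), ")")
    print("vaultless token :", t_vaultless, "(mapping rows stored: 0)")
    print("round trip      :", detokenize_vaultless(DEMO_KEY, t_vaultless) == SAMPLE_PAN)
```

The operational difference the block makes visible: with a vault, the token is meaningless on its own and the mapping table is the asset to protect; without one, the token is a ciphertext and the key is the only secret, which is why the key belongs in an HSM (the "hardware-based encryption" the article refers to) and why a merchant holding only tokens holds nothing recoverable. The tweak also means the same middle digits under a different BIN or last four produce a different token, so an attacker cannot transplant ciphertext between cards.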

Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. She can be reached at dale@dsldirectllc.com and on Twitter at @DSLdirect.


