The Green Sheet Online Edition
October 11, 2010 • Issue 10:10:01
Going to that process in the sky
Catchphrases often distort or give false impressions of what they are trying to describe. This seems to be the case with "cloud computing." The idea of a great big abstract cloud where wonderful technological things occur is a marketing triumph. It provides allure to a down-to-earth concept: third-party services hosted over the Internet.
In the payments industry, cloud-based processing is a little over a decade old. Processors operating payment gateways, or portals, that use the Internet as the connection hub between merchants and service providers, such as ISOs and merchant level salespeople (MLSs), are purveyors of cloud-based services.
While the concept might not be lofty, hosted payment services are becoming increasingly popular with merchants. A January 2010 survey of over 400 U.S. small to medium-sized business (SMBs) conducted by the Computing Technology Industry Association (CompTIA) said that almost 30 percent of respondents planned to implement cloud-based solutions in 2010, up 22 percent from to 2009.
And why not? By using hosted gateways that are Payment Card Industry (PCI) Data Security Standard (DSS)-compliant, merchants are unburdened from the costs and headaches of maintaining data security. The speed of the Internet for real-time updating of payments and information and the ease of use of virtual POS systems are other prominent enticements.
Bill Pittman, Chief Executive Officer at SoundPOS LLC, believes virtualization of the POS is a big opportunity for ISOs. He stated that, as merchants move toward integrated POS systems and away from stand-alone terminals, ISOs need a new solution to help them compete.
"ISOs are really getting themselves into an uncomfortable situation where the VAR [value-added reseller] dealers are playing one against the other," he said. "'Well, so and so will give me so much percentage of revenue share; you either match that or I'll go with them.' And so the ISOs are really losing control of the merchants with that model."
To regain control, ISOs can offer virtual terminals that mirror their literal POS counterparts in terms of features and functionality. But by being virtual, the process offers merchants tangible benefits over traditional POS systems, according to Pittman.
"You don't have to buy all the software," he said. "You don't have to buy as much hardware. You can use the lower cost hardware. You don't have to get the database installed. All the things that have to happen with the traditional premise-based solution from a point of sale perspective you don't have to do if you move it out to the cloud."
SoundPOS licenses its PC-based virtual terminal product to merchants solely through the ISO channel. In a Mercator Advisory Group report, Cloud Computing and Innovation at the Point-of-Sale: Toward the Cloud-Based vECR, author and Mercator Principal Analyst David Fish said that, by rolling out its virtual electronic cash register (vECR) via ISOs, SoundPOS may spark the reseller channel to evolve into a "conduit for value-added payment and merchant services technology."
According to Fish, ISOs are leaving "money on the table while offering 'free' terminals to merchants." By offering vECRs, ISOs can mitigate account control issues, channel conflicts and shrinking margins.
Grading the upgrade
The CompTIA survey said 42 percent of SMBs that took part in the study did not have formal information technology (IT) departments; instead, they relied on existing staff to manage IT issues on a part-time basis. The conclusion is that SMBs without IT departments are prime candidates for cloud-based services to bridge that daunting IT gap.
In the cloud, all IT issues are handled by the gateway, according to Baruch Goldwasser, E-commerce Subject Matter Expert at hosted business management firm NetSuite Inc. "They are handling all of the software," he said. "They're maintaining it. They're upgrading it as opposed to the old credit card terminals where you have software built onto the machines inside the merchant's location."
When a security patch needs to be installed in traditional swipe devices, someone must physically upgrade it, which could take days, Goldwasser said; in contrast, the gateway makes the updates itself, and in significantly shorter timeframes. Goldwasser gave NetSuite as an example: since it runs its services around the clock, when a fix is made to the system, it is pushed out immediately across its entire merchant network in real time.
"In the cloud you don't have something uploaded on my computer, and then at the end of the day you pass the information from my computer to the server, and then the server passes it to the marketing department and so on and so on," Goldwasser said. "Everything happens in real time. And so everybody can work with the most up-to-date information and act upon it."
Virtualizing the box
Another oft-touted benefit of cloud computing is scalability. For merchants who maintain their own servers, expanding their businesses means scaling up the capacity of their systems to handle more data, which often entails the costly addition of new hardware and software. The cloud, on the other hand, offers instant scalability - a storage capability that theoretically is just short of infinite because of its virtual nature.
This is where cloud computing enters the realm of science fiction for the technologically challenged. For Rudy Romeiro, Chief Technology Officer at payment gateway provider Redfin Network Inc., scalability goes hand in hand with the concept of virtualization.
When a customer makes a purchase via one of Redfin's e-commerce merchants, Redfin's gateway "talks" to a card processor's servers to process the payment. But that payment may be processed over a virtual server, not a physical one.
"And that's the beauty of virtualization," Romeiro said. "You can virtualize even physical boxes, as we do to a certain degree. You can have the availability of your server to multiply your servers."
Romeiro likens virtualization to time sharing. An owner of a time share in a mountain cabin does not own the physical cabin, the furnishings inside it or the land surrounding it. Instead, the "owner" rents a block of time to spend at the cabin.
"You're sharing a physical resource," Romeiro said. "You're sharing the physical asset. You are enjoying the more abstract part of the asset without all the costs of maintaining that asset.
"So a virtual server is pretty much the same thing. On a server at a data center I am sharing that server, the physical box that it is, with other people. I can have as many virtual servers as that box can handle."
Romeiro recognizes that at the base of this abstract file cabinet of virtual servers are physical servers, but that reality might undergo a paradigm shift. "You need to have a hard disk," he said. "You need to store data. But that part maybe one day will be virtualized."
Data security is, of course, the prevailing concern in the payments industry. It is no less a worry for cloud-based service providers. In the Mercator report, the question is posed: Is having more and more sensitive cardholder data processed in the cloud simply creating a "much larger honey pot" for fraudsters?
Fish answered that the ultimate responsibility for data security lies with merchants and that all of their security risks can never be fully outsourced. However, he said cloud-based payment processing alleviates some merchants' headaches by reducing their obligations for complying with the PCI DSS.
Romeiro said the problem of data security is neither exacerbated nor significantly lessened in the cloud. However, one possible advantage is the nature of the online process.
IT specialists and others must think about security because the process occurs over the Internet - the fraudster's playground. It is therefore vital that all data and communications be encrypted. "So that's one of the benefits of the virtualization of cloud computing," Romeiro said. "It forces you to be more concerned about security."
But Gary Glover, Director of Security Assessment at SecurityMetrics Inc., is skeptical about cloud security.
He advises merchants against adopting cloud-based processes that handle card data. "The technology is being pushed by cloud suppliers a bit too fast into the payment card space," he said.
Glover explained that cloud-based processing has not yet been addressed by the PCI Security Standards Council, so no defined security requirements exist for its proper implementation. Among the concerns that need to be addressed:
- Who is responsible for validating the physical security of the main cloud systems?
- Can you mix virtual systems that deal with card data with those that don't on the same cloud segment?
- Where would stored data be kept in the cloud?
- Who manages the virtual firewalls - the cloud provider or the merchant?
- Are web-based tools used by the cloud provider to manage various cloud servers secure?
- Is two-factor authentication used to manage the servers?
Scattering security seeds
One novel way to secure data in the cloud is a patent-pending process created by gateway provider PaySentinel. As described by Greg Chapman, Chairman at PaySentinel, the process involves breaking up the transaction (after it has been processed) into as many as 38 different pieces, with each piece stored in as many servers. As each piece is stored, a separate encryption key is generated.
If a fraudster should crack one key, that hacker gets access to only one piece of the transaction; without the other pieces, the information is useless.
This method of breaking up transactions into puzzle pieces and scattering the pieces across many servers is superior to end-to-end (E2E) encryption, according to Chapman. If a hacker cracks an E2E encrypted transaction, the complete card number is stolen, he said.
Chapman believes PaySentinel's process is also a hedge against the future. He estimates that in five year's time, quantum computing will hit the market.
"A quantum computer can process information much, much faster than any computer you can buy in the store today," he said. "And when that happens, we're going to have a huge issue with encryption. Current encryption is not going to be effective against a quantum computer attack."
With quantum computers, hackers will be able to break encryption ciphers instantly, he said. That's because in the quantum world, a bit of information, which normally takes the form of either a "1" or a "0", can be both a "1" and a "0." That means current encryption methods will not stand up to such a machine because a "master key" can be generated instantly, according to Chapman.
To protect against quantum computer hacks, probability calculations will need to be incorporated, he said.
"We're going to have to start doing more creative things to data like cloud-computing-style splitting up of data and incorporate probability in the mix," he added.
Becoming cloud centric
Of course, cloud computing is intimately connected with mobile payments, for merchants and consumers alike.
"The idea of being tethered to your office and not being able to leave there and not being able to do anything outside of your physical location is becoming more and more outdated," Goldwasser said. "Where the shoppers are transacting with you in multiple locations, where the merchants themselves are on the road and working from home or during their commute, they want to have the same level of access to all that information."
Other advantages are also becoming apparent. Pittman pointed out that franchise owners can run multiple locations from one database centralized in the cloud, without having to configure each store individually.
Furthermore, the cloud allows businesses to tie e-commerce storefronts to end-user mobile commerce customers, as well as backroom inventory control, all in real time, he added. Although SoundPOS launched its vECR only a few months ago, Pittman said the company already has over a dozen ISOs selling it.
"For the most part, our product has been very well received by most ISOs," Pittman said. "Many realize they need to evolve from selling commodity terminals to more advanced solutions like ours if they are going to remain in the game."
To stay competitive in a rapidly changing marketplace, ISOs and MLSs may have to think more abstractly and creatively about the solutions they sell. Perhaps turning their heads toward the cloud will provide inspiration, and more.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.