The Green Sheet, Inc

The Green Sheet Online Edition

March 22, 2010  •  Issue 10:03:02


First Data's composite security system - a game changer?

Processing giant First Data Corp. recently launched a pilot security program to guard merchant POS systems, and the company hopes it will become a benchmark in the fight against data theft.

The pilot program, which will be tried on about 400 merchants over the next four months, uses a multipronged security architecture that combines "asymmetric" encryption with tokenization. The program was developed through a partnership with EMC Corp., which owns the RSA SafeProxy architecture First Data is deploying. Under the First Data program, the security architecture has been rebranded TransArmor℠.

According to Craig Tieken, Vice President of Product at First Data, the program will run through July 2010; the company plans to launch the product publicly thereafter. He said the goal is to have around 100,000 merchants linked to the TransArmor system by the end of 2010. He added that it is aimed at merchants of all sizes.

"You're starting to see increased sophistication of cyber crime that's no longer just targeted at the big guys; it's moving down market," Tieken said.

"So as big guys harden up their systems, [cyber criminals] are going down low, and our market research shows that although there's quite a bit of education to be done with the merchant community, awareness is growing rapidly."

For merchants with modern terminals, the product can be implemented with a simple computer download, Tieken said. He noted that its implementation would both fortify merchant environments and, through tokenization, dramatically simplify the Payment Card Industry (PCI) Data Security Standard (DSS) compliance process by relieving merchants of sensitive data storage.

"There's the part of your system capturing card data and then encrypting it; that's what's left within the scope of your PCI [compliance burden]," he said. "The rest of it is no longer touching card data. When I'm not storing card data at all and I'm encrypting card data when it's in motion ... it becomes much easier to answer those [PCI] questions, and a lot can be prepopulated as a standard response."

Extra-strong encryption

According to Tieken, TransArmor's front-end is strengthened beyond standard encryption schemes through a divided, asymmetric encryption method. Data is encrypted within the merchant's terminal but can only be decrypted by First Data at the processing end. Thus, thieves who penetrate a merchant's POS system theoretically have no way to view the raw data therein. Even if they crack the encryption scheme, they can't use that formula for decryption.

"It's a method of doing encryption in which you have a key pair that's split apart," Tieken said. "The public key is given to the merchant. That's the component that does the encryption at the merchant location but can't decrypt. So they send [First Data] this encrypted block of data, and we have the corresponding second key in our data center. So even if someone got a hold of the key from the merchant they can't do anything with it."

Tieken added that encrypted payment data is decrypted by First Data and returned to the merchant in the form of a token - a random set of numbers that allows the merchant to conduct chargebacks, recurring billing and other post-transaction functions without handling sensitive card data. The token retains the last four digits of the original card number so that customers can identify their cards on receipts.

Extra security layer with recurring billing

Furthermore, under the TransArmor solution, a consumer who uses recurring billing is represented by a unique identification number separate from the token returned to the merchant. If continuous payments were made with the original token, Tieken said, a stolen token could be used just like a credit card number in a recurring billing scenario.

"In the card-not-present recurring base, what we have is a class of the token that actually represents me and the biller to First Data differently than the token that is sent back for purposes of [merchant] reporting and getting paid," he said. "So I actually have a consumer ID that represents me to [for example] my electric company for purposes of recurring billing.

"If I just took my financial token used for reporting and chargeback exception items and said, 'Take that token and submit a new transaction,' then I can start to launder those things, and I've done nothing but replace one card number with another card number."
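The flow described in the two sections above, as an added sketch that is not First Data's or RSA's code: the terminal encrypts with a public key, the processor decrypts and returns a token that keeps the last four digits, and recurring charges are accepted only against a separate consumer ID. The function and class names, RSA-OAEP with a 2048-bit key, the UUID consumer ID and the per-biller binding are assumptions; the article gives no algorithm details.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Terminal side: holds the public key only, so it can encrypt but not decrypt.
function terminalEncrypt(publicKey, pan) {
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(pan, 'ascii'));
}
// Processor side (hypothetical class): sole holder of the private key and vaults.
class Processor {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.publicKey = pair.publicKey;   // distributed to merchant terminals
    this.privateKey = pair.privateKey; // stays in the data center
    this.vault = new Map();            // financial token -> card number
    this.recurring = new Map();        // "biller:consumerId" -> card number
  }
  // Decrypt the terminal's block; return random digits plus the card's last four.
  tokenize(block) {
    const opts = { key: this.privateKey, ...OAEP };
    const pan = nodeCrypto.privateDecrypt(opts, block).toString('ascii');
    if (!/^\d{13,19}$/.test(pan)) throw new Error('malformed card number');
    let token = '';
    for (let i = 0; i < pan.length - 4; i++) token += nodeCrypto.randomInt(10);
    token += pan.slice(-4);
    this.vault.set(token, pan);
    return token;
  }
  // Issue a consumer ID for one biller, a separate class of value from the token.
  enrollRecurring(biller, token) {
    const pan = this.vault.get(token);
    if (!pan) throw new Error('unknown token');
    const consumerId = nodeCrypto.randomUUID();
    this.recurring.set(`${biller}:${consumerId}`, pan);
    return consumerId;
  }
  // New charges are accepted only against a consumer ID enrolled for this biller.
  chargeRecurring(biller, id) {
    return this.recurring.has(`${biller}:${id}`);
  }
}

// Constructed sample run; 4111111111111111 is a widely used test card number.
function demo() {
  const fd = new Processor();
  const block = terminalEncrypt(fd.publicKey, '4111111111111111');
  const token = fd.tokenize(block);
  const consumerId = fd.enrollRecurring('electric-co', token);
  let publicKeyDecrypts = true;
  try { nodeCrypto.privateDecrypt({ key: fd.publicKey, ...OAEP }, block); } catch { publicKeyDecrypts = false; }
  return { token, publicKeyDecrypts, tokenCharged: fd.chargeRecurring('electric-co', token),
    idCharged: fd.chargeRecurring('electric-co', consumerId),
    idElsewhere: fd.chargeRecurring('other-shop', consumerId) };
}
```

In `demo()`, the financial token is refused as a charge credential and the consumer ID works only for the biller it was enrolled with, so a token lifted from merchant reports cannot stand in for a card number.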

Major step forward

Theodore Svoronos, Certified E-Commerce Consultant with Group ISO Inc., said First Data's program marks a significant step forward in the payment business's longstanding fraud fight. The technology being used isn't anything new, but the deployment of a composite token/encryption security product on the scale intended by First Data would be groundbreaking, he said.

"All these security products have been around since 2000, 2001 - all these bits and pieces," Svoronos said. "The problem we've been having in this industry is the attrition rate, the low adoption rate, customer drop off and sales going down because [merchants] don't get it. ... By First Data adopting this, they are becoming a leader in this space. They have the wherewithal and financials and ability to do it, and they can cherry pick the best of the best and put it together, and RSA is phenomenal.

"PCI is a wonderful situation and well-needed, but to some point it's still reactionary. I believe in a proactive approach, and this approach First Data is trying is a proactive approach. And those [merchants] that do decide to jump on board this train before it leaves the station will realize the value down the road."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
