Commerce Bank Offers Merchants Security Help That's Gratefully Accepted

  • The payments industry is embracing point-to-point encryption and tokenization rapidly, in fact much faster than the PCI Security Standards Council can come up with rules that grant its stamp of approval on the advanced technology. Those eager for new rules argue that encrypted or tokenized networks should be subject to a much less rigorous PCI audit process in light of the nature of their security setups. "The retailers and other card accepting organizations are still subject to uneven interpretations. They don't have any clarity that if they implement point-to-point (encryption) or tokenization they will have reduced audit scope," says Avivah Litan, a vp at Gartner.

November 1

Merchants struggle with the cost of security. But help, and an opportunity for banks, may be around the corner. More detailed testing, protocols and guidance regarding the use of new, cost-saving encryption techniques is on the way, just as the corresponding technology solutions expand and gain traction with card issuing banks.

The new payment security products are designed to reduce the scope and cost of Payment Card Industry Data Security Standard (PCI DSS) compliance testing by removing sensitive consumer information as the payment process passes through other hardware or computer systems at the merchant, or travels to the issuing bank — leaving only the actual payment terminal open to PCI compliance auditing.

The cost savings would be welcome news, since the National Retail Federation says PCI compliance spending by merchants over the past couple of years has surpassed $1 billion as merchants prepare and upgrade internal systems for yearly PCI assessments.

Commerce Bank has jumped in and is offering First Data's TransArmor data protection product to its business customers. "It's not a tough sell for us," says Steve Ruch, an svp at Commerce Bank. "Merchants are actively looking for ways to come into compliance with limited expense."

TransArmor leverages RSA's SafeProxy architecture to replace payment card data with a token number that preserves the value of the card data for merchant business operations but renders the data useless if stolen or skimmed. Tim Horton, a vp at First Data, says the token replaces the consumer's PIN as an identifier as the transaction is sent back to the merchant.

"It makes the questionnaires that merchants have to answer much shorter, as well as maintaining ongoing compliance issues and updates from PCI," Ruch says, adding the product is a "single source" solution designed for ease of use. "We're using [payment processor] First Data's platform. So there's no third party."

TransArmor is part of a growing market of providers that sell "point to point" encryption (often called "end to end" by tech marketers). Point to point encryption, combined with the use of tokens to replace real identifying data, is becoming an increasingly popular way for financial institutions to offer payments security to merchants, lowering PCI compliance costs and providing a way for retailers to retain consumer data internally for future marketing purposes. Bank of America has also deployed TransArmor, and large processors such as Heartland and Fifth Third have also developed point to point encryption and tokenization systems. "People are finally standing up and taking notice on encryption and tokenization," Ruch says.

What has dogged the market is the question of whether point to point encryption and tokenization actually reduce PCI scope.

For most of the past year, scope reduction tied to point to point encryption and tokenization was uncertain, mostly because of the lack of standards among providers.

But in September the council released a new document that says point to point encryption may assist merchants in reducing the scope of their cardholder data environment and annual PCI DSS assessments. The council also plans to launch a set of validation requirements for point to point encryption that will guide merchants in their hope to reduce scope. PCI has also released validation requirements for hardware-based encryption and decryption solutions. Training to familiarize assessors with the program is targeted for early 2012.

Horton says First Data sits on the board of advisors for PCI, and is ensuring its system is in compliance with new guidance.
