Addressing Data Security for Companies that Can't Always Keep Up

When something is amiss at a location relying on tight security, officials often immediately implement a lockdown. Imagine the same scenario on a merchant's payments system, and one can start to understand how PaySecure software works.

PaySecure addresses card data security in a retail market where payments network technology has expanded much faster than most merchants can grasp, says Alan Stephenson-Brown, director of U.K. operations at Phoenix Managed Networks of Reston, Va.

"As technology expanded, many merchants went from a dial-in network to broadband, and there are [Payment Card Industry] data security issues that come with that, whether the payment system is personal computer-based or through Wi-Fi," Stephenson-Brown says.

Phoenix often finds merchants unaware that payments data moves through or is stored on "low-security networks" at their businesses, Stephenson-Brown says.

"Banks and processors have to educate merchants, as things move quickly from stand-alone systems to broadband, and we believe that makes it a good time to integrate security software," he says.

Phoenix, a payments network services provider, and Mako Networks Ltd., a provider of cloud-based network management systems, on Feb. 29 announced an agreement to provide PaySecure to acquirers and processors.

Constant updates to PCI standards along with technology developments can cause retail merchants to fall behind in payments network security, says Scott Strumello of Auriemma Consulting Group.

"It hasn't reached an overall dangerous level in terms of retailers not being aware, because the retail landscape is so diverse, and some businesses are on top of security technology and others are not," Strumello says.

"PaySecure fills a real need for those who have a hard time staying ahead on security technology," Strumello says. "If I were running Joe's Deli, I may find it very challenging to understand data security technology, and Phoenix and Mako are providing what almost amounts to a plug-and-play service that is really helpful."

PaySecure simplifies the important elements of PCI compliance by using a preconfigured template for merchants to follow and monitor for enforcement, as well as firewall and security protocols that can sense intruders, says Chris Nation, Mako's commercial manager for Europe.

Besides protecting data by ensuring encryption from the payments terminal until the information leaves the network for authorization, PaySecure automatically locks down the system firewall/router if an unauthorized person attempts to enter or change system parameters, Nation says.

Provided by Mako, the firewall/router protects the payments system from online attacks by creating a barrier between card data and the merchant's nonpayment systems in accordance with PCI data security standards, Nation says. In addition, PaySecure allows the merchant to direct payments data only to a trusted host or payments gateway, he says.

Because Phoenix authenticates each payments terminal for each individual merchant site, if a hacker tries to introduce a fake terminal into the system, PaySecure locks down and blocks the connection, Nation says.

PaySecure alerts the merchant and payments gateway provider with messages to authorized computers as soon as the software spots a nonapproved device in the system. Because PaySecure is cloud based, Mako provides any needed terminal adjustments electronically in a matter of minutes, and merchants are not required to complete any new configuration at their site, Nation says.

Too many merchants believe that once their systems have established PCI compliance, they can forget about PCI standards, Nation says. However, merchants should continually monitor and enforce security, especially when converting to broadband systems that hold much more data, he says.

"PaySecure addresses a majority of the questions asked by qualified security assessors in PCI compliance testing, especially related to compliance at the various portals within a payments system," Nation says.

Because most merchants have a contract with their payments processor to protect stored data, the PaySecure software only protects transaction data en route, not in storage, Stephenson-Brown says.

"PaySecure would work well for all levels of merchants or banks, but it is mostly designed for brick-and-mortar retail," Stephenson-Brown says.

Phoenix and Mako will offer PaySecure to acquirers and processors through direct sales channels or independent sales organizations, charging a flat monthly fee for the service based on the number of terminals at the merchant site.

Stephenson-Brown says that Phoenix and Mako are not pitching PaySecure "as a way to make PCI data security compliance go away." Rather, PaySecure properly secures a network and provides a much lower risk factor, he says.

Mako provides the firewall/router, broadband connection and other hardware as needed, but PaySecure also can operate on other cable service providers' broadband networks, Nation says.

The companies did not disclose financial details of the partnership, saying only that it was "a multimillion-dollar agreement."
