Lawmakers at House hearing voice excitement about evolving industry, but also express concern about security and regulatory gaps.
March 22
As traditional and emerging payment providers scrap over many aspects of the mobile payments infrastructure being built in the U.S., security continues to be the top concern of consumers and industry leaders for emerging payments of all types.
One solution out there, First Data's TransArmor, has been making headway with merchants.
Under the TransArmor service, when the consumer swipes a card at a payment terminal, his account information is immediately replaced in the merchant's system with a token number that fraudsters should find useless, and the transaction is protected with end-to-end encryption.
Because the merchant is not holding on to the customer's information, it's theoretically less responsible for security, less vulnerable to a large data breach and less bound to the requirements of the Payment Card Industry Council's data security standard.
The TransArmor technology has been out for two years and is used by 230,000 merchants. It also works with some mobile payment technologies such as VeriFone's PAYware Mobile. It could be integrated with newer mobile payment technologies such as Square and PayPal's new Triangle device, although it hasn't been yet.
AJB, a Toronto-based provider of payment processing software to merchants — 20 of the top 100 North American retailers are among its clients and its software runs on 300,000 POS devices — plans to start offering First Data's TransArmor security software with its next upgrade.
"For us, this is about continuing to stay ahead of customer demands," says Pat Polillo, vice president of sales at AJB Software. "Security of cardholder data is top of mind with retailers. Since 2002, we've seen an emphasis on securing a consumer's card so it's protected at all times, be it in flight or in storage. In the past two years, we've seen an uptick in our customers looking at end-to-end encryption solutions as the silver bullet to solving their auditing and security responsibilities."
Even among retailer customers that have converted to chip-and-PIN card technology, which is considered far more secure than magnetic stripe cards, the need for such security is strong, he says.
Canada began converting to EMV (the Europay MasterCard Visa chip card standard) in 2008 and AJB has done more than 30 chip-and-PIN projects with Canadian retailers. "We're finding that a lot of those same retailers who three years ago migrated to chip and PIN are now coming back to us and layering end-to-end encryption and tokenization on top of that," Polillo says.
Although chip and PIN does solve a lot of problems, "for retailers, the one thing chip and PIN doesn't do is reduce retailers' cost to stay PCI compliant," he says.
"A tier-one retailer on an annual basis has to go through an audit, they have to hire an auditor to look at their infrastructure, how cardholder data is being secured, and the steps the retailer is taking to make sure they've got a secure environment. From a resourcing, time and cost perspective, all those goals are substantial."
According to the National Retail Federation, its members have collectively spent more than $1 billion so far on PCI DSS compliance as part of their business operations.
Visa has positioned chip-and-PIN as an alternative to PCI compliance.
"What Visa strategically did in the U.S. was say if you do chip and PIN and if x% of your transactions are chip-based transactions, then you don't need to do a formal PCI audit," Polillo says.
"It's a brilliant strategy. Whether it makes a difference and gets EMV into the U.S. market as fast as they hope remains to be seen."