Friends When it Comes To the Breach Wars

Elavon recently adapted technology from Voltage and Semtek as part of an end-to-end encryption play. Christopher Kenyon, EVP and CIO for the global payments processing subsidiary of U.S. Bancorp, recently discussed the sharing of security information among processors and security interoperability.

 

BTN: How have the breaches and other incidents that have hit the payments processing industry impacted the entire market?

Kenyon: We've always focused on security. But it was a rude awakening for many of us when the [Heartland] breach took place. So we went back and looked at our security with a focus on ensuring that our protections are solid.

 

Are payments processors a prime target for Internet crooks?

There's a world of people who want to try and hack into any business of value, whether it's a large retailer, a financial institution or a credit card processor. Any place where crooks think they can find value, they're going to go after it. We're all targets.

 

What is your involvement in the Information Sharing Council, and how does it contribute to your focus on improving security information?

We sit on the steering committee of a group whose membership is made up of almost every large processor in the country sharing information on security and threats to protect ourselves. Who better to protect an industry than the players in that industry? Except for confidential information, there's good flow of information back and forth.

 

What is the balance between shared information and information that's retained?

We don't talk about customers or information connected to the customers. There are currently about a dozen different projects underway, dealing with topics such as data loss protection and various security controls. We have firms of various sizes in the group, and we all have something that can help the other. There's information that one firm might have that others may not.

 

Are firms more open to sharing information than in the past?

There's a heightened awareness of the threat across the industry that serves to make all of us in the industry stronger. The industry as a whole is working to protect itself and the sharing council is one method. There are many different solutions that have been presented in the past year to 18 months. Encryption and tokenization are among the tools that are popping out of the industry. The industry is starting to take care of itself in terms of [securing the payment] process.

 

Do you think the Information Sharing Council has reduced the threat of hacking of payment processors?

It would be difficult to quantify and point to the Council as the true cause of any reductions in hacking. However, it's safe to say that sharing information among payment industry leaders who are united on the mission to reduce and stop security breach attempts is a plus no matter how you measure it.

 

How is "format preserving" encryption helpful in terms of driving adoption of the technology, and in the effectiveness of the solutions?

Format-preserving encryption preserves the original format of card data, which means that point-of-sale (POS) systems do not need to be modified to accept and pass the data along for processing. Many POS systems' software would need to be modified if instead of receiving "typical" card data to populate transaction fields, they needed to receive a much longer string of characters.

 

Are you concerned about the lack of interoperability among different tokenization and encryption solutions being deployed by different payments and processing firms?

They should have more interoperability, and it's something that the membership [has discussed]. What we've seen is a bunch of companies come out with their own flavor of security tool sets that are making a difference in protecting the industry, that are providing another layer of protection. And with that mindset [the membership and industry] will work toward some consolidation [of protective measures] over time. The processors want interoperability to happen sooner rather than later, because we currently have to support all types of solutions. But the big picture is that it's a good thing that we're starting to see these encryption and tokenization solutions come out.

 

What is your position on the further adoption of EMV (the payment security standard that's widely used in Europe), particularly in the United States?

We're constantly looking at it. It's not proven to provide the overwhelming value that some people think is there. The cost of deployment is staggering. Will it happen? It will happen at some point. This is a classic case of chicken-and-egg: issuers aren't ready to issue more expensive plastics until the cards can be read at a majority of checkouts, and merchants aren't willing to purchase more expensive chip-enabled terminals until a critical mass of chip-enabled cards are in the market. Payment terminals have to be reengineered to read these cards, and everybody's system has to change. It's a large undertaking. If you look at some of the other places, such as the European Union and Canada, millions of dollars have been spent [on converting systems to accommodate EMV standards], and we've not seen the difference that was expected.
