Processor Breaches May Prompt Shifts in Liability, Security Tech

After any major data breach, the payments industry is ripe for a change in behavior. In the wake of the news of Global Payments' (GPN) breach last month, some are asking processors to tighten security and accept more risk.

The Payment Card Industry data security standard affects any entity that handles card data (including banks), but the card networks have focused most of their enforcement efforts on merchants — a group that has not been entirely welcoming of the security burden.

"The merchant who is barely making a living will turn around and say, 'thanks for telling me about PCI, but there is no return on investment for me,' " says Suni Munshani, CEO of Protegrity USA. Those merchants seek ways around PCI compliance, he adds.

Because of the news about the Global Payments breach, among other factors, Munshani says the payments industry is prepared to "transfer the risk up the food chain" as processors accept more risk responsibility and keep data away from merchants.

Protegrity sells tokenization software, which keeps card data off merchants' payment systems by providing tokens, or a set of symbols that represent the card data, after card authorizations.

Card processors and acquirers are considering this technology, and many already provide it, says Adil Moussa, a senior analyst at Aite Group, a Boston-based consulting and research company.

"Some are giving tokenization away as part of the service; others see it as a source of revenue," Moussa says.

Similarly, Heartland Payment Systems (HPY) began promoting encryption (and began selling its own encryption service) after it suffered a major data breach in 2008.

When the United States shifts to EMV smart card and Near Field Communication technology, merchants will enjoy a liability shift anyway, Moussa says. "Expecting someone to offer tokenization and take the hit for any risk involved has a certain level of marketing spin to it," he adds.

Read the full article on PaymentsSource.