The San Jose terminal maker VeriFone Holdings Inc. has developed a system that can encrypt payment data when cards are presented to a merchant, filling a potential security gap.
VeriFone said Wednesday its VeriShield Protect system incorporates the encryption function into card readers. Merchants encrypt data before forwarding it to their acquirers, but usually not this early in the process, and Jeff Wakefield, the vice president of marketing for VeriFone's integrated systems unit, said in an interview that there is a window for criminals to access the data.
By encrypting data as soon as it is captured, and keeping it encrypted until it is sent to an acquirer or processor, retailers would not have any data that would be useful to criminals, he said.
VeriFone said the system goes beyond what is required by the Payment Card Industry security standards, which govern how merchants use and safeguard information.
"The problem is PCI is a whole set of things to try to protect your enterprise, to try to lock it down, but it's a very complex environment in the retail arena with hundreds of store locations, thousands of devices, networks, and employees," Mr. Wakefield said. "The reality may be that trying to lock down this environment 24/7 may not be achievable."
Since VeriShield Protect uses the encryption hardware built into point of sale terminals, there is no separately stored encryption key to worry about losing or exposing, he said. Savvy fraudsters may still be able to steal the data, but VeriFone's system makes it substantially harder for them to read, he said.
The system also encrypts the information in such a way that it can travel along the same data pipes as unencrypted information, so merchants can use their current equipment to move the data.
VeriFone has added the VeriShield Protect system to its MX800 terminals and plans to incorporate the system into its Vx Solutions products this year.
Mr. Wakefield said using terminals with encryption capabilities would let a merchant spot an unauthorized payment on its network immediately, such as in a breach last year at Stop and Shop Supermarket Cos., in which scammers replaced card readers with devices they controlled.
In such a case, "at the very first transaction we would recognize" that the unauthorized terminal lacks the proper encryption capabilities and the correct device identification number, he said.
VeriFone has signed up two customers for VeriShield Protect and expects to name one this week. It also says it is in talks with two other customers. The system uses encryption technology from Semtek Innovative Solutions Corp.
VeriShield Protect is being offered only to large merchants, though VeriFone is working on a version that would work with small businesses. That version would require the acquirer's cooperation, Mr. Wakefield said.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said VeriFone's approach has merit.
"This solution is a really good solution, because it encrypts the data before it even gets in the system," she said. "The downside is you've got to be a VeriFone customer. If someone doesn't have VeriFone terminals, they have to change everything." However, "this is a good investment" for those who have the terminals or can afford to switch.
"If data is encrypted before it enters the retailer system, as VeriShield is designed to do, then a thief can only steal the data if he has access to the decryption keys," Ms. Litan said. The setup could prevent some breaches, since criminals will not be able "to see the data in transit."