Advanced Encryption Efforts Rev Up

The expanding array of services offering merchants advanced encryption of sensitive payment card data is causing competition to heat up among purveyors already jockeying for dominance by touting each product's specific advantages.

Processing Content

Such major processors as Heartland Payments Systems Inc., First Data Corp., and WorldPay U.S. Inc. are well along in rolling out versions of their advanced payment-encryption technology, primarily to small and midsize merchants. Fifth Third Processing Solutions LLC, Chase Paymentech and others are poised to do so in the next several months.

More providers likely will join what observers say will be a major movement within the next couple of years among merchants to adopt advanced data-encryption services to protect against breaches and potentially reduce their costs associated with Payment Card Industry data- and application-security compliance.

Processors so far have led the sales push, mostly marketing advanced data-encryption products as add-on services to smaller merchants. But ISOs are on the verge of getting into the act on a broad scale, primarily reselling the services directly to merchants, various service providers say.

Promoting advanced data-encryption services could open fresh business opportunities for ISOs, observers say. However, the services may be more complex and potentially require more agent education on the new technology and more time to complete the sales process. The revenue potential for ISOs of selling advanced data-encryption services also is not yet clear, as prices and packages of products are not yet widely available.

As it evolves, the competitive battle for advanced data-encryption services is centering on the quality and type of security surrounding payment card data entry at the point of sale, the expense and hassles involved in switching payment terminals to incorporate the new data-security features, and the degree to which adding such systems will save merchants money by beefing up data protection.

"The groundwork of building the foundation and technology of point-to-point encryption technology has mostly been done, and within the next few months we will see it begin to take off in a major way as the business case for adding data encryption builds," says Drew Soinski, vice president of payments at Voltage Security Inc., whose SecureData encryption service forms the backbone of several new services. Voltage says it has partnerships with Heartland, Fifth Third, US Bancorp's Elavon Inc. and Merchant Link LLC, among others.

VeriFone Systems Inc. provides security technology that WorldPay and other processors are using. VeriFone in October announced a partnership with RSA to market a point-to-point advanced data-encryption service called VeriShield Total Protect.

Processors and ISOs likely will take a variety of approaches to marketing advanced data-encryption services, Soinski says.

"Within the next couple of months we'll see a lot more activity from ISOs that will resell advanced encryption services, or include it in new packages or even give it away, depending on their programs," Soinski notes, adding it is still "very early" in that cycle to determine which strategies will prove most effective.

Most of the services in demand share core features, particularly the ability to protect sensitive cardholder data while the information is in transit from the point of sale to the processor. The services encrypt transaction data so the information is indecipherable to hackers who might intercept it as it travels along the payment-processing chain before arriving at the processor, where it is decrypted. This service is usually separate from tokenization systems that protect card data merchants store within their facilities, although the services sometimes are sold in combination.

Tamper-Proof Modules
Heartland since last year has been selling its E3-branded advanced data-encryption product, which requires a proprietary payment terminal, through its 1,100-member direct sales force, Steve Elefant, Heartland's chief information officer, tells ISO&Agent. So far, the firm has closed deals with more than 11,000 mostly smaller merchants, and restaurant and hospitality channels have yielded the strongest early interest, he notes. Heartland says it processes transactions for more than 250,000 merchant locations.

Midsize and multilane merchants also are joining the movement. WorldPay in January announced the deployment of its advanced data-encryption service with a multilane merchant, Independence, Mo.-based supermarket chain Price Chopper (see sidebar on page 44).

First Data's sales force in September began promoting its TransArmor advanced data-security encryption service that protects cardholder data through software that can be installed on PC-based POS systems with "little to no investment in new or upgraded hardware."

So far, First Data has sold 125,000 mostly smaller merchants its software-based data-encryption service, Tim Horton, the processor's vice president of merchant product management, tells ISO&Agent. But the company plans later this year to begin offering merchants an edition of TransArmor with VeriFone's VeriShield hardware-based encryption, he says.

As two of the first major providers to hit the market with advanced data-encryption services, Heartland and WorldPay are capitalizing on the fact that their services include a tamper-proof, hardware-based security module that experts say is the Holy Grail in achieving cost savings. They say the module, which is designed to prevent crooks who tamper with the payment terminal from intercepting any useful cardholder data from previous transactions, eliminates the need for certain expensive PCI data-security compliance procedures and guarantees against data breaches.

Software Versus Hardware
The hardware-security module is important because it fulfills one of the hallmarks of secure point-to-point data-encryption systems: a totally secure pathway for card data entering the payment terminal and cash register before the information is routed to the acquirer and processor, Jose Diaz, director of technical and strategic business development for Weston, Fla.-based data-security firm Thales e-Security Inc., a unit of France-based Thales Group, tells ISO&Agent.

That extra layer of security at the point of sale usually requires installation of a new payment terminal, Diaz says. Thales provides the security technology within hardware security modules processor Heartland and others use in their data centers for advanced data-encryption services. Other companies, such as Scottsdale, Ariz.-based Hypercom Corp., also sell hardware security modules.

The advantage to the merchant in using a hardware security module at the point of sale is that "the cardholder information is never in the clear within (the merchant's) environment and, therefore, it will (protect all cardholder data from breaches) and reduce the scope of a PCI-DSS audit," Diaz says.

However, some processors, including First Data, provide merchants with a software-based data-encryption service that provides certain layers of data protection at the point of sale without the need to replace terminals, Diaz says.

For example, a software-based security module may suffice as a short-term approach for credit-card-only environments, where unencrypted payment card data pass from a magnetic stripe card reader to a cash register before the information is encrypted and sent to the payment processor, Diaz says.

Such a setup is acceptable in some scenarios and may better serve merchants that may need access to some of the unencrypted card information for loyalty programs or fleet card management, for example, Diaz says. But it is not the ideal approach, and "compensating controls" would be required to mitigate the risk of data compromise if payment card data are not encrypted before reaching the cash register, he says.

In cases where sensitive cardholder data are not protected using secure cryptographic devices before reaching the cash register, it is unlikely merchants can avoid any PCI data-security requirements, Diaz adds.
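The two architectures Diaz contrasts above, and the in-transit protection described earlier in the article, come down to where along the path the card data are first encrypted. The following Go program is an added illustration written for this page; it is not code from WorldPay, Heartland, First Data, VeriFone, Voltage or Thales. It assumes a single static AES-128-GCM key shared by the encrypting device and the processor (a simplification of real point-to-point key management, which uses per-device keys), and uses a constructed track-2-style string built around a well-known test PAN. The `Register` type records every message the merchant's cash register handles, so a run shows that in the hardware model the register never holds the PAN in clear, while in the software model it does; `TamperDetected` shows the processor rejecting a blob modified in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SampleTrack is constructed test data in a track-2-like layout (a well-known
// test PAN, not a real card); SamplePAN is the account number inside it.
const (
	SampleTrack = "4111111111111111=2512101"
	SamplePAN   = "4111111111111111"
)

// Endpoint is a party holding the AES-128-GCM key. In the hardware model the key
// lives only inside the tamper-resistant reader and at the processor; the
// merchant's register never gets one. Assumption: one static shared key, a
// simplification of real per-device key management.
type Endpoint struct{ aead cipher.AEAD }

func NewEndpoint(key []byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key) // 16-byte key -> AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag for the track data.
func (e *Endpoint) Seal(track []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, track, nil), nil
}

// Open decrypts a blob produced by Seal; any modified blob fails the GCM tag check.
func (e *Endpoint) Open(blob []byte) ([]byte, error) {
	ns := e.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return e.aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// Register models the merchant's cash register / POS software. It keeps every
// message it handled so we can audit what passed through the merchant environment.
type Register struct{ Seen [][]byte }

func (r *Register) Handle(msg []byte) []byte {
	r.Seen = append(r.Seen, msg)
	return msg
}

// ExposesPAN reports whether any message the register handled contains the PAN in clear.
func (r *Register) ExposesPAN(pan []byte) bool {
	for _, m := range r.Seen {
		if bytes.Contains(m, pan) {
			return true
		}
	}
	return false
}

// Flow runs one transaction. With encryptAtReader the hardware reader encrypts
// before the register sees anything; otherwise the register receives clear track
// data and encrypts in software. Returns the register (for auditing) and the
// track data the processor recovered.
func Flow(key, track []byte, encryptAtReader bool) (*Register, []byte, error) {
	ep, err := NewEndpoint(key) // same key at the encrypting side and the processor
	if err != nil {
		return nil, nil, err
	}
	reg := &Register{}
	var blob []byte
	if encryptAtReader {
		blob, err = ep.Seal(track) // encrypted inside the tamper-resistant reader
	} else {
		blob, err = ep.Seal(reg.Handle(track)) // register handled the clear track first
	}
	if err != nil {
		return nil, nil, err
	}
	recovered, err := ep.Open(reg.Handle(blob)) // processor decrypts at the end of the path
	return reg, recovered, err
}

// TamperDetected flips one byte of a sealed blob in transit and reports whether
// the processor rejected it.
func TamperDetected(key, track []byte) (bool, error) {
	ep, err := NewEndpoint(key)
	if err != nil {
		return false, err
	}
	blob, err := ep.Seal(track)
	if err != nil {
		return false, err
	}
	blob[len(blob)-1] ^= 0x01 // corrupt the last byte (part of the GCM tag)
	_, err = ep.Open(blob)
	return err != nil, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key only
	for _, hw := range []bool{true, false} {
		reg, out, err := Flow(key, []byte(SampleTrack), hw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("encrypt at reader=%v: processor recovered %q; register saw PAN in clear: %v\n",
			hw, out, reg.ExposesPAN([]byte(SamplePAN)))
	}
	det, _ := TamperDetected(key, []byte(SampleTrack))
	fmt.Println("tampered blob rejected by processor:", det)
}
```

The wire format is identical in both flows, which is why the software approach still protects data in transit; the difference that drives PCI scope is only which component handled the clear PAN, exactly what `ExposesPAN` reports.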

Certain Relief
A software-based advanced data-encryption approach provides many of the same advantages as a hardware security module, First Data's Horton contends, noting it requires minimal implementation and training. A "large number" of First Data customers have "experienced relief from the resources and costs" associated with PCI compliance using its software-based module, he says.

But the hardware security module approach likely will become the standard in most merchant settings operating with advanced data encryption, especially for merchants seeking certain relief from PCI-compliance requirements, Diaz suggests. It will be a gradual process for merchants to upgrade payment terminals, he notes.

Heartland so far is seeing "solid demand" from merchants for its E3 advanced data-encryption service, sold as an add-on to basic processing, Elefant says.

Heartland offers merchants a warranty in which it promises to pay the cost of any merchant data breaches that occur using its service. Heartland's warranty is unusual and "a big selling point" for the product, Elefant says.

"We tell merchants that if they use E3 and there's a data breach, we will pay any fines or fees," he says, noting the warranty terms are "very straightforward and simple."

Heartland began by selling the service only through its proprietary payment terminals. But the processor is licensing the E3 service, so it could be sold through other processors and terminal makers later this year, Elefant says.

WorldPay also is getting brisk interest in its advanced data-encryption service that uses VeriFone's VeriShield as its core security technology, says Ian Drysdale, WorldPay senior vice president, product and business development.

Terminal Replacement
The firm is targeting merchants of all sizes, both through its direct sales force of 300 and the dozens of ISOs that resell its products. WorldPay's advanced data-encryption service is available using a variety of VeriFone's payment terminals.

The pain for merchants of replacing payment terminals varies. In some cases, merchants are ripe for a terminal upgrade, but in other cases they balk at shelling out funds on costly new terminals to gain security, Drysdale says.

"A key advantage we offer is the fact that a merchant can choose from a variety of types of VeriFone terminals, so they are not tied to a specific piece of hardware," he says.

Terminal-replacement costs are not a deal-breaker for many merchants weighing their options, Heartland's Elefant contends. "New devices designed for fully secure advanced data-encryption services are not prohibitively expensive, especially when compared with the hundreds of thousands of dollars in costs merchants might rack up in a data breach," he adds.

Heartland's E3 terminal price starts at $85, Elefant says. The advanced data-encryption service cost varies, based on the size and scope of the merchant.

Merchants must also weigh the upfront costs of replacing terminals against the potential long-term cost savings from data-breach liabilities and from reducing the costs and scope of future PCI data-security compliance efforts, Voltage Security's Soinski says.

Merchant data-security audits that technology-auditing firm Coalfire Systems Inc. has conducted for Voltage show that merchants whose advanced data-encryption service incorporates Voltage's technology have reduced the overall cost of PCI data-security compliance efforts by as much as 79%, Soinski notes.

The cost savings such POS hardware security modules provide merchants can be significant because they eliminate the need for merchants to verify their virus scanning, intrusion detection, firewalls, network management and card protection, he says.

Besides cutting the general costs of PCI data-security standards compliance, adding advanced data-encryption services can eliminate "at least $15,000 to $25,000 alone to hire an auditor" to certify payment software under the PCI payment application data-security standard, Heartland's Elefant says.

The payment application data security standard typically applies to vendors of payment-software applications, such as those a merchant incorporates into its systems for handling customer refunds.

A nagging concern for some merchants considering adopting advanced data-encryption services is the lack of consistent standards, which "makes interoperability and implementations difficult, as well as potentially ending up with (outcomes) that may not include (the latest) standards," Thales' Diaz says.

Elefant contends the current lack of solid standards will not pose problems for merchants that already have adopted advanced data encryption.

"There is a common misperception that standards are the same as interoperability, and that is not the case," he says. "The standards are evolving as we go along, and we are very active in discussions with the bodies putting them together. So far, the standards proposed would embrace what we are doing with E3 and what rivals (such as VeriFone) are doing with their services."

Smaller merchants are in the first wave of those adopting advanced data-encryption services, but different challenges face large merchants because of the broad scale of overhaul and time required when large merchants adopt them.

Installing advanced data-encryption systems for larger merchants can take many months because of the need to make them interoperable with more-complex back-end systems, says Mark Bower, Voltage vice president of product management.

"When we sit down with a Level 1 merchant to bring in advanced data encryption, we have to discuss broad system architecture and do a full roadmap of how it will work on multiple levels," Bower says.

It is early in the process, but purveyors of advanced data-encryption services are revving up sales channels and plan to market their products by touting their technical advantages and guarantees. The next year is likely to see a variety of new providers rolling out additional services, with competition shifting to pricing and promotions that have yet to take shape.

Encryption Service To Save Supermarket Money, Owner Says
WorldPay U.S. Inc., which incorporates VeriFone Systems Inc.'s VeriShield into its advanced data-encryption service, has made significant progress wooing merchants to adopt a tamper-proof hardware module to prevent crooks from intercepting sensitive cardholder data from terminals at the point of sale.

Small merchants initially adopted the system's hardware security module, but the service is suitable for merchants of any size, according to WorldPay.

Price Chopper, a nine-unit supermarket chain owned by Independence, Mo.-based McKeever's Enterprises, installed WorldPay's advanced card-data encryption service in three of its multilane outlets this year. It plans to roll out the service in its six other stores within the next few months, Tim Cosens, the firm's director of information technology, tells ISO&Agent.

The company would not disclose the cost of adding advanced data-encryption to its payment processes. However, the investment was timely because the company already had planned to upgrade to new payment terminals, Cosens says.

Price Chopper also weighed the cost to upgrade to new terminals and the encryption process against facing potential fines and penalties from the credit card networks in case a breach were to occur, Cosens says.

"We wouldn't need to continue to invest as much in building 'higher walls' around our security measures," he adds.

Cosens estimates that the supermarket chain may cut its costs associated with PCI data-security standards compliance "by 70% to 75%," once it completes its installation of WorldPay's encryption service within all of its outlets.

