First Data Corp. hopes to raise the stakes among payment-terminal makers and processors vying to encrypt cardholder data with a new product it contends goes further than other market offerings.
The Atlanta-based processor today announced a pilot of its TransArmor data-security service, which encrypts payment data at the point of sale through processing, eliminating the need for merchants to store cardholder data on site, thus reducing fraud exposure. TransArmor, an earlier version of which was called First Data Secure Transaction Management, also will reduce the scope of Payment Council Industry compliance efforts significantly, First Data says.
The TransArmor test, which will continue for four months, involves 400 merchants of varying sizes, including those supporting card-not-present transactions, First Data says.
The processor made the announcement at the RSA Conference 2010 information-security gathering, which kicks off today in San Francisco.
Unlike competitors’ offerings, TransArmor works with all types of payment terminals, and the encryption process occurs entirely “behind First Data’s firewalls,” Bruce Dragt, First Data division manager of merchant product and development, tells PaymentsSource.
“(Data-encryption) offerings vary by provider, and while some provide one part of the encryption process that stays behind the merchant wall, ours begins at the merchant level and continues all the way through processing. We have packaged it together so merchants get the whole piece as one complete offering,” Dragt says.
Merchants must pay an additional service fee for the service, which is sold through third-party acquirer channels. First Data envisions the cost will be “an incremental additional fee” for merchants, Dragt says.
Data-encryption recently has become a new marketing tool for payment-terminal manufacturers and processors. VeriFone Holdings Inc. in 2008 introduced the first widely marketed encryption product, expanding it last year across all point-of-sale lines (
One payment-security expert says encryption is “a good step” toward protecting cardholder data, but it does not solve all of merchants’ potential card-fraud problems.
“Everybody is looking for the magic bullet, and while data encryption helps reduce a lot of the responsibility for fraud from merchants, no one has fully tested or proven its ability to protect against all fraudsters,” Rocco Grillo, a managing director in the information-security data-privacy practice at Protiviti Inc., tells PaymentsSource.
While many of the new data-encryption services remove live cardholder data from merchants’ bases, merchants still must go through PCI security compliance, Grillo adds.
And encryption does not protect against fraud at all levels. “Encrypting data once the transaction is in progress is an improvement, but the need for physical security around the terminal itself remains, along with exposure to any other machines contacting the transaction data and who has access to it,” Grillo says.
