The expanding array of services offering merchants advanced encryption of sensitive payment card data is causing competition to heat up among purveyors already jockeying for dominance by touting each product’s specific advantages.
Such major processors as Heartland Payment Systems Inc., First Data Corp., and WorldPay U.S. Inc. are well along in rolling out versions of their advanced payment-encryption technology, primarily to small and midsize merchants. Fifth Third Processing Solutions LLC, Chase Paymentech and others are poised to do so in the next several months.
More providers likely will join what observers say will be a major movement within the next couple of years among merchants to adopt advanced data-encryption services to protect against breaches and potentially reduce their costs associated with Payment Card Industry data- and application-security compliance.
Processors so far have led the sales push, mostly marketing advanced data-encryption products as add-on services to smaller merchants. But ISOs are on the verge of getting into the act on a broad scale, primarily reselling the services directly to merchants, various service providers say.
Promoting advanced data-encryption services could open fresh business opportunities for ISOs, observers say. However, the services may be more complex and potentially require more agent education on the new technology and more time to complete the sales process. The revenue potential for ISOs of selling advanced data-encryption services also is not yet clear, as prices and packages of products are not yet widely available.
“The groundwork of building the foundation and technology of point-to-point encryption technology has mostly been done, and within the next few months we will see it begin to take off in a major way as the business case for adding data encryption builds,” says Drew Soinski, vice president of payments at Voltage Security Inc., whose SecureData encryption service forms the backbone of several new services. Voltage says it has partnerships with Heartland, Fifth Third, U.S. Bancorp’s Elavon Inc. and Merchant Link LLC, among others.
VeriFone Systems Inc. provides security technology that WorldPay and other processors are using. VeriFone in October announced a partnership with RSA to market a point-to-point advanced data-encryption service called VeriShield Total Protect.
Terminal Replacement
WorldPay also is getting brisk interest in its advanced data-encryption service that uses VeriFone’s VeriShield as its core security technology, says Ian Drysdale, WorldPay senior vice president, product and business development. The firm is targeting merchants of all sizes, both through its direct sales force of 300 and the dozens of ISOs that resell its products. WorldPay’s advanced data-encryption service is available using a variety of VeriFone’s payment terminals.
The pain for merchants of replacing payment terminals varies. In some cases, merchants are ripe for a terminal upgrade, but in other cases they balk at shelling out funds on costly new terminals to gain security, Drysdale says.
“A key advantage we offer is the fact that a merchant can choose from a variety of types of VeriFone terminals, so they are not tied to a specific piece of hardware,” he says.
Terminal-replacement costs are not a deal-breaker for many merchants weighing their options, Heartland’s Elefant contends. “New devices designed for fully secure advanced data-encryption services are not prohibitively expensive, especially when compared with the hundreds of thousands of dollars in costs merchants might rack up in a data breach,” he adds.
Heartland’s E3 terminal price starts at $85, Elefant says. The advanced data-encryption service cost varies, based on the size and scope of the merchant.
Merchants must also weigh the upfront costs of replacing terminals against the potential long-term cost savings from data-breach liabilities and from reducing the costs and scope of future PCI data-security compliance efforts, Voltage Security’s Soinski says.
Merchant data-security audits that technology-auditing firm Coalfire Systems Inc. has conducted for Voltage show that merchants whose advanced data-encryption technology incorporates its technology have reduced the overall cost of PCI data-security compliance efforts by as much as 79%, Soinski notes.
The cost savings such POS hardware security modules provide merchants can be significant because they eliminate the need for merchants to verify their virus scanning, intrusion detection, firewalls, network management and card protection, he says.
A Lack Of Standards
Besides cutting the general costs of PCI data-security standards compliance, adding advanced data-encryption services can eliminate “at least $15,000 to $25,000 alone to hire an auditor” to certify payment software under the PCI payment application data-security standard, Heartland’s Elefant says.
The payment application data-security standard typically applies to vendors of payment-software applications, such as those a merchant incorporates into its systems for handling customer refunds.
A nagging concern for some merchants considering adopting advanced data-encryption services is the lack of consistent standards, which “makes interoperability and implementations difficult, as well as potentially ending up with (outcomes) that may not include (the latest) standards,” Thales’ Diaz says.
Elefant contends the current lack of solid standards will not pose problems for merchants that already have adopted advanced data encryption.
“There is a common misperception that standards are the same as interoperability, and that is not the case,” he says. “The standards are evolving as we go along, and we are very active in discussions with the bodies putting them together. So far, the standards proposed would embrace what we are doing with E3 and what rivals (such as VeriFone) are doing with their services.”
Look for an expanded version of this article in the March issue of ISO&Agent magazine arriving shortly.