The Payment Card Industry Security Standards Council (PCI SSC) is expected to release guidance later this year on the use of tokens to replace credit card data, a move that could benefit some payment processors that sell technologies using encryption and tokenization to eliminate sensitive card information from merchant systems.
In a recent interview, Bob Russo, general manager of the PCI SSC, said he didn't expect any major changes to PCI DSS, which is undergoing a revision this year. But guidance documents are being developed to help merchants decide whether investing in encryption or PCI tokenization technologies is a wise move.
"We're creating a framework right now where we map these technologies out and lay them next to the standards, so if somebody is using one of these technologies, [the framework] will let them know if they would satisfy certain requirements," Russo said.
Some payment processors and encryption vendors have rallied around a mixture of encryption and tokenization software to protect card data when a card is swiped at a payment terminal. RSA, the security division of EMC Corp., is working with First Data to provide tokenization technology in the encryption services that First Data sells to merchants. Voltage Security Inc. sells encryption combined with tokenization and is working closely with Heartland Payment Systems Inc. to provide encryption and tokenization services.
Depending on the industry, merchants have the ability to store the data either encrypted or replaced with a token on their own servers, or send the data to the payment processors systems, where it is stored for later use. One industry expert said the PCI guidance will make it clear that merchants could be PCI certified if they have no ability to access the sensitive data.
Heartland commercially launched its E3 system this month. Mark Bouchett, owner of Homeport, a home décor store in Burlington, Vt., has been beta testing one of Heartland's E3 system encrypted terminals. His store runs a single terminal. It is low-volume -- typically under 30,000 credit card transactions a year, but Bouchett said he sees the benefit of offering more protection to his customers.
"We're a family business, so I'm interested in getting my customers home without getting ripped off," Bouchett said.
Under Heartland's E3 system, the transaction is immediately encrypted at the terminal and transmitted to Heartland, Bouchett said. The previous Heartland phone-based system used by Bouchett required him to keep card data stored on his systems for 24 hours.
"If it doesn't hamper the process and eliminates the risk, it's going to be a good thing for everyone involved," he said.
Bouchett said the E3 terminal is fast despite fully encrypting the data at the swipe of the card, but it is missing a PIN pad and has a fairly outdated looking graphical interface. A Heartland spokesperson said the commercially available version contains the same encryption capabilities, but has more updated features.
Terence Spies, chief technology officer of Voltage, said the company differentiates itself by offering identity-based encryption, a public key technique that enables Voltage to generate the public keys and then generate the matching private keys from the key server later. It gives the merchant the ability to encrypt the data at the point-of-sale without possessing the private keys, and therefore without any access to the sensitive credit card data.
"It allows us to encrypt things in such a way that even if an attacker gets a hold of a point-of-sale and opens it up there's nothing stored in that point of sale data that is going to yield them any useful data," Spies said.
The identity-based encryption technology can enable merchants to continue to use parts of a credit card number in transactional systems that need it for fraud prevention and other processes, Spies said. Smaller businesses can decide to outsource to payment processors, but larger businesses that require the Permanent Account Number (PAN) data on their servers will likely want to have the key management function in-house, Spies said.
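As an added illustration of the point above (example code written for this page, not Voltage's or any other vendor's product): a hypothetical processor-side token vault that replaces the PAN with a token keeping the first six and last four digits, so merchant systems can still run BIN-based fraud checks and match returns while holding no card data. The test card number and the rule that a token must fail the Luhn check (so it can never be mistaken for a live card) are assumptions of the example.

```python
import secrets


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check, as real PANs do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault (constructed, in-memory).

    The merchant only ever stores tokens; the token -> PAN mapping lives here.
    """

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            # Same card, same token: needed so returns and chargebacks still match up.
            return self._by_pan[pan]
        head, tail = pan[:6], pan[-4:]        # BIN and last four survive for fraud/receipt use
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = head + middle + tail
            # Assumed policy: token must be unique and fail Luhn, so it is never a usable card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can do this; the merchant never holds the mapping."""
        return self._by_token[token]
```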
"It becomes more of a technical architecture decision rather than a decision of selecting one out-of-the-box technology," Spies said.
Chris Mark, a former QSA who now serves as executive vice president at ProPay Inc., a Lehi, Utah-based processor that specializes in card-not-present and e-commerce transactions, said he anticipates many merchants moving toward more outsourced payment services that let the merchant ask the processor to tap into the data for chargebacks, returns and other transaction issues.
"You really can't make a blanket statement about the entire industry because every merchant has processes that are unique to their market," Mark said. "The hotel industry is a good example where eliminating card data could be tricky because people constantly charge items or services during their stay."