High-profile data theft incidents have prompted payments processors and merchants to embark on a quest for enhanced security. Charles Davis speaks to Hypercom about its strategy to meet this demand by introducing solutions it has successfully deployed in Asia to other major markets worldwide.
Responding to the card industry’s need to fight fraud, Hypercom is bringing its Asia-Pacific-based EFTSec Server payment data encryption technology to North America, Latin America and Europe.
The US payments technology developer has also teamed with Voltage Security to deliver cryptographic technology, and is forming a global data protection business unit to address customer-specific security threats with five key approaches to data security.
Hypercom vice-president for global quality and security TK Cheung told EPI the move is a signal to the payments industry that Hypercom alone can provide security in every retail payments setting, from the high-end department store to ‘mom-and-pop’ local shops.
Cheung also serves as vice-chairman and chief technical officer of the Secure POS Vendor Alliance.
“One solution does not fit all when it comes to payment card data protection,” Cheung said.
“The payment industry is highly complex and requires a range of solutions which can protect its various elements. To that end, we are making available the smartest array of security approaches providing choices for businesses of all types to fortify their defences and protect cardholder data against current and future threats.”
The addition of Voltage’s end-to-end encryption to EFTSec, and Hypercom’s HyperSafe suite of security products, allows the company to tailor security solutions, Cheung said, adding that the growing complexity of terminal fraud requires a multi-faceted approach.
Striking a balance
The deal with Voltage enables Hypercom to implement cryptographic technology that delivers an array of end-to-end encryption across its product line, with a particular focus on management of card data at rest. That said, portions of the data must be available for legitimate business purposes. Voltage’s technology provides businesses with strong protection without compromising flexibility or requiring major changes to existing business processes. The key benefit for banks, processors and large retailers is that it provides the technology to protect cardholder data throughout the enterprise.
The moves reflect Hypercom’s belief that end-to-end payment data protection must encompass protecting data throughout its lifecycle, which means not only encrypting it when in transit but also when at rest in a merchant or payment-processing environment. Hypercom also believes the scope of payment data protection includes use of strong security technology on the terminal side of the business as well, including the loading and storage of debit keys residing on those devices.
“Retailers have to work with terminal vendors to develop a holistic security plan, all the way down to the physical security of the terminal manufacturer,” he said.
“It is no longer nearly enough to merely ensure the transaction is secure, because recent data breaches have shown that is not nearly enough.”
Line encryption encrypts cardholder data during transaction processing, starting at the payment terminal and ending at a trusted point where the data is decrypted. That trusted point can be within a large merchant or payment service provider environment, Cheung said.
Hypercom was the first electronic payment solutions provider to initiate card data encryption with its EFTSec technology introduced in 2006. Developed to combat attacks then prevalent in several Asian countries, EFTSec is now the de facto industry standard for payment terminal-initiated link encryption in Asia. EFTSec is already in use by seven major banks with combined assets of more than $178 billion, and licensed to and implemented by several major terminal manufacturers, Cheung said.
Unlike recently introduced competing solutions that require customers to purchase custom equipment or utilise third-party decryption services, EFTSec leverages existing network infrastructure.
Protecting the operational procedures and maintenance of payment terminals is just as important as protecting cardholder data, Cheung said. Hypercom’s HyperSafe suite of security products defends terminals from rogue applications and malware, protects the terminal management system from communicating with fraudulent terminals and provides the industry’s only remote key management system.
The key benefits for banks, processors and large retailers are that it protects investment in the POS estate, reduces the potential for fraudulent use of terminals and ensures secure transport of cryptographic keys.
Segmenting a merchant’s POS system data from payment data is one method of reducing the scope of Payment Card Industry Data Security Standard (PCI DSS) compliance for merchants. Virtual terminals are web-based secure platforms that easily integrate payment processing and business-critical processes with client-side applications and devices.
Another key piece of the security puzzle is card authentication. In addition to complete enterprise-wide end-to-end payment data protection, Hypercom supports strengthening of card authentication as an important tool to prevent card skimming.
“It is all part of the holistic approach that the industry has to take,” Cheung said. “Hypercom supports a number of technologies that, if broadly adopted, would significantly reduce fraud through card skimming.”
These technologies include contact and contactless chip cards, and magnetic stripe image authentication, a dynamic digital authentication solution that detects counterfeit magnetic stripe credit, debit, gift and ATM cards. Whenever a card is used at a payment terminal, magnetic stripe security imaging authenticates the card’s legitimacy in real time by matching each magnetic stripe’s unique ‘noise fingerprint’ against the ‘fingerprint’ originally obtained from the legitimate card.
“Lots of high-profile attacks have focused attention on end-to-end encryption, and it was prevalent outside the US long before it became a high-profile issue in the US,” Cheung said.
“So we began working with the world’s largest institutions on a variety of issues, from skimming and line-tapping to online fraud. It is up to us as vendors to address this now, in a systematic way.”