High-profile data theft incidents have prompted
payments processors and merchants to embark on a quest for enhanced
security. Charles Davis
speaks to Hypercom about its strategy to meet this demand by
introducing solutions it has successfully deployed in Asia to other
major markets worldwide.
Responding to the card industry’s
need to fight fraud, Hypercom is bringing its Asia-Pacific-based
EFTSec Server payment data encryption technology to North America,
Latin America and Europe.
The US payments technology developer has also
teamed with Voltage Security to deliver cryptographic technology,
and is forming a global data protection business unit to address
customer-specific security threats with five key approaches to data
security.
Hypercom vice-president for global quality and
security TK Cheung told EPI the move is a signal to the payments
industry that Hypercom alone can provide security in every retail
payments setting, from the high-end department store to
‘mom-and-pop’ local shops.
Cheung also serves as vice-chairman and chief
technical officer of the Secure POS Vendor Alliance.
“One solution does not fit all when it comes
to payment card data protection,” Cheung said.
“The payment industry is highly complex and
requires a range of solutions which can protect its various
elements. To that end, we are making available the smartest array
of security approaches providing choices for businesses of all
types to fortify their defences and protect cardholder data against
current and future threats.”
The addition of Voltage’s end-to-end
encryption to EFTSec, and Hypercom’s HyperSafe suite of security
products, allows the company to tailor security solutions, Cheung
said, adding that the growing complexity of terminal fraud requires a
multi-faceted approach.
Striking a balance
The deal with Voltage enables
Hypercom to implement cryptographic technology that delivers an
array of end-to-end encryption across its product line, with a
particular focus on management of card data at rest. That said,
portions of the data must be available for legitimate business
purposes. Voltage’s technology provides businesses with strong
protection without compromising flexibility or requiring major
changes to existing business processes. The key benefit for banks,
processors and large retailers is that it provides the technology
to protect cardholder data throughout the enterprise.
The moves reflect Hypercom’s belief that
end-to-end payment data protection must encompass protecting data
throughout its lifecycle, which means not only encrypting it when
in transit but also when at rest in a merchant or
payment-processing environment. Hypercom also believes the scope of
payment data protection includes use of strong security technology
on the terminal side of the business as well, including the loading
and storage of debit keys residing on those devices.
“Retailers have to work with terminal vendors
to develop a holistic security plan, all the way down to the
physical security of the terminal manufacturer,” he said.
“It is no longer nearly enough to merely
ensure the transaction is secure, because recent data breaches have
shown that is not nearly enough.”
Line encryption encrypts cardholder data
during transaction processing, starting at the payment terminal and
ending at a trusted point where the data is decrypted. That trusted
point can be within a large merchant or payment service provider
environment, Cheung said.
Asian origin
Hypercom was the first electronic
payment solutions provider to initiate card data encryption with
its EFTSec technology introduced in 2006. Developed to combat
attacks then prevalent in several Asian countries, EFTSec is now
the de facto industry standard for payment terminal-initiated link
encryption in Asia. EFTSec is already in use by seven major banks
with combined assets of more than $178 billion, and licensed to and
implemented by several major terminal manufacturers, Cheung
said.
Unlike recently introduced competing solutions
that require customers to purchase custom equipment or utilise
third-party decryption services, EFTSec leverages existing network
infrastructure.
Protecting the operational procedures and
maintenance of payment terminals is just as important as protecting
cardholder data, Cheung said. Hypercom’s HyperSafe suite of
security products defends terminals from rogue applications and
malware, protects the terminal management system from communicating
with fraudulent terminals and provides the industry’s only remote
key management system.
The key benefits for banks, processors and
large retailers are that it protects investment in the POS estate,
reduces the potential for fraudulent use of terminals and ensures
secure transport of cryptographic keys.
Segmenting a merchant’s POS system data from
payment data is one method of reducing the scope of Payment Card
Industry Data Security Standard (PCI DSS) compliance for merchants. Virtual terminals are
web-based secure platforms that easily integrate payment processing
and business critical processes with client-side applications and
devices.
Another key piece of the security puzzle is
card authentication. In addition to complete enterprise-wide
end-to-end payment data protection, Hypercom supports strengthening
of card authentication as an important tool to prevent card
skimming.
“It is all part of the holistic approach that
the industry has to take,” Cheung said. “Hypercom supports a number
of technologies that, if broadly adopted, would significantly
reduce fraud through card skimming.”
These technologies include contact and
contactless chip cards, and magnetic stripe image authentication, a
dynamic digital authentication solution that detects counterfeit
magnetic stripe credit, debit, gift and ATM cards. Whenever a card
is used at a payment terminal, magnetic stripe security imaging
authenticates the card’s legitimacy in real time by matching each
magnetic stripe’s unique ‘noise fingerprint’ against the
‘fingerprint’ originally obtained from the legitimate card.
“Lots of high-profile attacks have focused
attention on end-to-end encryption, and it was prevalent outside
the US long before it became a high-profile issue in the US,”
Cheung said.
“So we began working with the world’s largest
institutions on a variety of issues, from skimming and line-tapping
to online fraud. It is up to us as vendors to address this now, in
a systematic way.”