Page 30 - GS180301
CoverStory
Hardware and services

"Broadband and wireless communications are replacing dial modems," stated Ben Wagner, Director of Product, Solutions at Ingenico Group, a global technology company with U.S. headquarters in Atlanta. "U.S. EMV (Europay, Mastercard and Visa) adoption has accelerated this trend, because EMV transactions take longer on dial."

Wagner said Ingenico's subscription offerings include app marketplaces, repair and warranty services, and estate management systems. Estate management software initially required on-site installation; most acquirers now use subscription models to manage their device fleets, he noted. "This industry was built on recurring revenue, which is easier to get if you're a service business, but harder if you're in the business of shipping boxes," he stated.

As the industry becomes more service-oriented, Wagner sees a need to educate agents to be consultative and understand merchants' distinct businesses and industries to help them solve pain points. "Complex software bundles provide value and customer longevity," he said. "Investing $100 in a software system is fundamentally different than spending $500 on a terminal that sits on a counter for five years. Flexible, pay-as-you-go options are less scary than massive upfront investments."

As he reflected on POS terminal evolution, Jeff Wakefield, Vice President, Americas, Sales Enablement at Verifone, said early devices with proprietary operating systems were priced to sell and expensive to update. Over time, reductions in computing costs enabled Verifone to create a secure, open system and rich development environment, while also maintaining reasonable price points. "For a manufacturer, building an individual solution for each acquirer means doing EMV 15 times," he said. "Building a common commerce solution means doing it once, reducing costs and improving capabilities, functionality and security."

Wakefield commended MLSs for their role in making credit card processing ubiquitous. He summarized their original value proposition to merchants as "increase sales by accepting credit and debit," which then evolved into statement analysis. "Then Square came out with bundled pricing and set a new ceiling, and the game changed to, 'Let us help you become more secure,'" he recalled. "With today's tablet-based POS systems, costs are under control, and old approaches don't work. MLSs need to move up and show merchants how to compete with chains."

P2PE and scans

Ruston Miles, co-founder and Chief Strategy Officer at Bluefin Payment Systems LLC, a payment security company, said moving into the cloud can impact an organization's security posture and ability to protect areas outside of its direct control. Atlanta-based Bluefin was the first provider to offer Payment Card Industry (PCI) Data Security Standard (DSS)-validated, point-to-point encryption (P2PE) as a standalone service and not embedded in payment processing, Miles noted. The company's patented, processor-agnostic platform helps OEMs, processors, payment gateways and major retailers optimize workflows across large roll outs and device populations.

Attaining PCI validation in North America "can be a rigorous process involving device requirements, asset tracking and chain of custody management," Miles said. "Fulfillment and logistics are complicated when you're rolling out thousands of devices; some merchants choose not to do it." He noted that Bluefin built a system to help merchants manage complexity and obtain P2PE through existing software providers.

Miles sees growing demand for P2PE in the post-EMV environment, as merchants recognize the value of end-to-end encryption. "In Europe, Visa requires P2PE on all mPOS," he said. "Online, your credit card data is encrypted on any browser; why not require it on credit card machines?"

Data can be difficult to encrypt or protect when you don't know where it is, noted Kailan Whitaker, Product Manager at Orem, Utah-based SecurityMetrics, a data security and compliance provider. "With so many connected devices on a network, it's difficult to search every nook and cranny where sensitive data is stored," he said. "Companies use our PANscan and PIIscan licensed solutions to find unencrypted PANs [personal account numbers] and PII [personally identifiable information] and patch holes in their networks."

Studies show PANscan has located more than 1.5 billion unprotected, unencrypted personal account numbers since it launched in 2010, Whitaker stated, noting that PANscan and PIIscan scan approximately one to three gigabytes per minute. "Business owners can click 'Scan Now,' and view results at the end of a workday," he said. "They invariably find data they didn't know was there."

Landline and mobile security

The PCI Security Standards Council stipulates merchants must protect cardholder data, whether it is printed, processed, transmitted or stored. Emerging technology companies are providing innovative approaches to protecting payment card data transmitted over landlines and mobile phones.

Semafone Inc., a global security company with U.S. headquarters in Boston, created a solution to remove payment card data from scope at call centers. Cardprotect shields payment card data in card-not-present (CNP)