Tuesday, November 26, 2024

Big Merchants Push RBS WorldPay into End-to-End Encryption

The end-to-end encryption train picked up steam on Tuesday when big merchant acquirer RBS WorldPay Inc. said it would use point-of-sale terminal developer VeriFone Holdings Inc.'s VeriShield Protect technology. The announcement is significant because RBS WorldPay is the first acquirer to publicly disclose it is using the system VeriFone unveiled in the spring. Further, RBS WorldPay's strategy contrasts sharply with the in-house encryption approach taken by rival acquirer Heartland Payment Systems Inc.

Ian Drysdale, senior vice president of market development at Atlanta-based RBS WorldPay, tells Digital Transactions News that the processor was getting “tremendous demand” from Level 1 and Level 2 merchants (the largest and second-largest merchant groups by transaction volume in payment card industry lingo) for enhanced data security. Grocery stores, which generate a sizable share of RBS WorldPay's volume, are especially interested, he says. “They want a way to dramatically reduce the scope of PCI compliance,” he says, referring to the Payment Card Industry data-security standard, the major card networks' common set of security rules. Pending PCI-related deadlines in 2010 and beyond also are driving much of the demand, according to Drysdale. They include requirements for gas stations and convenience stores to upgrade PIN-entry devices to so-called Triple DES, for Data Encryption Standard, from older single DES technology, and MasterCard Inc.'s tougher PCI inspection requirements for Level 2 merchants.

End-to-end encryption refers to any of the various technical methods under which data are encrypted as soon as the card is swiped at the point of sale and not decrypted until they are in a secure processor's, merchant's, or vendor's data center. Current processing procedures leave data exposed for a very short time, making it vulnerable to hackers during the transaction process. In addition, older, non-PCI-compliant POS systems frequently store exposed card data.

One thing RBS WorldPay and Heartland have in common is that hackers have infiltrated their processing systems. The resulting data breaches gave both acquirers public-relations black eyes and led to their temporary removal from Visa Inc.'s list of PCI-compliant processors. They've both been reinstated. Heartland's response was to charge headlong into end-to-end data encryption with a proprietary system now under development (Digital Transactions News, Aug. 4). Asked if the breach RBS WorldPay disclosed on Dec. 23 led the company to embrace end-to-end data encryption, Drysdale says, “It did not. We were working with VeriFone well before [it happened].”

A big reason RBS WorldPay is going with VeriShield Protect is because many merchants in its portfolio use VeriFone multilane POS systems and won't have to replace their hardware to use the security service. “They [VeriFone] have some unique benefits,” Drysdale says. “They're in a lot of grocery and retail outlets. For our business this makes a lot of sense.” Drysdale says RBS WorldPay looked at encryption systems from other major terminal makers and technology companies. “We certainly talked to all of the vendors in the marketplace,” he says. “This one allowed us to get to market quickly.” But he adds that, “I think over time we're going to be open to a range of solutions.”

VeriShield Protect eliminates usable cardholder data from the merchant's POS applications, networks, and servers, and preserves existing card-track data formats so it works transparently with retailers' existing payment systems, according to an RBS WorldPay release. Data initially will be decrypted at merchant host locations or VeriFone's decryption center, but Drysdale expects decryption operations will move to RBS WorldPay in a year to 18 months. The technology works on two VeriFone product lines, the MX800 Series and the Vx Solutions line (Digital Transactions News, April 9, 2008). The product encrypts data using a system created by Semtek Innovative Solutions Corp., a San Diego-based security-technology company. VeriFone is an investor in Semtek.

RBS WorldPay is offering VeriShield Protect as an optional service at an undisclosed cost. “Relative to the cost of an incident, it's a low cost,” says Drysdale. Grocery stores and other multilane retailers will be RBS WorldPay's first target customers.

A spokesperson for San Jose, Calif.-based VeriFone says by e-mail that “several hundred” merchant locations already are using VeriShield Protect, and in the past month they processed “several million encrypted transactions.” The spokesperson didn't disclose which merchants are using the system. He says initial users are large, multilane retailers and not to assume they are clients of RBS WorldPay.

RBS WorldPay has 154,000 merchant locations that generated 1.73 billion purchase transactions last year, up 79% from 2007. Dollar volume of $71.6 billion was up 58%. The increases came through a new national business unit, new independent sales organization relationships, and other organic growth, according to Drysdale.
