Digital Transactions Authoritative, insightful and timely information for payments professionals
VeriFone Holdings Inc., a major terminal manufacturer, is entering the burgeoning business of card-data security with a product it says will secure cardholder information from the instant the card is swiped. The product, VeriShield Protect, was announced on Wednesday and encrypts mag-stripe data and the personal account number for the card. The information remains encrypted until deciphered by either the merchant or its processor. The technology comes at a time when processors and payment-software vendors are introducing products to meet an increasingly urgent need among merchants to shore up their defenses against data leaks. These efforts have gained urgency because of a series of high-profile computer intrusions sustained at major chains, including most recently Hannaford Bros. Co. (Digital Transactions News, March 17), where hackers gained access to account numbers for an estimated 4.2 million cards. Vendors also hope merchants will adopt the technology as part of their due diligence in complying with the Payment Card Industry data-security standard (PCI), an industry standard aimed at keeping card data out of the hands of fraudsters. VeriShield Protect represents one of the first entries in the encryption market from a hardware vendor with a substantial installed base of point-of-sale terminals. “We were content saying we'll sell payment terminals,” says Jeff Wakefield, vice president of marketing for integrated systems at Santa Clara, Calif.-based VeriFone. “But we have actively embraced security. We kept coming around to this problem [of data security].” Two merchants have ordered the product so far, one of which VeriFone expects to announce on Thursday, Wakefield says. Another 20 or so are in various stages of discussions with VeriFone, which is also talking to processors, he adds. With VeriShield Protect, VeriFone says credit and debit card transaction data are encrypted at the moment the customer or clerk runs the card through the terminal. This could be a key feature given that information known so far about the Hannaford breach indicates it occurred while data were in transit during authorization. “The sooner you can capture [the data], the better off you are in terms of protecting it,” says data-security expert Michael Dahn, chief technology officer at The Aegenis Group, Park City, Utah, who does not endorse this or any other particular security product. Encrypted data are deciphered by a so-called appliance that can reside at either a merchant data center or at a location maintained by the merchant's acquirer. They are then sent on to the issuer for authorization. The appliance also monitors transactions in real time. Wakefield points out that the product also re-sets card expiration dates to a future time to thwart any intruder who might manage to intercept the information. These dates can be useful to data thieves since they are often required for online transactions. The new system works on two VeriFone product lines, the MX800 Series and the Vx Solutions line. Merchants that have already installed these devices can upgrade to VeriShield Protect by having the terminal's security module updated and the VeriShield keys loaded into the device. The product encrypts data using a standard called H-TDES, for Hidden-Triple Data Encryption Standard, created by Semtek Innovative Solutions Corp., a San Diego-based security-technology company. VeriFone is an investor in Semtek and Douglas G. Bergeron, VeriFone's chairman and chief executive, sits on its board. Semtek, which also provides the decryption appliance, can also run the appliance on the merchant's behalf in a hosted service. If merchants decide to locate the appliance at their own location or use Semtek, they must modify their transaction-routing routines so payment data goes to the appliance, Wakefield says. One problem VeriShield Protect will not address is how to keep intruders out in the first place. “How did the attackers get it?” asks Dahn. “Retailers have to look at a more holistic view. This is not one solution for everything, though it definitely addresses one kind of attack.” Wakefield will not discuss fees in detail, but says merchants will pay a “nominal” terminal-application fee as well as key-injection fees. More substantially, the appliance carries an ongoing license and support fee that depends on the volume of transactions processed, though it is not set as a per-transaction fee.
