Terminal Rivals Cooperate on Plan for Card Data Security

In an unprecedented effort to thwart data breaches, the three leading vendors of payment card terminals on Wednesday put aside their normally fierce rivalries to announce creation of a non-profit industry group to implement common security standards and improve knowledge about security issues. “The self interest aligns with the public interest,” VeriFone Holdings Inc. chief executive Douglas G. Bergeron told Digital Transactions News after a Las Vegas news conference announcing creation of the Secure POS Vendor Alliance. Also at the conference were top executives of VeriFone's two main competitors, Hypercom Corp. and Ingenico North America. The group, which is seeking a full-time manager, will be run by a five-member board, three from the founding companies and two elected by the broader membership. Executives said the group doesn't aim to bypass existing standards such as the Payment Card Industry data-security standard (PCI). But Bergeron noted that some companies certified as PCI-compliant still were breached. “The reality is we see PCI not being the answer,” he said. “It's a good step.” Bob Russo, general manager of the PCI Security Standards Council, which administers and updates the standards, attended the news conference but didn't make a statement. Afterward, he told Digital Transactions News that he supports what the terminal makers are doing. “Overall, I'm encouraged, otherwise I wouldn't have been at their thing,” he says. In addition to PCI and other industry standards that affect payment-processing hardware and software, the vendors sell their products in scores of countries and must configure them to meet standards set by many individual nations. The alliance will try to find the common threads in all those standards in hopes of increasing efficiency as well as overall security. “The number of security standards continues to increase,” said Philippe Tartavull, president and chief executive of Tempe, Ariz.-based Hypercom. Older POS terminals and the software applications that control them are notorious for storing sensitive cardholder information that hackers have stolen and used to make fraudulent cards. The card networks, which enforce PCI, are forcing the older equipment out, and the manufacturers themselves are touting the security of their newer products in marketing campaigns. The executives insisted their products will remain differentiated even as they seek a common floor for security. The SPVA's creation comes at a time of seemingly endless news about data breaches that a year or two ago mostly involved retailers but in recent months has spread to merchant acquirers such as Heartland Payment Systems Inc. and RBS WorldPay. The breaches have caught the attention of Congress. A House committee recently chastised payments-industry leaders for alleged lax security. Executives at the news conference, however, denied that the vendors created the SPVA to head off government regulation. “The honest answer, [no] it did not,” said Paul Rasori, senior vice president at VeriFone and the SPVA's secretary/treasurer, at the news conference. And TK Cheung, vice president of global quality and security at Hypercom, said, “This has been in discussion for quite a while. It wasn't driven by one single event.” The SPVA will create several so-called “technical working groups” that will begin meeting in May. Topics they'll address include trying to arrive at a common interpretation of existing security standards, developing life-cycle security practices for payment devices from manufacture through disposal, end-to-end encryption of data, and analysis of and intelligence about security threats. The alliance's Web site, www.spva.org, was scheduled to go live today. Christophe Dolique, executive vice president of global marketing and transaction services at France-based Ingenico, will serve as the group's chairman in its first year. Cheung is the SPVA's vice chairman and chief technology officer. Other payment-terminal companies may join the alliance as general members. Annual dues are $30,000. The entities that buy, distribute, or deal with them in some way, including merchant acquirers, independent sales organizations, and retailers, can join as associate members. In related news, VeriFone announced this week that it was expanding the encryption technology it offers in products for multi-lane retailers to other systems.