2017 will go down as a record-breaking year for data breaches. The Identity Theft Resource Center (ITRC) recorded 1,579 breaches that compromised over 178 million consumer records – a drastic increase of 44.7% over the record high figures reported for 2016. Malware was a leading attack vector in the 2017 data breaches, designed to infiltrate point of sale (POS) systems and steal clear-text personal and credit card data.

The foodservice and hospitality industries have been hit particularly hard by data breaches, with hotel brands, restaurants and establishments targeted by hackers in 2017 – including a major micro market malware breach that exposed thousands of customer credit card numbers. While the average cost of a data breach in 2017 was $4 million, for larger companies and chains, those costs can skyrocket to over $50 million – not to mention the irreparable damage to the brand.

That’s why more and more companies in foodservice and hospitality are adopting payment security technologies like PCI-validated Point-to-Point Encryption (P2PE) – including industry leader AVI Foodsystems, America’s largest family-owned and operated food and hospitality provider. In 2017, Bluefin, Nodus Technologies, and AVI partnered to provide Bluefin’s PCI-validated P2PE solution for AVI’s back-office payment processing. PCI-validated P2PE is designed to secure credit card data through encryption in a PCI-approved P2PE payment terminal. Encrypting data within the device prevents clear-text cardholder data from ever reaching the POS system, where it could otherwise be exposed in the event of a data breach.

The P2PE Solution for AVI Foodsystems: Bluefin and Nodus Technologies

In 2017, Nodus Technologies reached out to Bluefin about their Decryptx® PCI-validated P2PE Solution. Nodus had been serving as AVI’s payment processor for several years and AVI had approached Nodus about their desire to adopt a PCI-validated P2PE solution to secure their customers’ credit card payments. Decryptx, Bluefin’s Decryption as a Service (DaaS) P2PE offering, enables payment gateways, processors and software companies to provide Bluefin’s P2PE technology directly to their clients – with no change to the payment processing relationship.

“AVI wanted a P2PE partner that was flexible enough to integrate with the Nodus middleware that they use with their financial system,” said Chester Ritchie, President of Nodus. “So we worked directly with Bluefin to integrate P2PE through Decryptx and provide it via our integrated payment processing platform. It’s an excellent payment security technology because it’s seamless to our customers, and it greatly decreases their PCI scope.”

Why PCI-validated P2PE for AVI?

“While re-certifying the solution through a QSA is an option many companies choose, this option ties the solution to a significant risk each year that the solution will no longer provide network scope reduction. Validated P2PE solutions are multiyear certifications for which the vendor owns responsibility and has the vested interest (of their entire business model) in maintaining. Validated P2PE solutions are the most sure-footed approach for those companies that require (or desire) PCI network scope reduction.”

Ron Kerensky, Chief Information Officer, AVI Foodsystems

AVI needed a PCI-validated P2PE solution for their client locations across the U.S. that provided the highest level of payment encryption, but they also wanted to attain PCI network scope reduction without the need for AVI to re-certify the solution each year.

“First, the scope reduction would remove our clients’ data networks from the PCI audit process, avoiding the unmanageable costs and unreasonable levels of risk for our clients to be involved in AVI’s annual PCI audit,” said Ron Kerensky, Chief Information Officer for AVI. “Second, P2PE solutions also significantly reduce the risk of a breach involving our customers’ credit card data by eliminating the storage and transfer of decipherable cardholder data. Extending P2PE into our card-not-present environment presented a very clear cost, time and risk savings opportunity for us.”

The company’s business model requires AVI to operate on client networks; thus, P2PE was a natural choice because it provides AVI clients the peace of mind that all of their PCI concerns are addressed without needing to involve them in the cost or risk, added Ron.

AVI also adopted P2PE in their card-not-present payment environment for similar reasons. By adding P2PE, AVI was able to eliminate their entire network from scope, said Ron, mitigating the risk of a hacker-initiated breach of credit card data. Removing the AVI network from PCI scope also reduced the cost of the PCI audit process by an estimated 35% and the complexity/risk of issues identified in the PCI audit by 75%.

Implementation, Expected ROI and Cost Benefits

One of the reasons that AVI wanted Bluefin as their PCI-validated P2PE provider was the company’s reputation “for innovative solutions and the ability to integrate/partner well within the P2PE space,” said Ron. For the project to work, AVI needed a provider that had the expertise, experience and motivation to partner with AVI’s existing vendors to enable a complete PCI-validated P2PE solution. Additionally, the Bluefin brand in this space made the conversations with AVI’s Qualified Security Assessor (QSA) team easier. “Our QSA was more anxious to see the integration in person than he was concerned about it meeting the P2PE standards!” said Ron.

The solution implementation was straightforward. AVI chose the ID Tech SREDKey payment terminal for their back-office payments. The setup process was as simple as deploying any standard credit card terminal, said Ron. While there was some education with users around process changes within the Nodus middleware applications, the Bluefin part of the equation, said Ron, was extremely simple and literally a one-line training message: “You will only be able to enter credit card data on the Bluefin device going forward.”

With the network scope reduction that the Bluefin integration provided, AVI expects to reduce their cost for their annual PCI audit by 35%, which translates into significant savings. Just as important, AVI has historically spent over 1,000 hours per year of senior IT personnel preparing for and engaging with QSA resources for the PCI audit. With the scope reduction, AVI expects that this time will be reduced by roughly 700 hours per year. The opportunity value of 700 hours of senior IT time translates to an estimated two additional IT projects per year that can be focused on increasing revenue or reducing costs to our business, said Ron.

“Any industry – including the food management industry – that requires PCI network scope reduction should consider a solution like this,” said Ron Kerensky, Chief Information Officer for AVI. “In fact, for any industries where the data network landscape is complex and/or challenging to manage – even when network scope reduction is not required – a P2PE solution can help to significantly reduce cardholder data risk and the oftentimes constraining and time-consuming task of meeting all of the PCI requirements for network security.”

AVI

Founded in 1960, AVI Foodsystems has evolved into one of the most respected and trusted food service companies in the nation. AVI serves thousands of clients and millions of customers daily through the company’s contemporary cafés, state-of-the-art vending programs, innovative micro markets, premier catering services, superior concession venues and exclusive beverage and coffee systems.

Nodus Technologies

Nodus Technologies is a leading provider of electronic payment, eCommerce, and accounts receivable automation software for small and mid-size companies. Nodus leverages service-oriented architecture and web service technologies to provide cost-effective solutions that decrease manual labor and reduce the scope of PCI compliance through secure cloud-based processing and storage.

Bluefin: The Leader in Payment Security

Bluefin is the leader in payment security, specializing in PCI-validated P2PE integrated and stand-alone solutions for retail, mobile, call center and kiosk/unattended environments, and secure Ecommerce technologies including transparent redirect, payment iFrame and tokenization. Bluefin is a Participating Organization (PO) of the PCI Security Standards Council (SSC).