2016 was a record year for data breaches, with 1,093 recorded by the Identity Theft Resource Center – an all-time high. As our Chief Commercial Officer, Guido Schulz, discussed in an article published by PaymentsSource yesterday, “The truth is, there were many more breaches in 2016 than in pre-EMV 2015.”
Many retailers and consumers alike assumed that once “chip cards” were implemented, breaches and fraud would be curbed. Neither has happened. And that is because, according to Ruston Miles, our Chief Innovation Officer, “EMV stole the show, but has nothing to do with protecting the card data as it moves through the payments system.”
Our flagship product, PCI-validated Point-to-Point Encryption (P2PE), encrypts payment data immediately upon swipe or dip in the physical payment terminal, whether the terminal is mobile or countertop, at a kiosk or in a call center. By encrypting this data at the point of sale (POS), retailers and enterprises can ensure that no clear-text card data resides in their POS system.
But that’s POS – what about Ecommerce, where consumers pay online for goods and services? U.S. retail Ecommerce sales have surged 16% year over year and estimates are that by 2020, worldwide Ecommerce sales will reach $4 trillion. The numbers are mind-boggling but point to the importance of online payments – and the importance of securing this channel.
One of the side effects of EMV is the rise of card-not-present (CNP) fraud: because chip cards make it more difficult to “white label” credit and debit cards and use them at the POS, hackers need another channel for their stolen payment data, which is why they are flocking online. In November 2016, ACI Worldwide issued a report in which it found CNP fraud attempt rates are expected to increase 12% by volume. According to Research and Markets:
“Despite anticipating that fraudsters would transition to online attacks once counterfeit card fraud at the point of sale was reduced through the EMV chip, U.S. payment card networks and issuers, payment providers, merchants and cardholders are now asking, What can we do about the increase in CNP fraud?,” Research and Markets wrote. “In response, an industry of technology developers providing solutions to combat CNP fraud has emerged to give online merchants the means to strike back.”
Like all things security-related, protecting credit card data entails more than just protecting the obvious entry points. It includes anticipating threats from every possible angle, figuring out every place that a thief might get in and plugging those holes – including the online channel.
Security Solutions for Ecommerce
So how do you secure Ecommerce payments and what kind of benefit can you expect from implementing new technologies? Today we spotlight several security mechanisms that we provide to protect payment data online, including the newest addition to our Security Solutions Suite, the Payment iFrame.
Payment iFrame
Available on our PayConex Platform, the Payment iFrame enables merchants to embed an iFrame in their checkout page that encrypts user-entered payment data and returns the encrypted data in an “eToken” format. The merchant can then use the eToken to process payments through Bluefin’s API.
Merchants that implement the iFrame benefit from reduced PCI scope because the capture of sensitive credit and debit card data has been outsourced to Bluefin. We control the capture of the data, send it to our server for encryption and release an encrypted token (eToken) to the merchant, which they can use with Bluefin’s API for further payment processing (SALE, AUTH, STORE). With our solution the merchant never handles card data directly; instead they deal with eTokens and a number of JavaScript APIs.
When properly implemented, Bluefin’s iFrame and our Tokenization technology can take the Ecommerce operations of a merchant from SAQ D’s 326 security questions down to SAQ A’s 14 questions.
Hosted Payment Page
A hosted payment page is an extension of PayConex that allows customers to enter their own payment information online on a page hosted and protected by Bluefin. Some merchants link the hosted payment page to their website; others send the link to their customers via email. The major benefit of setting up a hosted payment page, as opposed to other online payment options, is that Bluefin offers an easy setup wizard for payment pages through PayConex, with no web development experience required.
Tokenization
Tokenization replaces credit, debit and ACH information in a transaction with a random character string or “token” acting as a surrogate for the credit card data. Payment tokenization differs from encryption. In encryption, when a payment application or a database needs to store credit card data, the card values are encrypted and cipher text is then saved in the original location. With tokenization, a token – or surrogate value – is stored in place of the original data.
PayConex provides a common tokenization vault unifying all of our payment products, including our PCI-validated P2PE solutions; Ecommerce, retail, MOTO, and mobile channels; turnkey mobile app, Salesforce app, and virtual terminal web interface; as well as integrated support to our APIs, SDKs, payment pages, and standalone terminals.
Bluefin also offers Store & Convert, a custom conversion process that tokenizes large volumes of existing card numbers on a system in one step. This is an ideal solution for any company looking to implement a tokenization solution with legacy card numbers that are in the clear.
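To make the tokenization model and the one-pass conversion of legacy card numbers described above concrete, here is an added, generic illustration; it is not Bluefin or PayConex code. The `TokenVault` class, the `convert_legacy` helper and the token format are hypothetical, and the sample rows are constructed from well-known test card numbers.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in pan][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for a tokenization vault (hypothetical, not a vendor API)."""
    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._by_token = {}  # token -> PAN; a real vault encrypts this at rest
        self._by_index = {}  # HMAC(PAN) -> token, so one card maps to one token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx not in self._by_index:
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"  # random, not derived from PAN
            self._by_token[token] = pan
            self._by_index[idx] = token
        return self._by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

def convert_legacy(records, vault):
    """Replace clear-text card numbers in legacy rows with tokens in one pass."""
    converted, rejected = [], []
    for row in records:
        try:
            converted.append({**row, "card": vault.tokenize(row["card"])})
        except ValueError:
            rejected.append(row["id"])
    return converted, rejected

# Constructed sample data: well-known test card numbers, not real accounts.
LEGACY = [
    {"id": 1, "card": "4111 1111 1111 1111"},
    {"id": 2, "card": "5555-5555-5555-4444"},
    {"id": 3, "card": "4111111111111111"},  # same card as id 1
    {"id": 4, "card": "4111111111111112"},  # fails the Luhn check
]

if __name__ == "__main__":
    print(convert_legacy(LEGACY, TokenVault()))
```

Unlike ciphertext, the token has no key that reverses it; the card number is recoverable only through the vault's lookup, so systems that hold only tokens store nothing an attacker can decrypt.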
Transparent Redirect
Transparent Redirect is an elegant token-based method to securely and transparently collect card data directly from the cardholder online while allowing the merchant to still manage the authorization process. Our clients can process credit/debit card and ACH transactions on their website without ever having cardholder data traverse their systems.
While the checkout page is designed and hosted by the merchant, our solution posts payment details directly to PayConex over our secure network. Utilizing direct-post payment processing ensures credit card information never enters the merchant’s system, even though the merchant maintains control of the look and feel of the page.
Outsource Payment Security to Bluefin
A common theme among all of these security solutions is that they prevent sensitive data from being in your network and remove your environment from PCI scope. As data breaches are becoming more common and are affecting merchants of all sizes, why worry about it happening to you? Outsource the protection of your customers’ payment data to Bluefin. Contact us to learn more.