The following is an abridged transcript of the podcast with Ruston Miles, Chief Security Officer of Bluefin, and Julie Bryant Fisher, Chief Experience Officer for the Technology Association of Georgia (TAG). The podcast covers topics such as:
- The Evolution of Data Breaches and Hacking Methods
- The Role of PCI in Payment Security
- The Importance of Devaluing Payment Data with P2PE and Tokenization
- The Growth in Payments Systems – and Why Growth Should Not Outpace Payment Security
- Security Regulation Differences Between the U.S. and Europe
- The Role of Atlanta in the Payments Ecosystem
Julie Bryant Fisher: We are so happy to have you join us today, Ruston. The FinTech space is a really exciting one right now for the technology industry in Atlanta. I’d love to hear you talk about what Bluefin does for your customers and for the industry.
Ruston Miles: Thank you so much for having me today, Julie. Bluefin is a payments security company headquartered in Atlanta, and we specialize in technologies like PCI certified point-to-point encryption, also called P2PE, and tokenization to do what we call “devalue the data.” A lot of security folks think of defensive depth as putting up firewalls and high walls to try and keep hackers from getting sensitive customer information, like payment card data. And what we’ve done is completely turn the whole security model on its head by offering technologies that devalue this data. We either encrypt payment card data by injecting millions of encryption keys into each and every credit card accepting device or machine, or we tokenize the data. So anytime the data is going through your networks, it’s encrypted in such a fashion that even if the hackers can get through and penetrate your protection and your defensive depth, what they get is useless to them. We help to remove the horrible effects of breaches, which is obviously a huge benefit, but we also reduce PCI compliance, which is a big thing for retailers, merchants and other enterprises. All merchants or any retailer who accepts or touches credit card data can have up to three hundred and thirty five security requirements to adhere to, and our P2PE solution can reduce that by up to 90%.
Julie Bryant Fisher: And that is a really big deal for so many companies right now. I want you to describe what your role is as Chief Strategy Officer and a little bit about how you got the company off the ground as the founder.
Ruston Miles: I started Bluefin in 2002 in Tulsa, Oklahoma, building a secure payment gateway for merchants. In 2012, we merged with Capital Payments, moved the headquarters to Atlanta, GA, and rebranded the merged entity to Bluefin Payment Systems and most recently, just Bluefin.
Since then, we’ve been focused on payment security, and my role is to make sure that we are responding and reacting to what’s happening right now, and also taking a look around the corner about what’s next in payments. So for example, when the breaches really started in 2013 with some of the big names, it highlighted the need for better payment security at the point of sale. We were the first company in North America to provide PCI-certified P2PE in March 2014, which really coincided with the beginning of a lot of these breaches that we heard about. I kind of look ahead into the crystal ball and strategize on how our company is going to pivot in order to react to those opportunities, and then turn around and provide products and services to solve payment security problems. As we’ve said, transaction security and data protection are just of enormous importance to customers right now. And Bluefin has really put itself out there as an expert in P2PE.
Julie Bryant Fisher: So give us an update on what your technology affords your customers. What does it help them do?
Ruston Miles: In 2006, Visa, MasterCard, American Express and Discover started a group called the Payment Card Industry Security Standards Council, or PCI for short. Instead of having six different security standards that everybody had to meet, they decided to come together and make one Council that could advise on and put out one set of security standards that companies accepting credit cards had to meet. In about 2011, they introduced what’s called the P2PE standard, which provides the highest level of card present payment encryption available, but also provides a solution for merchants and retailers that reduces their PCI scope. With P2PE, the card data is encrypted at one point – for example, the payment terminal – and then decrypted at the other point. Even though it may sound simple, how it’s done is through a very specific and very secure way.
Julie Bryant Fisher: And so let’s step back for a second and talk about how the problem started. I think you just said in 2013 that some of the biggest names experienced breaches. So what do the breach statistics look like these days? What’s the risk? How are the hackers getting into these systems and causing customers and companies an enormous amount of trouble?
Ruston Miles: You know, it’s a good time to be a hacker. Data breaches have gone up and to the right. And there are all sorts of breaches that happen with other kinds of data beside just payment data that might be conducted by state funded actors for different reasons – government breaches, healthcare breaches, etc. But from our perspective, we focus on those breaches that really expose credit card, debit card and payment related data.
And someone might look and say well, you know Ruston, you just said that the PCI data security standards have been around for almost a decade now. Shouldn’t things have gotten better? But what’s happened is that the hackers have really changed their whole attack vector. Prior to the establishment of the PCI standards, they would go in and hack millions of cards all at once and rip them out of some business’ data center. Now, because businesses are doing such a good job of keeping this information out of the databases in the back offices and the data centers, the hackers started to use malware, thinking hey, you’ve got 4000 locations of your sandwich shop and we’ll just go attack all those 4000 at the point of sale and put malware in there and just silently listen to the credit card data as it flows through your network. You’ll never know what happened and then they go sell it on the dark web, and that’s the real threat. Finding out after the fact, only when those cards go on sale. And that’s why the technology that we provide is so popular because that data needs to be encrypted right at the point of swipe, type or dip. However it’s being entered in the device, it needs to be encrypted right inside of that device before it gets on your network. Otherwise, the data is exposed.
Julie Bryant Fisher: It’s crazy how as a customer I’m so excited about new payment technologies, and all the different ways that I can give you my money without having to do a whole lot. So what are the best things you’re seeing companies do other than obviously adopting your technology?
Ruston Miles: You hit the nail on the head there. You know, there’s a payments revolution. And that’s been going on for quite some time now. All these payment innovations are coming out, making it easier for folks to interact with retailers and merchants. As I like to say, changing the whole concept of point of sale was a merchant concept and now it’s really becoming a consumer concept. The point of sale is now wherever I have my cell phone or wherever I want to pay.
It’s a necessary evolution point, but payments innovation should not outpace payment security innovation. Otherwise, in that margin is where the hackers are going to attack. Merchants are having to secure all of their payment channels, and I would have to say that without technologies like P2PE and tokenization, which are transparent to the consumer, a lot of merchants might not adopt new payments innovations and security because of friction. Believe me, there are departments within businesses and organizations I speak with that say “Hey, we’d love to go ahead and offer mobile or extend the POS and do all these great new things to make life easier on us and our customers.” But what about security? You don’t want to slow down the checkout process and provide friction to the innovation because of security. That’s why we believe devaluing the data is the right approach where you can focus on security by focusing on the data itself. Which is completely transparent to the end customer.
And one thing I want to address is when folks are confused by having a chip in the card when it comes to security. The chip is actually an anti-counterfeit card measure, which basically says hey, this plastic card isn’t fake. So it actually protects the merchant from you presenting a fake card, but it does not protect you and your card data once you give it to the merchant. So that’s sort of something that folks physically see and feel more secure about their purchase. And that’s why these “unseen” technologies really are important.
Julie Bryant Fisher: Wow. What are the things that you’re thinking about in terms of opportunities for a company like Bluefin? What’s on the horizon?
Ruston Miles: One of our company’s fundamental underpinnings is that we secure sensitive data. We have to get this right because so many companies in the U.S. are moving slowly and you know, we look over into China and see payment methods like Alipay moving so quickly in adoption. When we look over here, why are things not happening as fast? Chip cards are a great example of this. Europe has had the chip for quite some time but they’ve also had a mandate. There’s a mandate by Visa in Europe that any new mobile point of sale device is required to have P2PE. It’s required to be there for any new imposed installation. That’s of course bringing Bluefin quite a bit of new business in Europe. While we are based in Atlanta, we serve a lot of different parts of the world, and part of it is because we have the technology to meet these types of mandates and initiatives in other countries.
And GDPR is another great example of other countries taking a hard-nosed initiative with data protection and privacy protection. The easiest way to see what’s going to happen in the U.S. is to look into Europe and see what’s happening with their payment and privacy initiatives. While we invented the credit card system here in the United States, we have always been sort of behind. Part of the reason is that this is a big country with quite a few different payment providers and retailers. The UK got chip probably 10 years or 12 years ahead of us on their cards. Bluefin was the first to offer P2PE in the United States but there were 3 UK providers already when we got validated. So we can just look over there and see that it is going mobile and the further it gets away from being a merchant concept, it needs to be secured even more so.
Julie Bryant Fisher: It’s amazing how important tech has become, and it’s obviously a great opportunity for a company like Bluefin and we’re so glad that you’re here in Atlanta and part of Georgia’s amazing technology ecosystem. Talk a little bit about why Bluefin is here in Atlanta and what you guys have planned next.
Ruston Miles: Atlanta is sort of the mecca for the payments ecosystem. I think some of that goes back to the Atlanta Fed; a lot of the original innovation just kind of came out of that particular area and they are still very involved. So I think that’s certainly why we are here and we want to be as close to the action as possible. We have offices in New York, Chicago, Tulsa and Waterford, Ireland, so this gives us a footprint to service other locations. You know we’ve got 34,000 merchants or so, but some of our clients have as many as 40 or 50 thousand locations across the globe. So partnering with other companies that provide technology logistics payment processing to serve those customers is key to our strategy. They integrate to us to provide our security services to their customers. So what better place to be than right next door to all your partners.
Julie Bryant Fisher: That’s fantastic. People sometimes forget that Atlanta is Transaction Alley. So many of the payments transactions that go on globally flow right through Georgia. And it’s a perfect time for the FinTech space and a great way to plug in when you’re part of a great community and ecosystem that’s right around you. We’ve got loads of things going on at TAG this year related to the FinTech industry of course. So to wrap up, what are the things that are exciting you, or what are the things that are keeping you up at night, as they always say?
Ruston Miles: Well as you can imagine, for any company, it’s how do you cross that chasm? We started off as an entrepreneurial style company and have been growing rapidly. We made it to number six on the Inc. 500 in 2012 and that was evidence we were experiencing rapid growth – being named the sixth fastest growing company in the country. And so that meant that through this period of rapid growth, we needed to focus on the things that we were skilled at, our unique innovations, and look to our partners for their expertise. And in our case, it is providing our P2PE solution through the platforms of over 100 partner processors, payment gateways and ISVs.
What I always have on my mind is how can I make what we offer essential, and how can I be the evangelist for payment security? We’re constantly on the road and around the country spreading the word about encryption. It’s not always the most exciting topic and not everyone is as passionate about it as I am! So my job, and our company’s job, is to say hey, it doesn’t sound exciting but it’s absolutely vital. And so that’s where my mind has been over the last almost decade now.
And now finally, our message is shining through and what better place to do that than right from Atlanta. And we feel like we have the right message at the right time. So we’re just super excited.
Julie Bryant Fisher: That’s great. Well it’s always awesome to talk to a FinTech evangelist and great to speak to a dynamic and growing company like Bluefin, Ruston. Thanks so much for your time and today’s conversation.