Company is the Only Validated Oracle E-Business Suite Integration for Payments

PHILADELPHIA (April 10, 2015) — CardConnect, a payment processing and technology services provider, announced that it will be attending COLLABORATE 15, an  Oracle User Group event offering the full spectrum of Oracle Applications and Technology education.

As the leading payment gateway and tokenization solution, CardConnect is the only validated Oracle E-Business Suite (EBS) integration for payments. Its patented solution provides the greatest reduction of Payment Card Industry (PCI) scope from mail order, telephone order and call center environments.

“An enormous amount of cardholder information has gotten into the wrong hands simply because businesses cannot protect raw card data,” said Rush Taggart, Chief Security Officer at CardConnect. “Thankfully, adoption is growing for technologies that help avoid catastrophic data breaches. Tokenization, coupled with point-to-point encryption and EMV, ensure that the most sensitive information remains protected. By seamlessly integrating with Oracle, our solutions create peace of mind for customers and businesses alike.”

CardConnect’s patented solution allows businesses that both accept credit cards and run Oracle to:

• Remove the burden of PCI compliance
• Eliminate the threat of a data breach
• Reduce interchange to the lowest possible level
• Automate reconciliation
• Seamlessly integrate all sales channels

Hosted by Oracle’s three largest user groups, COLLABORATE 15 takes place April 12-16 at Mandalay Bay Resort and Casino in Las Vegas. Visit CardConnect’s booth #1140 for more information, or visit the company’s website at www.cardconnect.com.

About CardConnect

CardConnect® is a rapidly growing payments technology company that provides solutions for companies that accept bank card transactions, store sensitive data and seek to push the boundaries of innovation.  Trusted by more than 50,000 businesses, ranging from Fortune 500 Companies to independent coffee shops, CardConnect’s proprietary gateway and API make payments simple, integrated (Oracle, SAP, JD Edwards) and secure. CardConnect’s patented payment security solutions use point-to-point encryption (P2PE) and tokenization to provide an unparalleled level of data breach protection and full escape form the burden of PCI compliance. For more information, visit cardconnect.com.

CardConnect is pleased to share that we were featured as one of SmartCEO’s Future 50 award winners for 2015! The Future 50 Awards recognize 50 fast-growing, mid-size companies in the region.

From SmartCEO:

Growth Credited to Transparency

As a leading provider of secure payment processing and technology services, CardConnect has seen rapid growth. President and CEO Jeff Shanahan credits this growth to a combination of strategic acquisitions and technological innovation. CardConnect expanded quickly by acquiring nine companies to increase scale, cash flow and geographic reach. Through its acquisition of Princeton Payment Solutions in 2012, and with it, the firm’s gateway and Fortune 500 clientele, CardConnect transitioned from reselling into providing its own payment technologies.

  

Quick Tip: “Even with a great education, there is still everything to learn.”

CardConnect was founded with a desire to repair the lack of transparency and trust prevalent throughout the payment processing industry. Merchants entrust their processor with sensitive customer payment information, and breaches undermine a processing company’s reputation. CardConnect takes that responsibility seriously. Recently, CardConnect has been awarded two patents for securing confidential information through tokenization. It was also awarded a contract for the Social Security Administration’s payment acceptance needs. In the next five years, as paying with a plastic card becomes antiquated, CardConnect will have a fuller product suite that allows any type of business, small or large, to use the most contemporary payment acceptance technology.

Learn more about SmartCEO’s Future 50 Awards.

By Samantha Drake

Photography by Mitro Hood

During the height of the December 2013 holiday shopping season, Target Corp. admitted a massive data breach had occurred, exposing the personal information of 40 million customers who had used their credit and debit cards at the retail chain.

Ultimately, Target found that the personal data of approximately 110 million customers had been compromised, which led to a nosedive in sales, scores of lawsuits against the retail giant, and state and federal investigations. A few months ago, Target’s CEO resigned.

The data breach didn’t surprise Jeff Shanahan at all. “We knew that was coming,” says Shanahan, 36, who took over as CEO of payment processor CardConnect in February 2014. “We knew there were many, many merchants out there that were taking peoples’ cards and not securing them from the minute they got them.”

Wake-up call

Huge data breaches tend to catch Shanahan’s attention because King of Prussia, PA-based CardConnect is in the business of making sure its clients’ in-person and online credit and debit card payment transactions are secure. Target’s was hardly the first big data breach, but it made CardConnect’s customers nervous enough to check in and make sure they were adequately protected, notes Shanahan.

“The Target thing was a wake-up call for our industry as a whole,” he says. In 2014 alone, Neiman Marcus Group Ltd., P.F. Chang’s China Bistro and Michaels craft store chains have all announced significant data breaches that compromised the information of millions of credit and debit card holders.

CardConnect’s goal is to ensure its customers don’t become a statistic in this disturbing trend. Its proprietary payment gateway and security products address the needs of merchants who accept credit and debit cards, as well as gift cards and loyalty cards. With more than 50,000 retail customers nationwide, ranging from the pizza place down the street to Fortune 500 companies, CardConnect processed $13.1 billion in card transactions in 2013, not including debit cards. The growing company brought in more than $349 million last year and has 125 employees, up from just 25 in 2010.

And along the way, Shanahan has made key strategic decisions that enabled the company to scale quickly by buying smaller, similar companies, and then focusing on obtaining technology CardConnect didn’t already have. At the same time, Shanahan drove CardConnect’s relocation from Ohio, led the company’s rebranding, and positioned the company to meet the latest security challenges.

Work and family

In 2006, a group of entrepreneurs, including Brian P. Shanahan, Jeff Shanahan’s oldest brother, formed the payment processing firm Financial Transaction Services LLC in Cleveland, OH. The founders picked Cleveland primarily because that’s where the company’s first president lived.

A few months later, at Brian Shanahan’s urging, Jeff Shanahan joined the new company as chief operating officer and relocated his family from Pennsylvania to Cleveland.

“I’d always thought about working with Brian before, but I didn’t think it would work too well being in the same office,” Shanahan admits, adding with a laugh. “We both have large personalities.” Fortunately, Brian Shanahan, who was CEO at the time and lives in Pittsburgh, left the day-to-day operations to his brother. “It actually worked out wonderfully,” Shanahan adds.

“It was time to pass the baton,” says Brian Shanahan, 43, a serial entrepreneur in the credit card processing space and now CardConnect’s non-executive chairman of the board. He notes that he and his brother think similarly and see high-profile breaches like Target’s as both vindication of CardConnect’s approach and an assessment opportunity. It’s a toss-up as to who calls the other first to talk about the latest data breach news, Brian Shanahan adds.

The two aren’t the only family members involved in the company. Their youngest brother, Patrick, joined CardConnect in 2008 and is now chief operating officer. In addition, their father, Jim, and another brother, Michael, are among the company’s more than 1,000 independent sales agents that resell CardConnect’s services. A fifth brother is a cardiologist in Pittsburgh. Naturally, at Shanahan family gatherings, the talk inevitably centers on work. “Fortunately or unfortunately, it always turns to business,” says Brian Shanahan.

On the move

The company remained in Cleveland for more than six years before relocating to the Philadelphia area. Shanahan says moving the company’s headquarters has been his biggest decision so far. “With all due respect to Cleveland, it was very hard to find new talent there,” he says. “I never felt like we could get to the next level there.”

Shanahan presented the move to the 30 employees in the Cleveland and Chicago offices as an opportunity to grow with the company. “We knew we had big things ahead,” he explains. He was pleasantly surprised when the Cleveland employees jumped at the chance, although the Chicago workforce was a harder sell. The company, renamed CardConnect, offered generous relocation packages to those who wanted to move, and separation packages to those who didn’t, says Shanahan.

The relocation cost CardConnect about $3 million, which was a big hit for the company in the short term but will pay off in the long run, Brian Shanahan points out.

King of Prussia’s suburban location outside of Philadelphia was a logical, affordable choice on the East Coast for the new headquarters, Shanahan says. CardConnect still has an office in Cleveland as well as offices in Boca Raton, FL, Kansas City, KS and Denver, CO. Shanahan and his wife, Tara, and their son and three daughters, ranging in age from one to nine years old, now live in Devon, PA.

Best buys

CardConnect’s strategy since its inception has been to grow quickly by buying other companies. Between 2006 and 2012, CardConnect bought nine companies around the country.

The acquisitions — one in 2006; two in 2007; one in 2009; one in 2011; and four in 2012 — brought scale to CardConnect and reversed its negative cash flow. “We were a small merchant service provider to a few thousand merchants back in 2006. Our first few acquisitions were done more out of necessity; we needed to get bigger quickly,” explains Shanahan. “Until you get to scale, you’re kind of always behind.”

Each new purchase brought a new salesforce and customers on board, enabling CardConnect to increase the number of transactions conducted, a key measurement in the industry, he points out. As CardConnect grew, its strategy became more selective as it began focusing more on technology and buying similar, small providers of merchant services, Shanahan says.

The purchase of Princeton Payment Solutions (PPS) in 2012 represented this focus and, because PPS is located in the Princeton, NJ, area, it also reinforced the decision to move the company headquarters to the East Coast, Shanahan explains. The deal boosted CardConnect’s customer list with customers including General Electric Co., and Adobe Systems Inc.

PPS brought CardConnect a tokenization process it had developed and patented for its Fortune 500 customers. Tokenization involves replacing sensitive payment data with a unique identifier known as a token, which renders cardholder data unreadable and therefore useless to hackers. According to CardConnect, combining tokenization with point-to-point encryption (P2PE) — where plain-text card data is converted into cipher text at the time of collection — offers the best protection against data theft.

Building a brand

“When I look back, most of our great decisions were made fairly quickly and based on our instincts,” notes Shanahan. “When you’re growing fast, nobody sits down with a playbook and scripts what you’re going to do with the company.”

Rebranding the business, for example, was a swift and intuitive process. In April 2013, Financial Transaction Services changed its name to reflect the company’s shift from working primarily with independent distributors to developing and selling its own products and services. Shanahan says he also wanted the new name to be the company’s URL.

Brainstorming sessions and consultations with a local public relations firm focused on what the new name should convey about the company and its business. “It boiled down to ‘we connect card transactions,’” says Shanahan. So the company settled on the name CardConnect, tested it out, and then ran with it.

Too much analysis and planning can undermine the decision-making process, says Shanahan, pointing out that, “the more you analyze things and the more you think about things, the more complex they get. Oftentimes the answer is sitting right in front of you.” He advises others to simply “go with your gut and don’t overcomplicate things.” Mistakes will be made along the way, of course, but your decision-making track record will improve over time, he adds.

Shanahan admits it was easier to make quick, instinctive moves when the organization was small because at that point, the decisions were made “out of survival.” In the early days, management knew the company had to get bigger fast, so they researched the best acquisition opportunities and then went out and bought those companies. CardConnect could afford to take risks because it had less to lose, he notes.

Shanahan is known for his ability to make quick, confident decisions, confirms Patrick Shanahan, 29, who became chief operating officer in 2011 after joining CardConnect to help manage a new acquisition. Buying another company is already a long process without spending months hashing out details, he says, noting that Jeff Shanahan knows what’s important and what’s not in closing a deal.

A rapidly growing business needs a leader who is “nimble and can change directions quickly,” Patrick Shanahan says. “Not everyone is cut out for it.”

Test, evaluate and pivot

As CardConnect grew, Jeff Shanahan says, he started taking a more analytic approach to decision making. “You don’t do things as fast as you did early on because you’re trying to do the ‘perfect’ acquisition or the ‘perfect’ deal,” he explains.

The company pivoted its business strategy in 2012 with the purchase of PPS. Until then, CardConnect primarily resold other companies’ processing services and payment gateways, which capture the credit card information and send it to the processor. In order to keep up with competitors, CardConnect began providing its own payment solutions through PPS. The new strategy gave CardConnect a foothold in payment gateways, which continue to be a dynamic, developing part of the payment processing industry.

Of course, not all decisions work out as planned. Shanahan acknowledges CardConnect overextended itself in 2012 when it bought four companies. As the company struggled to absorb its new assets while continuing day-to-day operations, it took a needed break from acquisitions in 2013.

“You have to pace yourself a bit. I think at certain times we tried to grow too fast,” says Shanahan. “As a result of doing too many acquisitions at once, we ended up with some problems.” There’s only so much time and so many people to manage the issues that come up, he notes.

Shanahan says the organization is now ready to jump back in and is scouting potential firms. “We are looking to buy,” he says.

A bright future

As CardConnect continues to create new security solutions for its customers, its biggest upcoming challenge is helping customers comply with certain security mandates by their 2015 deadlines.

U.S. merchants adhere to standards for protecting payment card data set by the Payment Card Industry (PCI). PCI is mandating the replacement of credit and debit cards that have a magnetic stripe on the back with cards embedded with EMV chips that encrypt the card’s information. “EMV” stands for Europay, MasterCard and Visa, the card issuers that first championed chip-based payment cards.

Europe and Canada got on board with the initiative right away, but the U.S. held off and is now playing catch-up with the rest of the world, says Shanahan. Merchants must now have EMV-compliant terminals to accept payment cards with EMV chips by October 2015 or face a shift in liability from the card issuer to the merchant.

Shanahan considers the move to be too little, too late. “The EMV thing is great, but implementing it after the fact doesn’t help much,” he says. Furthermore, “the cost of converting to EMV is a lot higher than it would have been 10 years ago.”

In advance of the deadline, CardConnect is partnering with payment solution provider Ingenico to offer customers EMV-compliant payment acceptance devices integrated with CardConnect’s encryption technology, says Shanahan. While CardConnect had no control over the timing of the migration to EMV cards, the company hopes to capitalize on the mandate by enticing customers to use point-to-point encryption as well.

A second 2015 deadline also looms. PCI is rolling out its latest Data Security Standard (DSS), known as PCI DSS 3.0, which governs the controls on sensitive data stored on credit, debit and other types of cards to reduce data breaches and fraud. Among other things, PCI DSS 3.0 will require merchants to be more vigilant about monitoring for security breaches. PCI DSS 3.0 is being phased in over time, but will officially take effect on July 1, 2015.

Once again, the stricter PCI DSS 3.0 standard is a reaction to breaches that have already happened, Shanahan points out. Still, CardConnect has its work cut out helping get customers on board with the new, costly requirements, particularly smaller merchants. “It’s hard to get a small pizza shop to get concerned about fraud or security,” he says.

Predictably, as a proactive decision maker in a reactive industry, Shanahan isn’t waiting for customers to ask for help with the new requirements. CardConnect is pushing EMV compliance while developing EMV-compliant terminals and other solutions as quickly as possible. If customers still need convincing, Shanahan can point to the Target data breach as a recent example of what can happen if a business isn’t prepared. CEO

Samantha Drake is a freelance writer based in Lansdowne, PA. Contact us at editorial@smartceo.com.

View the original post here or download a PDF of the magazine version.

CardConnect Mobile allows merchants access to all payments, inventory and reports from any mobile device

PHILADELPHIA (January 29, 2015) — CardConnect, one of the nation’s fastest-growing providers of payment processing services, announced the launch of CardConnect Mobile, an app that allows merchants to accept payments, edit receipts, manage inventory and view reports on their mobile device.

CardConnect Mobile is fully integrated with the CardConnect Gateway, which means each transaction is secured using patented encryption and tokenization. The integration also provides real-time reconciliation reporting, customer profile storage and transaction management – all accessible in CardConnect’s payments portal, the Merchant Center.

“By being fully integrated with our extensive line of payment technology products, CardConnect Mobile sets itself apart from other credit card processing smartphone apps,” said Patrick Shanahan, Chief Operating Officer at CardConnect. “We know that merchants are no longer sitting in one place while their payments come through – it’s all about omnichannel retailing. That’s why we secure and support all sales channels − from storefront and e-commerce, to events and call centers – and provide a single portal where all of these transactions can be properly managed.”

CardConnect Mobile includes a swipe device, allowing transactions to qualify for CardConnect’s low card-present processing rates. Its features include:

• Digital Signature Capture: Gives customers the ability to sign credit card receipts easily
• Barcode Scanner: Ring up items by taking a photo of the barcode
• Inventory Management: Instantly add, modify and delete items in inventory. Snap a photo of it to make checkout even simpler
• Receipt Customization: Add the company logo, social media accounts and custom messages to receipts. Receipts are digitally sent to the customer
• Offline Transactions: Take payments even when the network is down. Simply run the transaction as usual, then upload when the mobile device is back online
• Reduced Chargebacks: Collect CVV codes and ZIP codes in order to reduce the risk of fraud when manually entering card information

The app is available on iOS and Android devices. For more information about CardConnect Mobile, merchants can visit cardconnect.com/ccmobile.

About CardConnect

CardConnect is a leading provider of payment processing and technology services that helps more than 50,000 merchants nationwide – from Fortune 500 companies to small and mid-sized businesses – accept billions of dollars in card transactions each year. The company’s payment gateway and security solutions address the complex needs of merchants accepting credit, debit, check, gift card and loyalty transactions. For more information, visit www.cardconnect.com.

Your holiday shopping experience will be different next year — at least in how you pay. By October 2015, most retailers in the U.S. will have switched to accepting EMV (EMV stands for Europay, MasterCard and Visa, and is already a standard worldwide).

But EMV, which relies on a chip in a credit card instead of a magnetic strip, is not going to be the magic cure for stopping credit card fraud, experts say. It will tamp down some efforts by hackers, but fraud will still continue — just elsewhere.

Past Point-of-Sale Woes

Despite a common narrative that the adoption of EMV is a response to major retailer hacks like those at Home Depot, Target and Neiman Marcus, the EMV switch has been in the works for years.

In 2012, Visa, MasterCard, American Express and Discover set the Oct. 1, 2015, date as to when liability for fraud would shift from the credit card issuers to retailers if those retailers had not adopted EMV payment terminals (the only exception is pay-at-the-pump gas station terminals–that liability shifts in October 2017).

EMV cards most likely wouldn’t have prevented the recent spate of big hacks, but those hacks did have banks asking about EMV sooner than they might have otherwise.

“Although the Target breach had very little to do with counterfeit fraud, it was the catalyst for many of our clients to pick up the phone and say we want EMV now,” says Bob Legters, senior vice president for product at FIS, a banking and payment technology company.

“If you don’t do it, you will be one of the only guys who is not,” Legters says. “The fear would be if I’m the only guy on the street without bars on my windows, I’m going to be the guy who gets robbed.”

He says his clients are ramping up for next year and will wrap up issuing chip-enabled cards by September. Most will be sending out replacement cards with chips first, then reissuing to other customers even if their cards are not expired.

The only exceptions are clients that currently serve a globally minded customer base, like a pilot’s credit union FIS works for. The credit union has already gone to EMV because customers wanted chip-enabled cards that they would be able to use in Europe.

“It does create a global standard, and that is a good thing,” Legters says.

What Fraud EMV Stops — and Doesn’t

EMV goes miles to halt a very specific kind of fraud: counterfeit fraud. That’s when someone clones your card, and then uses a duplicate of your card to make purchases in your stead.

Right now, it’s easy to steal information from a credit card using a skimmer that reads data from the magnetic strip, which fraudsters use to creates a card with that information. It will be exceedingly difficult to do the same with a chip card.

EMV may also offer protections on what kind of data can be scooped up from a point-of-sale hack. “If EMV had been installed and everyone was using an EMV card, then that data that was stolen could not have been used as easily,” says Rush Taggart, chief security officer of CardConnect, a payment technology company.

But the technology will not stop fraud from card-not-present transactions (CNP), which leaves the entire ecommerce market wide open to fraud.

CNP fraud spiked in Europe and Australia after EMV was widely adopted. In the U.K. alone, CNP fraud was 157 percent more prevalent in 2012 than it was in 2001, making up 63 percent of credit card fraud losses that year versus 23 percent in 2001.

“It’s definitely an improvement, but it’s not the silver bullet for all credit card security because it doesn’t do anything for the ecommerce side,” says Taggart. “It doesn’t help because in a chip card, you still have your 16 digits printed on the front.” If hackers steal data about your card from a database, then they can use it online, whether they have a physical card or not.

Customers Up for Grabs

While some retailers have already installed EMV-ready terminals, the big push will come in 2015. If the transition to EMV does not go smoothly, consumers could look for payment alternatives, whether that’s with another card or with a different way to pay, like a mobile wallet.

“EMV is going to be disruptive to the market,” Legters says, because it’s a “change to the consumer experience, and any time you change the consumer experience, you put [customers] at play.”

Legters says that FIS has been stressing to its clients that they can’t just issue new chip-enabled cards; they need to inform their customers about what the new cards are and how they work. Otherwise, they could lose their customers to other credit card issuers.

The EMV switch could give a boost to payment mechanisms that don’t require you to have your card with you, like Google Wallet or Apple Pay.

“The wallet is going to be very dynamic for the next year,” Legters says.

View the original article

The Merchant Customer Exchange (MCX) is willing to use Near Field Communications technology like its rivals, its CEO said. MCX is a consortium of some of the country’s largest retailers that is setting up a mobile payments program that will stand as a rival to Apple (NASDAQ: AAPL) Pay, Softcard and other mobile payment offerings.

“We’re agnostic about technology,” MCX CEO Dekkers Davidson said during a press conference, according to TechCrunch. “We started with QR code-based technology that allows us to go to market broadly. If we need, we can pivot to NFC.”

MCX, which is launching a payment platform called CurrentC next year, held the press conference to address the uproar caused by drug store chains (and MCX members) CVS and Rite Aid, which stopped supporting Apple Pay as well as other payment methods that use NFC technology. Neither company had officially joined Apple Pay, but customers were able to use the service before it was disabled at the two chains last weekend.

Apple CEO Tim Cook called the developments a “skirmish.” He said this week that more than 1 million credit cards were activated on the Apple’s new Apple Pay service within 72 hours of its launch last week.

“I think there’s been a mistake made here, and that is focusing on the technology instead of what business or consumer problem you’re trying to solve,” Davidson told the New York Times.

He also noted that many in the industry had largely written off NFC for mobile payments until Apple finally decided to support it. “It’s ironic in a way that we’re talking about a really old technology being employed here,” he said. “Way before Apple Pay, merchants hadn’t enabled it or planned on using it.”

MCX plans to launch its mobile wallet, loyalty and offers platform under the CurrentC brand in 2015 at around 110,000 retail locations, including Walmart, Best Buy and Target. The app will use QR-code technology for transactions, essentially creating a scannable bar code. As Re/code notes, merchants are rallying behind CurrentC because it’s a payment method that won’t incur the credit card fees that retailers have to pay on each credit card transaction.

“CurrentC is built for retailers, to help them cut out interchange fees,” Nick Aceto, senior director at payment technology firm CardConnect, told Reuters. “It’s not a solution that will appeal to customers because it does not make their lives any easier.”

According to MCX, the app will make purchasing more seamless by applying qualifying offers and coupons, participating merchant rewards, loyalty programs and membership accounts, and then offering payment options through the consumer’s selected financial account, all with a single scan. Further, users’ payment information will be secured in the cloud rather than on the device, and the app will use a token placeholder to make transactions instead of constantly passing the data between the user, merchant and financial institution.

The New York Times had reported that CurrentC retailers would need to pay fines if they decide to use other mobile payment methods like Apple Pay. However, Davidson said “it’s simply not true, there are no fines.” MCX would not say though what happens if a partner breaches their contract. MCX merchants that choose to use MCX technology do so exclusively–meaning they can’t offer Apple Pay, Softcard or other services alongside CurrentC.

Meijer, a grocer that’s listed as a member on MCX’s site, said it won’t ban Apple Pay. When asked about whether that would disqualify Meijer from using CurrentC, MCX COO Scott Rankin did not definitively say so. “I think if they want to go forward and continue to accept Apple Pay, down the road at some point if they want to be a customer of MCX and roll out CurrentC and offer it to customers that’s great,” he told Re/code.

Yet Davidson said it was possible that in the future MCX could be used side by side with other payment systems. “In the future, that could be entirely possible…there will need to be two to three strong players in the ecosystem. One won’t simply build the market.”

Davidson also acknowledged that MCX’s email provider was hacked, though he wouldn’t disclose the name of the provider. He said the hack exposed fake zip codes and “some tester email addresses.” He added: “The CurrentC app itself was not affected. We own this and are taking it seriously.”

View the original article on FierceWireless.

How Tokenization Can be Used for Securing Payment Card Transactions and Data

Over the summer, representatives of the merchant community called upon all stakeholders in the payments industry to work together on establishing open and efficient standards to protect consumers and businesses in the United States against security threats.

The Food Marketing Institute, the Merchant Advisory Group, the National Grocers Association, the National Restaurant Association, the National Retail Federation, the National Association of Convenience Stores, and the Retail Industry Leaders Association believe that payment card and other sensitive personal information can be protected across commerce channels by adopting a universal tokenization standard. The organizations believe that this is a step that needs to be taken in order to mitigate identity theft and payment card fraud.

“Regardless of whether a consumer is paying at a brick and mortar checkout, at the pump, on the Internet, or even via a mobile phone, there is a need to ensure the payment data is protected. One way this can be done is through a technology called tokenization,” the organizations wrote in a joint statement issued July 28.

The U.S. Federal Reserve’s Mobile Payments Industry Workgroup (MPIW) has also discussed the advantages and the challenges of payment tokenization. A report released to the public in late September shows that the MPIW is concerned about the challenges posed by the development of common standards for tokenization, and the lack of consistent terminology. A new tokenization sub-group has been tasked with investigating the challenges.

American Express has also embraced tokenization. The company just launched a suite of solutions designed to protect online and mobile payments by replacing sensitive card information with tokens.

Tokenization is the process in which sensitive information is replaced with a randomly generated unique token or symbol. These tokens would ensure that data is not transmitted or stored in an unsecure format. However, for the use of tokenization to be efficient in the payments industry, a universal standard must be created to ensure that merchants can support the technology across multiple providers, and without negatively impacting customer experience.

Furthermore, the groups noted that tokenization can be the answer to securing not just payments, but other aspects of commerce as well, including the transmission and storage of electronic health records and age verification identity checks.

“This call stems from the fact the merchants are required to connect to services provided by the payment industry, and they cannot by themselves perform changes in the way these systems operate,” said Irene Abezgauz, VP of product management at Quotium. “The magnetic stripe technology is an old technology, over four decades old. A lot about the way we perform payments has changed, but this technology is still with us, and it’s weighing us back. The merchants need to comply and work with the interfaces they are given.”

Experts contacted by SecurityWeek agree that tokenization can be an efficient solution for security of credit and debit card data.

“Tokenization is a very useful solution that can protect cardholder data at many points in the transaction lifecycle, especially post-authorization and for recurring transactions once a card has been presented,” noted Rob Sadowski, director of Technology Solutions for RSA.

“Tokenization is a great solution that has been utilized for many years to mitigate the risks associated with payment processing for retailers of all types. One downfall to tokenization thus far has been the lack of a standard that everyone followed so this is a great step forward for consumer financial security,” said Mark Stanislav, security evangelist for Duo Security.

“Tokenization is the best currently available solution to significantly increase the security around payment card data without having to change anything on the cardholder end,” Gregory Nowak, principal research analyst with the Information Security Forum, toldSecurityWeek.

While tokenization can be an efficient solution, many have pointed out that it’s not enough to protect payment card data.

“[There] are no solver bullet solutions and protecting payment card data requires a comprehensive, layered approach. End-to-end encryption during the acceptance and authorization process as well as enhanced card and cardholder authentication technology in addition to tokenization also play an important role in card data protection,” Sadowski explained.

“It is best to view the security of payment card data as a series of layers that address different kinds of security threats.  Payment cards can be attacked on several fronts and no solution comprehensively addresses all of them,” said David Tushie, standards and technical representative at the International Card Manufacturers Association (ICMA).

The merchant groups that support the use of tokenization noted that criminals can steal payment card data where the card is swiped or a card number is entered, where card information is stored, and where card information is transmitted.

However, of these three vulnerability points, tokenization fully addresses only the second point, storage, and partially addresses the third point, transmission, explained Raymond Côté, president of Auric Systems International, a company that provides payment processing solutions.

“The press release is also unclear as to what is meant by ‘supported by all networks, brands and payment types.’ Does this imply a tokenized card could be submitted to multiple payment processors? If so, that would turn the token itself into a valuable commodity — an unfavorable outcome. The value of tokenization is that the token itself is valueless,” Côté told SecurityWeek. “One concern in regards to an industry standard for tokenization is that it could result in a monoculture with a single interface into tokenization services. Security exploits propagate quickly within monoculture environments.”

Advantages of tokenization

The obvious advantage of tokenization is that it preserves the value of cardholder data for merchants and service providers, while making it useless to criminals if it is compromised or stolen, Sadowski said.

“Tokenization dramatically lowers the likelihood of a credit card breach impacting them when a retailer is compromised. By representing their credit card details with a token instead, a breach of one retailer won’t require a replacement card to be issued,” Stanislav explained.

Rush Taggart, chief security officer at payment processing firm CardConnect, believes that tokenization offers better protection even than high quality encryption because the latter can be broken if the attacker obtains the encryption keys or if they have access to enough computing power.

On the other hand, tokenization doesn’t rely on encryption keys so organizations don’t have to worry about managing such sensitive data. Tokenization offers a higher level of security as long as the tokenization system is logically isolated and segmented from data processing systems and applications that process or store the sensitive data replaced by tokens.

“Another advantage of tokenization is that it can be applied to all types of sensitive data, not just credit and debit card numbers. Its capabilities include Social Security numbers, drivers’ license numbers, electronic health records, prescriptions, and even addresses – all personal information that should be properly protected,” Taggart told SecurityWeek.

Another advantage, pointed out by Nowak, is that tokenization can reduce the scope of systems for which PCI DSS compliance needs to be demonstrated. “Correctly implemented, it can both improve security and lessen the compliance burden,” he explained.

Taggart has noted that many large and small merchants in the U.S. have already implemented tokenization to radically reduce their PCI scope.

“Maintaining PCI DSS compliance across thousands of machines or more is extremely costly. Maintaining PCI DSS compliance for a small number of systems running the tokenization service is quite manageable. Utilizing a Visa-approved tokenization service provider can reduce PCI DSS compliance to just a few questions,” Taggart explained.

Disadvantages of Tokenization

As with all technologies, tokenization has some disadvantages. One of them, as pointed out by Sadowski, is that the most secure implementations require that the original card number be presented for tokenization. This means that the tokenization solution must have a way to protect the original cardholder data before it is tokenized. Furthermore, the centralized token vault in which the original payment card data is stored becomes an attractive target for criminals.

Another issue, according to Tushie, is related to infrastructure.

“Tokens must be created for each merchant and card account.  When a transaction flows through the Merchant and Acquirer processing systems, these account tokens must be de-tokenized so that the Issuer can approve the transaction for a known card account. Transaction settlement messages must be tokenized for Merchant and Acquirer systems,” said Tushie. “This requires new infrastructure of trusted third parties in the transaction flow to tokenize and de-tokenize card accounts in these transactions.  While this is not seen as a huge technological hurdle to overcome, it likely will add cost to the transaction fees for these third party services.”

Côté believes one of the disadvantages is that using payment processor specific tokenization, for instance, locks organizations into a particular payment processor. That’s why the tokenization service should support multiple payment processors or it should be payment processor agnostic. Other issues highlighted by the expert are the potentially negative impact on the speed of transactions, and the fact that data analysis can’t be performed on tokenized data since “good” tokens do not allow the initial data to be reconstituted just from the token itself.

“The only disadvantage I currently see is the recent watering down of what qualifies as a token. When we first developed our tokenization solution, about eight years ago, only random number strings with no value could be considered tokens,” said Taggart. “Now, there are things known as ‘cryptographically reversible’ tokens, which just seem to be created with a high-level of encryption – there is the risk the code could be cracked. The question remains how a business can receive an honest answer as to what type of tokenization a payment provider uses.”

“One of the concerns is replaying – we need to be sure that our token cannot be replayed or reused, because if it can – attackers will just use this token instead of the actual data and achieve the same criminal goals,” said Abezgauz.

Addressing the challenges

One of the challenges that must be addressed in implementing tokenization is that existing applications and infrastructure might have to be retrofitted or built from the ground up to accommodate the change, said Stanislav.

Tushie noted that secure financial payment cards, by their nature, must be interoperable in international interchange.  For example, a card issued in the United States must work at point-of-sale terminals in Singapore or Paris, and vice versa. This means that international standards addressing the card technology as well as the processing systems in which they work must be developed and agreed upon. However, the expert has pointed out that technology frameworks for tokenization have already been proposed by international standards organizations and EMVco, which manages, maintains and enhances the EMV integrated circuit card specifications for chip-based payment cards and acceptance devices.

“With strong industry backing, clear guidelines, and well devised reference implementations, tokenization will have the best chance to succeed in a timely manner. With consideration for keeping backwards compatibility with the primary account number (PAN), organizations would be more likely to adopt tokenization more quickly if there were fewer technical hurdles in their way,” said Stanislav

On the other hand, Côté highlights that in many cases the barrier to implementation is not technical, but institutional.

“Corporate reluctance to mandate proper security and privacy (whether PCI, HIPAA, or regional security standards) handling of their data is the largest challenge,” he noted.

According to Abezgauz, the balance is between the tokens not being replayable, and usability/scalability.

“Do we provide a new token to the user every time? How do we manage these tokens? We need to make sure we can easily connect the real payment information to the token. For smaller organizations this can be doable, but it’s not trivial when looking at massive scale,” she noted.

“One solution is providing means to do a challenge/response mechanism that will ensure that the user information never leaves the user possession. One example is the end-to-end encryption solution suggested by Visa. They released recommendations for doing end-to-end encryption to protect user data,” Abezgauz added. “When we talk about user payments though, how do we extend this from POS to online purchases where users want to be able to perform purchases using their payment card from different devices – mobile devices, laptops and more. Currently users are not supplied with card readers. It can be one option for a solution though.”

Conclusions

Some experts estimate that it would take several years to adopt tokenization on a wide scale. Abezgauz argues that tokenization on a wide scale is not trivial. “I do not see it happening in the near future. I am also not sure that eventually tokenization will prevail over end-to-end encryption solutions,” she said.

Taggart is more optimistic and points out that the recent data breaches have led to a surge in interest in these technologies.

“There are so many variables here that it is hard to say. If there was a dedicated effort to implement tokenization into all payment channels and tokenize all legacy cardholder information in software systems, I would say a lot could be done within the next six months to one year,” he said.

“Tokenization is the pinnacle of data protection technologies. The physical and logical separation of payment and privacy information significantly reduces a company’s exposure to information theft. Well-tested, reliable, and flexible tokenization services are available today; there is no technical reason to delay implementation,” said Côté.

Rick Ricker, VP of enterprise payment solutions at 3Delta Systems, a provider of payment and data tokenization services that specializes in card-not-present tokenization, says his company is pleased that the merchant community is recognizing tokenization as a valid technique for protecting customer data.

“Tokenization has gotten a fair bit of attention lately with efforts by the Clearing House and EMV (the card brands) touting solutions for transactional tokens.  The proposal to have ANSI x.9 create the standard to make it open is an interesting twist, of course the merchants have an interest in an open system that will have low cost,” Ricker said. “Overlooked in these recent announcements about new standard proposals is that currently there are several hundred thousand merchants that have already adopted tokenization offered by 3Delta and other gateways, as well as the processor community.  These solutions have tokenized and protected millions of credit cards.  Any merchant desiring a tokenization solution today can choose and implement today without waiting for a new standard.”

Nowak says tokenization is not a magic bullet, and organizations should only implement it after they’ve properly assessed the risks and benefits.

“Its primary benefit is to reduce the number of merchant systems on which cardholder data resides, thus reducing the PCI DSS compliance burden, and hopefully reducing risk of data loss as well.  Any organization considering implementing tokenization should do so only if their risk assessments have determined that, of all the major security initiatives they could undertake, this was the one that would have the most significant positive impact,” he explained.

Stanislav believes that the efforts to standardize tokenization are a great step forward and one that, much like EMV adoption in the United States, is well past due.

“The fight now will be to get a single standard created to reduce fragmentation of usage and also retrofit, as needed, fronted and backend systems to utilize the adopted standard when it’s ready,” said Stanislav.

View the original article on SecurityWeek

Oct 29 (Reuters) – Suddenly it’s Apple versus Wal-Mart in the fight for shoppers’ digital wallets.

With the development of a new mobile payment system, a group of retailers led by Wal-Mart Stores is aiming to upend the $4.5 trillion credit card market and control the precious transaction data generated at the checkout line.

The difficulty of the task became clear this week when drugstore chains CVS Health Corp and Rite Aid, in a move apparently aimed at shoring up the retailers’ pay system, stopped accepting payments on Apple Inc’s iPhones. That prompted consumers to complain that they were being denied a user-friendly payment option.

The “skirmish,” as Apple CEO Tim Cook put it this week, is the latest dispute to emerge from the Byzantine world of payment systems, which is dominated by banks and credit card firms.

Many payment experts said they are skeptical that the retailer-backed system, known as CurrentC, can gain traction, let alone thwart Apple Pay, a payment system launched by the iPhone maker last week. CurrentC is set to go live in 2015.

The retailers’ main objective appears to be to push credit card companies out of the payment equation, or at least get them to lower their costs.

“CurrentC is built for retailers, to help them cut out interchange fees,” said Nick Aceto, senior director at payment technology firm CardConnect, referring to the fees paid by retailers to credit card companies when a shopper makes a purchase. “It’s not a solution that will appeal to customers because it does not make their lives any easier.”

That’s not stopping the retailers from trying, and their consortium, the Merchant Customer Exchange (MCX), has clout, with $1 trillion in annual sales. In addition to Wal-Mart, its members include Best Buy Co and Target Corp.

MCX officials said CurrentC will work on any phone, integrating loyalty programs and payments into one transaction. While the group’s focus is helping consumers, they said, it hopes to shake up the payment system.

“MCX and the merchants that founded MCX are challenging … an entrenched, very large status quo, a $500 billion ecosystem on the payments side,” Chief Executive Dekkers Davidson said on a conference call Wednesday.

Davidson said MCX has made arrangements with two credit card companies and wants to partner with large issuers. But he did not say whether MCX would be willing to work with the likes of Visa Inc and Mastercard Inc and pay them conventional rates on interchange fees. Eventually, he said, “We expect that all cards will be welcome at CurrentC.”

Wal-Mart, which has made little secret of its disdain for paying processing charges, is suing Visa for $5 billion for what it says are excessive card swipe fees.

Credit card firms typically charge 2 percent to 3 percent of the value of each transaction. Retailers paid $66 billion in credit-card-related fees in 2013, out of $4.5 trillion in spending tied to major U.S. cards, according to the Nilson Report.

In contrast to Apple Pay, which encrypts payment data and keeps it out of the hands of retailers, CurrentC connects directly to a customer’s bank account. It will allow retailers to glean valuable data on spending patterns, which they can use to better target advertising and drive loyalty programs.

There would be no pooling of data across retailers, Davidson said, and shoppers can opt to remain anonymous. “Consumers will determine how they are marketed to or not marketed to,” he said.

MCX says CurrentC will be secure, an assertion that was tested on Wednesday when the group confirmed that hackers had obtained the e-mail addresses of some participants in a pilot program.

While Wal-Mart has said it has no plans to support Apple Pay, its rival Target is taking a more nuanced approach. Target has said it plans to use MCX for in-store checkout but is allowing Apple Pay for online purchases through its mobile app. Target is featured on the Apple Pay website.

MCX members have made up-front payments of $200,000 to $500,000 to join the group and signed multiyear agreements, according to people familiar with contract terms.

MCX said on Wednesday that when retailers join the consortium they do so on an exclusive basis, but there are no fines if they leave the group.

Walgreen Co, a rival to CVS and Rite Aid, said it decided to offer Apple Pay to give its customers more options.

“It is ultimately about providing the choice to customers because no one really knows how this space will evolve,” said Deepika Pandey, head of digital marketing at the pharmacy.

View the original article here.

LAS VEGAS, Oct. 31, 2014 — CardConnect, a fast-growing provider of payment processing and technology services, will be showcasing the latest development of its enterprise payment security suite at Money20/20, the leading global event for innovations in money.

Through the advancement of a multi-patented tokenization solution, a partnership with Ingenico®, and the development of native integrations in ERPs like Oracle® and SAP®, CardConnect offers an enterprise payment security suite that removes the operational and regulatory burden of handling raw cardholder data.

Encrypting and tokenizing payment information at the immediate point of entry protects an organization from losing cardholder data in the event of a data breach. This payment security method can be implemented into any sales channel, such as retail, e-commerce, mobile, call centers, and ERP software applications.

Point-to-point encryption (P2PE) and tokenization of all sales channels – which is offered through CardConnect’s enterprise payment security suite – drastically reduces an organization’s compliance efforts related to the Payment Card Industry Data Security Standard (PCI DSS). Organizations currently engaging in Version 3.0 of the PCI DSS Self-Assessment Questionnaire, can transition from a SAQ D to a SAQ A, eliminate the need for a full audit by a Qualified Security Assessor (QSA), and minimize other PCI-related overhead.

For more information, attendees of Money20/20 can schedule individual meetings with CardConnect or visit Booth #1325 during exhibition hall hours.

About CardConnect

CardConnect is a leading provider of payment processing and technology services that helps more than 50,000 merchants across the U.S. – from Fortune 500 companies to small and mid-sized businesses – accept billions of dollars in card transactions each year. The company’s patented tokenization, gateway and hardware solutions make payment acceptance simple, integrated and secure. Founded in 2006, CardConnect is one of the 10 largest independent sales organizations (ISOs) of First Data Merchant Services, the world’s largest electronic payment processor. For more information, visit cardconnect.com.