Outsourced payment card services to take off by 2015

Retailers struggling to manage mounting credit card information will turn to third-party secure payment services such as tokenization and encryption in next five years, according to RSA.

Retailers are buckling under the strain of having to store, manage and locate key customer account information as well as remain compliant with industry standards. In order to manage their credit card data security, a new RSA study suggests that companies look at secure payment services such as data encryption and tokenization.

The report released Thursday painted the backdrop of the retail industry, as one with merchants having to face increasing challenges such as expanding IT demands, particularly when it comes to maintaining credit card data.

Other key concerns mentioned were the rising and more expensive PCI DSS (Payment Card Industry Data Security Standards) requirements and the increasing number and sophistication of cybercriminals in the market.

According to the Verizon 2009 Data Breach Investigations Report, which was cited in the RSA report, 285 million payment card records were breached in 2008. Furthermore, another survey by LexisNexis found that retailers lost US$100 billion from fraudulent transactions and from fees and interest costs associated with charge-backs in 2009. The other losers were banks, which lost US$11 billion, and consumers suffering losses amounting to US$4.8 billion from fraud.

To combat online fraud and still be able to manage spiraling maintenance costs, the RSA study suggested retailers look at a form of outsourced service arrangement, which it called the "secure payment services" model.

Through this method, retailers can hand over the responsibility of safeguarding credit card information to third-party service providers, thus improving electronic card data security while saving on time, operational complexity and the cost of achieving PCI compliance, the study said.

"As merchant responsibilities associated with storing payment card data continue to increase, these new centralized repositories [operated by third-party vendors] allow retailers to preserve all the marketing and operational advantages of tracking card information while transferring a large portion of the risk by removing the card numbers from the retailers' card environments," said Craig Tieken, vice president of merchant product management at merchant processing services company First Data, in a media statement.

He went on to predict that many merchants will move to this outsourced services model by 2015, and that this shift will create a new industry standard for securely processing credit, debt and other payment card transactions.

Changing face of data security
Likening the current process of safeguarding data to protecting a VIP (very important person) in a crowd, the study said that companies tend to just create a defensive perimeter around designated databases and limiting people's access to the information stored in them.

However, the problem with this method is that sensitive card data "often escapes from retailers' secure payment processing systems" into non-payment business applications such as CRM or ERP, the report noted.

To prevent such data leaks, encryption was one of the additional methods recommended in the RSA report to prevent cybercriminals from siphoning off important customer data.

This security method keeps data safe by applying an algorithm or series of mathematical operations to render the data unreadable to anyone without the proper decryption key. This means that even if the information is stolen, the thieves will not be able to use the data.

The other measure was to employ tokens, which the report described as "a process in which a random number generator creates strings of characters, or tokens, that can be used in lieu of more valuable data".

The report went on to explain that in such a tokenized IT environment, tokens and the credit card information they represent can only be matched and decrypted in a centralized, secure database, known as the "codebook".

"Tokenization has emerged as one of the most promising data security technologies for the payment processing space. We've seen very strong interest in the merchant community…even among companies that are PCI-compliant," the report stated.

"[This is because] merchants view tokenization as an effective way to reduce their PCI scope, as well as counter the mounting costs of PCI compliance."

The banking sector has been one of the first industries to embrace tokens, especially as an authentication tool for online banking.

For instance, the Monetary Authority of Singapore (MAS) had issued an advisory back in 2006 for banks to implement two-factor authentication (2FA) for online transactions, and the process can be conducted via both hardware and software tokens.

Sam Curry, chief technologist at RSA, the security arm of EMC, and one of the authors of the report, added: "Just as bank accounts insured by the FDIC (the U.S.-based Federal Deposit Insurance Corporation) provided a better way for people to save cash than stashing it inside their mattresses, this new generation of outsourced secure payment card services will provide a way for merchants to track and use payment card data that is vastly superior to keeping actual card numbers within the enterprise."

The report also expects many companies to offer such secure payment services within "the next two years" and the first ones on the scene will most likely be companies with experienced in securing electronic payment card data, such as gateways, payment processors or card associations.