My old firm, First Data, have teamed up with RSA, the security division of EMC (NYSE: EMC) to provide a new service called First Data Secure Transaction Management which is engineered to enable merchants to secure payment card data and remove it from their environment while allowing access when needed.
Regular readers of the hot aisle will know that Data Leakage is a hot topic for me and I have written extensively about the issue. This product actually looks like it might make a difference.
For once personally identifiable data is being protected at source – the 16 digit BIN and other cardholder data is encrypted until it hits the highly secure First Data authorization network (armed guards, razor wire, and other stuff I won’t tell you about).
The alternative to Secure Transaction Management is that this data lies around on hundreds of thousands of retail merchants systems and although each and every one tries hard to avoid losing our data, in the end, it’s just a numbers game and data leakeage is inevitable.
Here is the main text of the press release:
The new First Data Secure Transaction Management service, offered exclusively by First Data and powered by RSA SafeProxy™ technology, will dramatically reduce the cost and complexity of complying with the Payment Card Industry Data Security Standard (PCI DSS).
By using First Data Secure Transaction Management, payment card data is encrypted at the time it is captured by the merchant’s existing Point of Sale application and remains encrypted until it is securely delivered to the First Data authorization switch where decryption occurs. Once authorized through the switch, the cardholder number is replaced by a “token” value that cannot be linked back to the original card data, but otherwise behaves like a card number. This enables the merchant to eliminate card numbers from various business applications without the need for costly application or point-of-sale hardware modifications. When needed, merchants can access the original number through a secure vault that First Data maintains for controlled authorized look-ups. This outsourced service helps merchants to reduce the risks associated with the loss of cardholder data, avoid fines, and help prevent the loss of brand equity and trust.
“The increasing need for data protection and the growing complexity of PCI DSS compliance are driving merchants to evolve their business strategies for securing customers’ sensitive information,” said Robert Vamosi, security/risk & fraud analyst for Javelin Strategy & Research. “Organizations that can employ a layered approach to data security, one that capitalizes on the inherent advantages of encryption, tokenization and other technologies, will be well positioned to protect card data and reduce the scope of PCI compliance.”
First Data Secure Transaction Management is powered by RSA SafeProxy technology, which employs a unique combination of tokenization, advanced encryption and public-key technologies, that are engineered to provide merchants with the capability to eliminate credit card data from their environments without loss of business functionality or massive rewrites of applications.
“Payment card data protection and demonstrating compliance with the PCI DSS are some of the most significant challenges that our merchant customers face today. There are many complexities as well as IT controls required to meet the standard which can present headaches, distractions and added costs,” said Michael Capellas, chairman and chief executive officer of First Data. “The simplicity of First Data Secure Transaction Management will change the game for both eCommerce and Brick-and-Mortar merchants in how they manage and protect their customers’ card data; safeguard hard-earned brand equity and ultimately protect their business.”
“To comply with the PCI DSS and reduce risk, organizations need security controls built into their infrastructure, and not bolted on,” said Art Coviello, executive vice president, EMC Corporation and president, RSA, The Security Division of EMC. “Rather than addressing security risks by deploying disparate point controls throughout their infrastructure, First Data Secure Transaction Management provides organizations with a simplified and scalable solution that helps radically reduce management complexity and costs.”