In the wake of last month’s announcement of the Global Payments Inc. data breach, the timing seems right for processors to tighten security and accept any risk involved with hacking and fraud, a vendor tells ISO&Agent Weekly.
Processors also should encourage merchants to keep card data off their payment systems by providing security services in which merchants would receive only tokens, or a set of symbols related to the card data, after card authorizations, suggests Suni Munshani, CEO of Protegrity USA Inc.
Granted, the Stamford, Conn.-based data-security software provider that Munshani oversees specializes in tokenization software, but he stresses the time has come to change a payments industry business model that works against merchants.
“Fundamentally, it comes down to simple economics and the cost of doing business,” Munshani says.
Processors and the Payment Card Industry Security Standards Council inform merchants how they must operate and comply with PCI standards, but they don’t talk about the cost of doing business for the merchant, Munshani adds.
“The merchant who is barely making a living will turn around and say, ‘thanks for telling me about PCI, but there is no return on investment for me,’” Munshani contends. Those merchants seek ways around PCI compliance, he adds.
Even worse, merchants who follow all PCI guidelines, yet still experience a breach on their system or the processor’s system, will turn around and sue the processor, the PCI council and the card networks, Munshani suggests.
Because of that dynamic and the news about the Global Payments breach, Munshani senses the payments industry is prepared to “transfer the risk up the food chain” as processors accept more risk responsibility and keep data away from merchants.
“Tokenization will become a core service provided by the processor and offered to merchants, and in the next two to three years it will be all of the buzz in the marketplace,” Munshani predicts.
It won’t be long before the websites of payment processors shift focus from the general services provided to highlighting information on home pages about how they keep the merchant safe, he adds.
Processors and acquirers are likely to embrace tokenization more readily because of the Global Payments breach, but many already provide the service, Adil Moussa, a senior analyst at Aite Group, a Boston-based consulting and research company, tells ISO&Agent Weekly.
“Some are giving tokenization away as part of the service; others see it as a source of revenue,” Moussa says. For example, terminal makers view the offering of enhanced security services as a way to create recurring billing with a customer, he adds.
When the United States shifts to EMV smart card and Near Field Communication technology, the merchants will enjoy a liability shift anyway, Moussa suggests. “Expecting someone to offer tokenization and take the hit for any risk involved has a certain level of marketing spin to it,” he adds.
In his most recent research, Moussa says he discovered that processors and acquirers remain focused on equipment sales and signing up more merchants instead of viewing a liability shift as a sales opportunity.
Still, Munshani expects tokenization’s proven security record to stand taller with another processor breach in the background.
Though he is unaware of any instance in which hackers have solved a tokenization system, Munshani says he understands hackers can breach any security system if they spend a lot of time and resources in mounting attacks.
However, the majority of breaches occur with man-in-browser attacks or through Web applications and email, not from sophisticated groups mounting major attacks, he contends.
More often, data breaches result from careless employees leaving password or other important information out in the open, or a person in charge of access to a system getting lazy in monitoring the network, Munshani notes.