As Fraudsters Target Hotel and Food Chains, EMV Pressure Mounts

The U.S. migration to EMV chip cards has been rough, according to U.K.-based Creditcall, which hopes its new certification from First Data can smooth things out.

Specifically, Creditcall wants to use its 10-plus years of EMV and data security experience to help the hospitality industry, which hackers are starting to see as an easier target, the company says. The restaurant chain Wendy's is among the most recent to deal with a suspected breach, as fraudulent charges on cards used legitimately at its restaurants began surfacing.

Hotels, restaurants and other hospitality businesses need to support EMV, point-to-point encryption and tokenization to protect against hackers, said Jeremy Gumbley, Creditcall's chief technology and security officer.

Behind First Data's Rapid Connect platform, Creditcall can now pre-certify merchants using Ingenico terminals to introduce and incorporate EMV, encryption and tokenization through its plug-and-play Chip DNA software.

The complexity of the EMV certification process, for which each card brand has different requirements, has created a time-consuming task for processors that were not scaled to handle the workflow, Gumbley said.

"We have a portfolio of five certifications now for a whole line of products with different processes, as there is a lot of complexity out there," Gumbley said.

Any new push for better security in hospitality is welcome news for the payments industry.

"The hospitality industry has been a favorite target of hackers for years," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

Reports from security vendor and researcher Trustwave continue to indicate that the majority of breaches still occur because of basic failures, such as not resetting an administrator password in the point-of-sale software or in remote access to systems, Conroy said.

"A lot of these take place in the hospitality space," she added.

Hotels represent a unique challenge because they keep the guest's card account data in the system for the duration of the stay, then charge the customer at the end of that stay.

Such a practice creates "multiple points of exposure for the unencrypted personal account number," Conroy said.

In its experience, Creditcall has observed large hotel chains or quick-service restaurants operating "with an enormous attack surface area" for hackers, Gumbley said.

"A typical hotel chain that has grown through acquisitions may have as many as seven different brands acquired over several years and all of those systems will require different management infrastructure security," Gumbley said.

This environment results in a "huge sprawling space of devices and POS terminals with different levels of legacy and non-legacy equipment," he added.

That type of challenge is at the core of why Creditcall promotes point-to-point encryption.

"We are big fans of encryption because it very elegantly solves this problem," Gumbley said. "You don't need to rely on an updated POS or a protected back end when you have encryption from the time data leaves a PIN pad and goes through a hotel network securely."

A cryptographic key that even the merchant does not know is the best way to protect data in a system patched together from different platforms, Gumbley added.

As with any merchant or industry sector showing reluctance to take on the EMV upgrade costs or go through the certification process, fraud trends could lead many companies to change their views.

"We’ve also seen hospitality slower to upgrade to EMV, thinking that they are not prime targets for counterfeit cards," Aite's Conroy said. "I think with the first round of chargebacks they’re seeing that, while they’re not prime targets, they’re by no means immune."
