The data security risk that accompanies the growth of electronic commerce can be met by surgical removal of the data itself, Chase Paymentech says.
"Wouldn't it be good if the merchant in a checkout experience could keep his or her hands off of the payment details so they didn't have to worry about security?" says Shane Fitzpatrick, president and managing director of Chase Paymentech Europe, the European arm of JPMorgan Chase's payment processing business.
Chase Paymentech offers a service in Europe called the Dynamic Hosted Payments Page, which allows merchants to submit a digital payment transaction without storing, processing or transmitting cardholder payment data. Shoppers are instead redirected to Chase Paymentech for processing.
"We looked at the challenges around processing payments for merchants regarding the risk of data compromise," Fitzpatrick says. "If you are in the business of selling hotel rooms or downloading digital products, you should be able to do that without the added headache of data protection."
Chase Paymentech Europe is providing security, but also giving merchants the ability to customize their checkout page.
"Merchants want to own the customer experience," Fitzpatrick says. "It's important for them to have control over the dynamics of the page. So they outsource the payment information security and PCI compliance, while the touch and feel of the graphics on the checkout page is in control of the merchant."
There are some security risks to the model, though they exist on the webhost's side more than the merchant side, says Al Pascual, a senior analyst at Javelin Strategy and Research. "If the merchant's web site is not designed securely, the hacker can direct the consumer to a different page to capture the transaction information and additional data," says Pascual.
In the card-not-present environment, Chase Paymentech uses the hosted payments page and tokenization to protect data.
Chase Paymentech is targeting the European market for security outsourcing at a time when large crimes involving payment cards are making headlines. Authorities in the U.S., Vietnam, and the U.K. have made arrests and are pursuing suspects connected to a $200 million card theft ring and Microsoft separately helped shut down the technology used to facilitate $500 million in fraud. These incidents came to light just a few weeks after arrests were made in an unrelated $45 million prepaid card data breach.
In such a risky environment, Chase Paymentech's reputation works to its advantage. "Chase Paymentech is huge, not just online but in the physical world as well. This a brand merchants can trust," Pascual says.
First Data, another large processor, uses what it calls a multi-pay token to shield data. A payment transaction is tokenized when the consumer's personal account number (PAN) is sent to a server and, after authorization, a random token number is generated and returned to the merchant's system for use in place of the PAN.
The token can be used to reference the stored account data for alter transactions.
Many businesses could consider processor-driven data security methods, Pascual says.
"Criminals want card data more than any other type of data," he says. "The crooks have commoditized those card numbers. That is something that should be a top of mind concern for any merchant that is handling payments data, especially now."