With restaurants accounting for nearly 35% of Heartland Payment Systems Inc.’s merchant base, the payment processor thought it appropriate to introduce its advanced payment-encryption technology this week at the National Restaurant Association’s show in Chicago.
After more than two years of development, the E3-branded technology encrypts transaction information from the time a payment card is swiped until the data reach Heartland’s processing network. The technology also eliminates the possibility of merchants retaining sensitive cardholder data because the information is encrypted at the point of sale, the Princeton, N.J.-based processor says.
The technology requires a Heartland-developed terminal or a card reader that merchants may attach to their existing POS systems. The terminal could sell for as low as $300 and the reader for as low as $75, Steve Elefant, Heartland chief information officer, tells ISO&Agent Weekly.
Merchants will not pay additional monthly or per-transaction fees for the service, Elefant says. Merchants also will see no changes in processing times, which range from three to five seconds for terminals using a broadband connection, he says, noting E3’s goal is to get merchants out of the business of protecting stored card data.
The E3 service should make it simpler for smaller merchants–the payment processor says it had 173,400 active small and midsize merchants as of Dec. 31–to comply and stay compliant with the Payment Card Industry data-security standards, says George Peabody, director of the emerging technologies advisory service at Mercator Advisory Group Inc., a Maynard, Mass.-based consultancy Peabody says. The absence of sensitive cardholder data often simplifies merchants’ ability to respond to PCI self-assessment questionnaires.
Merchants also face less risk because the E3 system prevents them from storing card data onsite, Elefant says. Instead, Heartland stored the encrypted information.
Heartland’s own data breach led the processor to seek better encryption of payments data. It also prompted others to offer similarly advanced security services to merchants.
For example, VeriFone Systems Inc., a San Jose, Calif.-based POS-device maker, uses advanced encryption in its VeriShield Protect services.
Heartland and VeriFone had been working on Heartland’s self-branded E3 terminal, but the relationship soured and two companies eventually sued each other over per-transaction fees Heartland says VeriFone allegedly wanted to assess. Heartland subsequently formed a partnership with Uniform Industrial Corp., a Taiwan-based POS-device maker that manufactures the E3 terminal, Peabody says.
Peabody is not concerned about the absence of a single industry encryption standard.
“Any movement toward a standard will take years,” he says. “Standards development is about competing interests trying to find a common way, and that takes time.”
All of these differing security choices coming to market are not impediments, especially for the smallest merchants, which do not have to contend with integrating thousands of locations as larger retailers do, Peabody says.
The E3 system is available now for any merchant, says Heartland, which will reimburse a merchant’s breach-related fines if the device fails to prevent an unauthorized decryption of cardholder data.
From the May 27, 2010, issue of ISO&Agent Weekly.