Providing security to block cybercriminals determined to steal payment data represents a complex task involving software applications and connections throughout a network.
But data-security services don’t have to represent a complex process for a merchant or health care provider to incorporate and use in a payments network.
Calling Hewlett Packard Co.’s new Secure Payment Services software “a very secure black box,” Mark Boelens, general manager of HP Enterprise Services’ Global Financial Services, says development of the software-as-a-service had to result in a simple process for clients.
The best way for HP to emphasize simplicity for merchants was to create tools in the new service that would keep payment and personal data out of the client payment networks without the client having to do anything differently, he tells PaymentsSource.
In addition, clearing data from the client’s payment network reduces, and simplifies, Payment Card Industry data security standards compliance costs and testing, Boelens adds.
“Secure Payment Services represents a new offering to our clients, but it is also somewhat of an upgrade from what we offered in the past,” Boelens says.
That upgrade comes in the form of tokenization of the payment data eventually sent back to the merchant, while the card data remain stored in an HP data center, Boelens notes. In addition, the upgrade includes creation of a secure payments page for the clients, and connections to any payment processor for data-routing.
“We piloted use of tokenization of data last year with transportation-industry clients and in the mobile-payments space,” Boelens says.
With the March 19 announcement of Secure Payment Services, Palo Alto, Calif.-based HP now offers tokenization as part of the service for large merchants, health care, transportation or government clients who conduct online business, he adds.
Hewlett Packard designed Secure Payment Services to protect data on the payment pages of websites, not for payments accepted at a point-of-sale terminal, Boelens says. However, besides protecting an online merchant, the software also provides tokenization on a website for a department of a health agency using the payment page to accept payments and input personal data from patients, he adds.
Susan Stone, HP solution manager for secure payment services, says the consumer on the merchant-branded Secure Payment Services website payment page would not realize that page operates off an HP server.
“When the consumer is ready to check out on the merchant-payment page, the credit card information is entered onto the Hewlett server,” Stone says.
The HP software sends the data to the proper payment scheme issuer for authorization, she adds. After the issuer authorizes the payment, the data return to HP for tokenization. In turn, HP sends a token back to the merchant for storage while it keeps the card data in one of its three PCI-compliant data centers, Stone says.
In another example of keeping the system simple for clients, Stone says the software creates an interface with any payment processor the client may be using, and it reduces some of the steps in that process. “The merchant does not have to design a new interface,” she adds.
HP intends to sell the service, with pricing based on client transaction volume, through direct sales channels first in North America and eventually in South America, Australia and other parts of the world, Boelens notes.
Boelens believes clients will find Secure Payment Services an easy-to-use, yet powerful, security measure.
“When you provide a token for credit card or personal data, and someone steals it, all they have is a token,” Boelens says. “That is much better than someone stealing your credit card number or your Social Security number, which can take years to fix.”
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, agrees that tokenization represents a reliable data-security measure.
“The token the merchant possesses is just a representation, or a pointer, back to the card data,” McNelley tells PaymentsSource.
Tokenization essentially takes away multiple points of potential data security failure and narrows it down to one potential point of failure at the data-security center, McNelley says.
“But with Hewlett Packard, you have a company that has a very good idea about how to keep data secure,” she adds.
Tokenization also eliminates any concern about a hacker somehow obtaining a “key” to unravel the token process, McNelley suggests. “With ‘end-to-end’ encryption, there is always a concern about the bad guys getting a key to that encryption somewhere along the payment network,” she adds. “That’s not the case with tokenization.”
What do you think about this? Send us your feedback. Click Here.