With the U.S. EMV migration deadline looming and merchants urged to add encryption and tokenization as well, Transaction Network Services sees an opportunity in helping clients manage all of this technology.
Reston, Va.- based TNS and Verifone Systems Inc. are combining data encryption services to provide security from the point of sale through transaction routing. The two companies, which began working together more than six years ago, have solidified their relationship through an agreement to integrate the Managed POS Encryption from TNS with terminal maker Verifone's end-to-end encryption software, VeriShield Protect.
Merchants using TNS' managed service will now have VeriShield built in, said Tiffany Trent-Abram, vice president of global product management for TNS.
Past research has indicated some merchants may put too much emphasis on EMV-chip cards as the only needed security measure, distracting them from the possibility of adding encryption as part of the same upgrade.
Merchants are getting the message that EMV security does not equate to encrypting data as it moves through the network, Trent-Abram said. EMV's primary benefit is preventing the creation of counterfeit cards.
"Most larger merchants understand that, but even in European countries that have had EMV for some time merchants still want to encrypt or tokenize the data," Trent-Abram added.
With the TNS service, a cardholder's data would be encrypted immediately at the point of sale terminal through VeriShield and would remain encrypted until accessed behind the TNS network firewall. As such, encrypted data moves right into the TNS managed service so there is never any exposed cardholder data on the merchant's system.
Security vendors, card networks and the Payment Card Industry security standards council have long recommended that merchants in the U.S. include point-to-point encryption in their networks to complement the migration to EMV chip cards. PCI provides encryption guidelines and lists vendors the organization has validated as following those standards.
Recently, the PCI council clarified its encryption guidelines to allow merchants to use managed services to develop encryption in-house.
"Everyone is trying to find a way to encourage the use of encryption and tokenization, and that's why PCI tried to clarify what it means," said Al Pascual, senior analyst for Javelin Strategy & Research.
"All of the technology providers sense this is a huge opportunity and TNS and Verifone are looking to take advantage of that, as well they should," Pascual added. "Anything that enables encryption and tokenization and manages all of that is a great opportunity for the merchants."
The TNS and Verifone agreement also strengthens data protection if a system is breached through remote access, as has happened in recent merchant data breaches, Pascual said.
"When you encrypt data all the way through the process, there are no [decryption] keys with the merchants anyway, so it dampens some of the issues related to remote access," he added.
TNS can also add tokenization through its managed services, giving merchants an extra layer of security.
End-to-end encryption locks the data in flight and has to be decrypted through a key held only by a security vendor, an acquirer or processor; tokenization replaces the card information with a unique ID, usually a set of characters.
In addition to the security layers, TNS provides connectivity to all of the main acquirers and processors in the industry with a network that operates in 60 countries across the world.
"Ultimately, the goal for TNS, and the reason we entered into encryption and tokenization, is to provide a toolkit for merchants to manage their card risk and eliminate a lot of that risk," Trent-Abram said.
The agreement came on the same day in which the U.S. Secret Service, Financial Services Information Sharing and Analysis Center and the Retail Cyber Intelligence Sharing Center released a document of its security alerts and recommendations for merchants. The document outlines malware threats and reminds merchants to convert their website encryption method from Secure Sockets Layer to a second tier of Transport Layer Security, while also encouraging use of tokenization and encryption for sensitive data.