Avoid Network Security Nightmares

This is the second of two installments in a series of articles that discusses the advantages of e-commerce integration. The first installment emphasized that an online presence for one’s distribution business is a necessity. This piece focuses on the need for distributors to understand the security vulnerabilities involved with e-commerce and the solutions available to deal with them.

by Larry Wine, President and CEO, Paymetric Inc.

As addressed in our last post re: e-commerce integration, let’s assume that your manufacturing company has now successfully opened a Web store, put your catalog online and integrated the whole system effectively into your ERP.  Now what?  Can you sit back and watch the sales roll in? No. There’s still one major issue to address . . . and it’s one that could bring a company to its knees: security.

The reality is many companies don’t truly understand the security vulnerabilities that electronic payments present… nor do they understand the various solutions available to them. They may think they are secure, but in fact are at great risk.

Online payment security is more important than ever. However, wholesalers generally aren’t doing enough to protect themselves and their customers.  According to Databreaches.net, 2009 was the year of the “Mega Data Breach.” The number of personal records that were exposed -- data including credit card information tied to an individual -- that hackers got access to skyrocketed to 220 million records in 2009, compared with 35 million in 2008.

To combat this trend, the Payment Card Industry Security Standards Council (PCI SSC) has tightened compliance requirements, initially with their Data Security Standards (PCI DSS). As a response, the industry has been flooded with solutions claiming to provide heightened security for a merchant's data. Undoubtedly, and often blindly, merchants invest in these offerings out of fear, uncertainty, and doubt. What needs to be better understood is that most of these solutions are not bullet-proof.

First, a company must make sure they truly understand the security vulnerabilities that electronic payments present when integrating a new e-commerce system into the ERP. A manufacturer may think the company is secure when they install today’s encryption technologies, for example, but in fact are at great risk for a breach or an audit resulting in hefty fines. Unfortunately, most find out the hard way.

What can help? In my view, tokenization is the answer. Tokenization is a technology that leapfrogs the better-known, traditional encryption. Sensitive data is removed from enterprise systems and, as an added bonus, the technology is complimentary to legacy enterprise systems.

According to the recent Gartner Group report, “Using Tokenization to Reduce PCI compliance Requirements,” “enterprises that have successfully implemented tokenization … have  reduced the scope of …costly PCI compliance audits while keeping sensitive cardholder data more contained and secure.”

Drilling down, tokenization affords companies the opportunity to eliminate the storage of sensitive cardholder information. This cutting-edge technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP, or POS, and replacing it with a surrogate number known as a “token”, a unique ID created to replace the actual data associated with a specific card number. Put more simply, tokenization is different from any other security solution dealing with PCI issues because it’s “waterproof” vs. “water resistant” (encryption). 

Tokenization offers the following two key benefits:

  1. Delivered via a Software as a Service (SaaS) model which ensures no customer card data resides within company systems
  2. cost effectiveness and savings

With a tokenization solution outsourced via a SaaS model and a reputable vendor, cardholder data never resides in the merchant’s environment. The premise and theory behind encryption remains true – protect sensitive data with complex encryption algorithms wherever sensitive data is stored.  Tokenization takes the same principle to a new level: protect sensitive cardholder data by removing it from merchant systems entirely. Quite simply, merchants do not need to encrypt what they do not store.  Let someone else shoulder the information.

Tokenization offers great cost savings, too. According to Gartner Group, a company with 100,000 customer accounts spends $6 per account to roll out encryption appliances. A separate encryption solution is required for each place where credit card data is stored. In a large enterprise there can easily be 10 or 20 systems. Do the math -- that could add up fast.

In contrast, by transferring all card holder data out of your systems, a company eliminates capital expenditures. It’s a simple premise: the less data there is onsite the less it costs to keep it secure. This will also reduce the complexity of a company’s PCI audit. Because the merchant no longer stores cardholder data, they will greatly reduce the number of questions needed to answer on the audit.

All in all, tokenization greatly reduces risk of breach, operational expenses and bad PR – all of which ultimately saves money.

In conclusion, if a company carries confidential cardholder data, we strongly recommend getting it out of the system and onto a reputable vendor’s. To choose a vendor, make sure they have expertise and execution experience. Tokenization vendors must be thoroughly vetted, since they will become mission critical business partners. There is no doubt there is a solution for every company.  But you must pick the right partner that can fulfill all the company’s requirements while understanding its level of size and complexity.

With an eye towards the future, Paymetric’s Data Intercept Solutions for XiSecure On-Demand takes tokenization to the next level by ensuring that sensitive cardholder data never enters the enterprise payment acceptance system. Sensitive information is intercepted and tokenized at the the time of sale. The secure token then routes back to the merchant for authorization and settlement. Data Intercept Solutions, using tokenization, offer the ultimate breach protection, while dramatically reducing the cost and effort to achieve PCI compliance. And the process is entirely transparent to the customer.

Tokenization is the answer to security, cost savings, and general peace of mind. . . just be sure to ask the right questions.

Larry Wine is the president and CEO of Paymetric Inc, a provider of integrated and secure electronic payment acceptance solutions. Wine is also an electronic payments industry subject matter expert with more than 20 years of top-level, global executive leadership experience.