News

First Data pilots first commercial transaction tokenized on STAR ATM, POS network

March 4, 2010

First Data Corp. says it is piloting the First Data TransArmor solution with more than 400 U.S. merchants of mixed sizes to assess the new data security solution over the next four months.

According to a news release from First Data, the TransArmor solution (previously called First Data Secure Transaction Management) was developed in close partnership with EMC Corp. and is designed in a way that has the opportunity to fundamentally change the way merchants secure and manage cardholder data.

The TransArmor solution addresses the root cause of merchant data security issues by removing payment card data from the merchant environment as part of processing the transaction, significantly reducing risk and the scope of PCI compliance efforts.

Deploys RSA SafeProxy architecture

The solution leverages the RSA SafeProxy architecture, a powerful combination of asymmetric encryption, tokenization and key management engineered to provide the benefit of end-to-end protection and eliminate on-site cardholder data storage for merchants. Unique features of the token make it possible for merchants to continue to handle key business functions such as returns, recurring billing, loyalty programs and other analysis, without enabling card data to be used for fraudulent transactions.

On Feb. 26, 2010, the TransArmor solution tokenized the very first commercial transaction over the STAR Network at the Center of Science & Industry in Columbus, Ohio. STAR has more than 2 million retail and ATM locations.

According to First Data, COSI is already experiencing the benefits of the solution.

"Like most consumers today, several of our customers had concerns about the safety of their credit and debit card data while visiting our center. TransArmor gives us peace of mind that their payment card data is locked in a virtual vault at First Data and nowhere on site at COSI," said Brad Morgan, senior IT operations manager at COSI.

Works with existing merchant hardware

The TransArmor solution can be implemented without the need for new hardware or back-end IT operations. The solution works with First Data as well as other terminals or point-of-sale systems and can be applied across brick-and-click environments.

"The response from merchants interested in participating in this trial has been enormous and a testament to the sought-after service TransArmor delivers," said Craig Tieken, vice president of Merchant Product Management at First Data. "Up until now, there have been few easy and cost-effective solutions to the growing problem of managing the risks of handling sensitive payment card data. TransArmor represents a fundamental change in how merchants can confidently protect and manage cardholder data."

First Data says the new, more secure system is expected to reduce merchant losses and costs associated with data breaches.

According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million, with the cost per customer record breached estimated at $204. With the TransArmor solution, customer card information is retained only at the processor and protects merchants from the dangers of malicious attacks designed to steal payment card data in transit or in storage from merchant databases.

Teams from RSA and EMC Consulting worked with First Data through product-strategy development and technology proof-of-concept prior to pilot.

"The RSA/First Data trial is concepted for Level 4 merchants," said Mark Bower, an expert on information protection at Voltage Security, an end-to-end encryption specialist. "It cannot address the complexity or scalability needed by Level 1 merchants, nor can it protect all their business applications. Heartland is leading the end-to-end encryption charge in the payments industry and with its end-to-end solution called â€˜E3.' It's better for the merchant, and is not point-to-point, as competitive offerings are. â€¦ In fact, any solution using traditional encryption will result in increasing operational costs, and over time this is passed on to merchants."

Bower added that innovations in end-to-end encryption and tokenization are, however, addressing the complex needs of Level 1 merchants, and are doing so in a powerful way.

"It can also be very simple for merchants, who can just go through solutions like Heartland E3," he said.

Voltage, which is based in Palo Alto, Calif., is an end-to-end encryption specialist focused on protecting cardholder data throughout the payment lifecycle. Traditional encryption systems have proven difficult to implement, require complex key management and costly and laborious key injection processes, and cause significant disruption to applications and databases. Voltage has developed what it calls "true" end-to-end encryption (not point-to-point), and Voltage's tokenization solutions are based on format-preserving encryption and identity-based encryption. Through FPE and IBE, cardholder data is protected everywhere from the moment it's collected at terminals, POS devices, ECR systems, mobile devices, software e-commerce platforms, and the processors and merchants. And data protection now covers authorization, settlement and post-settlement business processes at merchant and payment processor locations. Voltag'e end-to-end protection is being used by POS device manufacturers including Heartland Payment Systems and Hypercom.