RBS WorldPay agrees to market VeriFone end-to-end encryption

By Marcia Savage, Features Editor, Information Security 11 Aug 2009 | SearchFinancialSecurity.com

Digg This!     StumbleUpon     Del.icio.us

VeriFone Holdings Inc. has struck a deal with payment processor RBS WorldPay Inc. to promote VeriFone's technology for end-to-end encryption of payment card data.

The agreement, announced Tuesday, comes about eight months after Atlanta-based RBS WorldPay disclosed that personal information of about 1.5 million pre-paid cardholders and other individuals was compromised when its computer system was hacked. The stolen data was used in a highly coordinated ATM scam.

According to San Jose, Calif.-based VeriFone, RBS WorldPay is the first merchant acquirer to endorse a commercial end-to-end encryption solution. Heartland Payment Systems Inc., which reported that it was breached Jan. 20, earlier this year began developing its own encrypted end-to-end terminal product for payment card security. Last week, Heartland Chairman and CEO Robert Carr said the product is being beta tested at 10 merchant locations.

The VeriFone Protect technology uses AES-level encryption to protect card data at the point of card swipe at the point-of-sale device. VeriFone said the product preserves existing card track data formats to work with retailers' existing payment infrastructure.

"RBS WorldPay merchants and prospects are telling us they want to significantly reduce the impact of PCI compliance on their business - and they want a solution their processor endorses," RBS WorldPay President and CEO Ian Stuttard said in a prepared statement.

Diana Kelley, founder and partner at consulting firm SecurityCurve, said she was heartened to see advances in end-to-end encryption.

"Encrypting sensitive card information on swipe and keeping it encrypted through to final target destination is a reliable way to protect data in transit," she said. "Encryption on swipe really should have been supported by POS vendors and financial institutions from the time when POS swipe first came to retail."

This kind of solution helps prevent sniffer attacks like the 2005 breach at payment processor CardSystems Solutions, in which attackers put a tap on the network to steal card numbers, Kelley said. However, while end-to-end encryption raises the bar in payment card security, it's not the end of card protection requirements, she added.

"Depending on architecture and implementation, this would not necessarily prevent 'final destination' attacks on a central database where card numbers are stored. In that scenario, even if the numbers are stored in the database encrypted, an attacker with the right credentials and keys could decrypt the stored data and use the card numbers," Kelley said.

RBS WorldPay is the U.S.-based payment processing division of the Royal Bank of Scotland Group plc. The company did not immediately respond to a request for comment Tuesday.

Tags: Data encryption techniques,  PCI DSS: Audits and requirements,  Data breaches and prevention strategies,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data encryption techniques How to secure data backup Too many encryption methods make secure communications difficult Massachusetts data protection law has mixed impact on financials Download presentations from Financial Information Security Decisions 2009 Data encryption: Pre-implementation best practices Data encryption: Lessons learned from implementation Data encryption: Q&A with Eric Leighninger Community banks to increase security spending, survey finds Lessons learned: The State Street Corp. breach Removable media encryption adds extra layer to laptop security PCI DSS: Audits and requirements Vendor contract management: Regulatory guidance is risk-based Vendor audit and monitoring contractual rights Companies lagging in PA DSS compliance Download presentations from Financial Information Security Decisions 2009 Two conversations about risk assessment Why financials should pay attention to NERC CIP Infosecurity pro pitfalls RBS WorldPay regains spot on Visa's PCI compliance list Tokenization and PCI compliance Heartland breach cost $12.6 million, CEO says Data breaches and prevention strategies Bank computer technician indicted in identity theft scheme Survey: Consumers don't trust banks to keep their data secure ChoicePoint settles with FTC over second data security breach Data breach lawsuit puts spotlight on bank's security measures Google ordered to deactivate Gmail account after bank email error Threat of insider fraud growing with bad economy Data breach protection: Implementing vendor breach safeguards Zeus Trojan hitting banking customers hard TJX settles with banks for $525,000 Programmer accused of stealing proprietary code from financial firm

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CISP-PCI  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary