HPE Update Lets Enterprises, Service Providers More Easily Secure Credit Card Transactions End-to-End

HPE is updating its secure payments technologies to help ecommerce service providers and merchants more easily deliver end-to-end security for credit card transactions and sensitive personal data.  IDN speaks with HPE’s Trish Reilly about the on-going issue of keeping transaction data safe.

by Vance McCarthy

Tags: data security, ecommerce, encryption, HPE, payments, PCI, transactions,

Trish Reilly, HPE
Trish Reilly
global product
marketing manager
HPE


"We’re seeing more larger merchants saying they can see a lot of value in having and managing their own [secure payments] solution."

Enterprise Security
Summit
Secure Apps, Data and End Users for the Digital Enterprise
An Online Conference

HPE Security – Data Security is among the first security vendors to update its technologies to help ecommerce service providers and merchants more easily deliver end-to-end security for credit card transactions – and all sensitive personal data that goes with them.

 

In coming months, the PCI Security Standards Council, a major organization responsible for protecting e-commerce, is set to simplify the complex process of getting secure payment solutions validated.  Perhaps even more noteworthy, PCI’s new approach will open new opportunities for merchants and SPs to safely put commerce data to better business use – without jeopardizing any protections of consumers’ individual credit card and PII data.

 

“The PCI Security Standards Council has responded to market concern about the complexity of [the current] P2PE validation by updating the P2PE standard. P2PE version 2 maintains this approach for protecting account data, while providing greater flexibility and more options for merchants and solution providers,” according to a document from PCI.  P2PEv2 “saves. . . time and money on overall compliance efforts without sacrificing the security of customers’ data,” it added.

 

Key Benefits to SPs, Merchants from PCI’s P2PEv2 Update for Secure Payments

With P2PEv2, validating a secure payments solution gets less onerous, and business gains more access to valuable ways to use permissible data.

To be more specific:

Merchants who accept at least 75% of their transactions through a PCI-validated P2PE service may qualify to apply through their acquirer for the Visa TIP program. This allows approved merchants to discontinue their annual assessment process to revalidate PCI DSS compliance.

Merchants and service providers who build and operate their own validated secure payments solution will now be able to directly access a wider range of data to help their business– and still protect an individual’s credit card and PII information.

Some well-known mega-merchants are welcoming the flexibility and control that comes with the P2PEv2 update. “We’re seeing more and more larger merchants saying they can see a lot of value in having and managing their own [secure payments] solution,” Trish Reilly, a global product marketing manager for HPE Security – Data Security told IDN.

 

Reilly shared two big drivers for how P2PEv2 opens new data opportunities for retailers who would traditionally use third-party secure payment providers. “Larger retailers want to deliver better omni-channel experiences and learn how customers interact with their stores. And everyone’s interested in doing more with big data analytics.”

 

HPE SecureData Payments Solution Protects Cardholder Transactions and PII Data End-to-End

The company’s latest update to its HPE SecureData Payments solution is designed with features to help providers and large enterprises/retailers assemble end-to-end secure payment solutions that will meet P2PEv2 validation, Reilly said.  

 

“With P2PEv2, we now have a stronger way to protect payment transactions and PII data all the way through [the end-to-end data flow],” Reilly said. In effect, P2PEv2 sets out how service providers (and merchants) can be sure they are delivering end-to-end security for their customers’ sensitive credit card and PII data. “P2PEv2 guides providers on how to close security gaps. It enables organizations to significantly reduce PCI scope and audit requirements,” Reilly said.

 

“HPE SecureData Payments enables service providers and enterprises to go through P2PEv2 validation This is because we focus on protecting the data end-to-end,” she added.  Such end-to-end protection is a key focus for PCI.  HPE SecureData Payments Host SDK v4.2. also reduces PCI scope and audit requirements for card present transactions, Reilly said.

 

One of the key technologies is HPE’s Format-Preserving Encryption (FPE), which has the ability to “de-identify” data from sensitive PII – including IDs, health information or classified data. The approach secures data end-to-end across the entire payments/transactions flow, Reilly said. “So even if data is stolen or intercepted, it cannot be de-encrypted and is rendered useless,” Reilly added.

 

HPE SecureData’s FPE protects the data end-to-end by de-identifying sensitive information, such as full social security number, while preserving the data’s format. “So, data acts like normal data and lets companies see new patterns without putting sensitive data at risk,” she said.  Data that’s stolen cannot be de-encrypted and a customer’s PII data is kept from being seen even by a company’s authorized users, thanks to FPE’s selective de-identification.

 

HPE’s FPE also has the added benefit of making it easy and safe to use data for business. Given FPE preserves the data format, that means that even when the data is encrypted it can easily be redacted or de-identified by authorized users. Further, because FPE does not need to convert data to long encrypted strings of cloaked data, as occurs with many traditional encryption approaches, systems can work smoother.

 

Here are other takeaways on P2PEv2 (and HPE Security’s implementation to enable P2PEv2-compliant):

Prevention of unauthorized access through Terminal Authentication: P2PEv2 requires entities ensure the decryption request comes from an “authenticated” terminal. HPE Security – Data Security adds the capability for the payment terminals to be authenticated to the backend host by going through an enrollment process in which the terminal and host share a unique key. Each of the stores have a code and the terminals for each store have a unique ID. When traffic comes in from a terminal the backend host knows it is allowed to talk to it because it is an authorized terminal. 

To deliver high-performance, HPE SecureData Payments boost performance with in-memory identity caching and a new performance enhancement for HPE Secure Stateless Tokenization (SST) (benchmarked at 15-25x faster). 

To assure the operation of the security, HPE tests the integrity of the system. If a cryptographic operation fails in a terminal often the operator may not know that a failure has occurred. HPE SecureData performs a host self-test, going through all the cryptographic features. If it gets back an alert the transactions will be stalled.

P2PEv2 Nuts-and-Bolts - How It Brings Flexibility, Simplicity to Securing Payments

With P2PEv2, PCI will list individual components that fulfill specific P2PE requirements. “Having a list of validated components now allows SPs and merchants to create and manage their own P2PE solution,” the PCI document added. (Previously, the PCI Council’s website listed only validated and completely integrated, pre-assembled P2PE solutions and P2PE applications.)

 

With this pre-approved list in hand of validated components, large merchants will, for the first time, be empowered to implement and manage their own compliant P2PE solutions end-to-end – from the retail premises to the backend secure decryption and key management environment, PCI’s document added. 




back