Merchants need to rethink how they manage credit and debit card data – and realise they can gain better business insights from the information they glean without having to keep card numbers.
These are some of the insights gained from a new security brief issued by RSA, the security division of EMC. The brief details how advanced security technologies can be combined with emerging outsourced services to relieve merchants of the growing burden of storing electronic payment card information and includes advice from experts at RSA, First Data Corporation and Visa.
When it comes to maintaining credit card data, merchants face increasing challenges as IT demands expand, PCI requirements escalate and credit card thieves grow more sophisticated. Within this environment, the new RSA Security Brief introduces a model for outsourcing credit card data security called “secure payment services”.
Secure payment services transfer the safeguarding of card information to outside service providers, improving electronic card data security while reducing the time, complexity and cost of achieving PCI compliance for merchants.
“The benefits of secure payment services can be significant. We believe many merchants will move to an outsourced services model by 2015,” says Karel Rode, principal consultant at RSA Southern Africa. “As the merchant responsibilities associated with storing payment card data continue to increase, these new centralised repositories allow merchants to preserve all the marketing and operational advantages of tracking card information while transferring a large portion of the risk by removing the card numbers from the merchant’s card environment.
“This shift will create a new industry standard for securely processing credit, debit and other payment card transactions.”
The RSA brief outlines how next-generation payment processing services take advantage of end-to-end data encryption and a newer technology called “tokenisation”.
Data encryption obscures card numbers by scrambling them in a reversible format. Tokenisation replaces card numbers altogether with safe proxies that can’t be fraudulently used for purchases, but still allow merchants to track and analyse the customer purchasing behaviours associated with each payment card.
The security brief describes a model for using end-to-end encryption and tokenisation together to render card numbers unusable when intercepted by thieves.
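The tokenisation model described above, as an added sketch that is not taken from the RSA brief: a provider-side vault swaps each card number for a random token, and the merchant keeps only tokens yet can still total spend per card. The `TokenVault` class, the `tok_` prefix and the sample test card numbers are assumptions made for illustration.

```python
import secrets
from collections import defaultdict


class TokenVault:
    """Hypothetical provider-side vault: the only place card numbers exist."""

    def __init__(self):
        self._by_pan = {}    # card number -> token (a real vault encrypts this store)
        self._by_token = {}  # token -> card number

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan not in self._by_pan:
            # Random value: unlike ciphertext, no key turns it back into the card number.
            token = "tok_" + secrets.token_hex(8)
            while token in self._by_token:  # regenerate on the very unlikely collision
                token = "tok_" + secrets.token_hex(8)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        # The same card always maps to the same token, so purchases stay linkable.
        return self._by_pan[pan]

    def detokenise(self, token: str) -> str:
        """Provider-only lookup, e.g. for settlement; never exposed to the merchant."""
        return self._by_token[token]


def merchant_records(vault, sales):
    """What the merchant stores: (token, amount in cents), never the card number."""
    return [(vault.tokenise(pan), cents) for pan, cents in sales]


def spend_per_token(records):
    """Customer analytics computed purely on tokens."""
    totals = defaultdict(int)
    for token, cents in records:
        totals[token] += cents
    return dict(totals)


# Constructed sample data using well-known test card numbers.
SALES = [("4111 1111 1111 1111", 2500), ("5500 0000 0000 0004", 990),
         ("4111111111111111", 1200)]

if __name__ == "__main__":
    records = merchant_records(TokenVault(), SALES)
    print(records, spend_per_token(records))
```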
“Secure payment services based on encryption and tokenisation will radically transform how most merchants handle payment card data,” says Sam Curry, RSA’s chief technologist. “Just as bank accounts insured by the FDIC provided a better way for people to save cash than stashing it inside their mattresses, this new generation of outsourced secure payment card services will provide a way for merchants to track and use payment card data that is vastly superior to keeping actual card numbers within the enterprise.”