What Makes A Successful P2PE Solution?


The following is a transcript of the episode between Scott Henry, Vice President of Product Management at Elavon and Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Could you give us a brief description of the company and your role for our listeners who might not be as familiar?

Scott Henry, Vice President of Product Management at Elavon

It would be my pleasure. Elavon is a global payments company. We are a subsidiary of U.S. Bank, which happens to be the fifth largest bank in the United States. Elavon provides secure and payment processing solutions and services to more than 1.3 million customers across the United States, Europe, Canada, Mexico, and Puerto Rico. Some of the industries Elavon serves include airlines, hospitality and lodging, healthcare, retail, and public sector and education. Our payment solutions are designed to solve pain points for small to enterprise-sized businesses. I serve as group product lead for Gateway and Payment Security within Elavon, where I manage a team of technical and commercial product managers. This team covers our PCI program, encryption, tokenization solutions, and multi-acquirer payment gateway.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Earlier this year Elavon announced its new point-to-point encryption or P2PE platform. Can you tell us a bit about this initiative?

Scott Henry, Vice President of Product Management at Elavon

Elavon has been a leader in payment security throughout the years by providing customers with a comprehensive security suite including encryption, tokenization, EMV, and PCI services. Perhaps we could have stopped there and we could have serviced our customers appropriately. However, Elavon felt that there was more that we could offer the market to minimize the areas of potential attack for cardholder data and ensure that they had a streamlined effort for PCI compliance. So with that, Elavon embarked on a journey (and certainly that’s what becoming PCI compliant is, a journey) to take our core payment solution, Safe-T Link, and walk it through the compliance process. I’d be lying if I said that this was an easy process. It certainly was a labor-intensive process that covered all aspects of our business: people, process, and technology. And it certainly was a lengthy exercise as well.

However, the outcome of the solution, which we refer to as Safe-T Link® with PCI P2PE Protect not only meets the rigorous requirements outlined by the PCI Security Standards Council but also provides our customers with a turnkey easy-to-integrate solution that elevates the level of security and reduces PCI compliance efforts.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Security and data protection are obviously top of mind for all those within the financial industry. One of the data points that Elavon referenced in its recent announcement was that according to the Identity Theft Resource Center last year there were 1,579 data breaches and that’s with nearly 1.8 billion sensitive records exposed. According to IBM and Ponemon Institute’s 2018 Cost of a Data Breach Study, the average cost of a data breach is estimated to be nearly $3.62 million. Clearly there’s a major need for the payments industry to be proactive about protection.

So why is P2PE the answer to this problem?

Scott Henry, Vice President of Product Management at Elavon

Certainly those are staggering numbers. When you think about the payments industry and the industry as a whole in terms of security of sensitive information, those are certainly staggering numbers. I would say that Payment Card Industry (PCI) Qualification Requirements for Payment Card Industry Professionals (PCIP) (the “PCIP Qualification Requirements”) is one of the answers that contributes to a future of reduced fraud, as the PCI PCIP standard is comprehensive in its scope and nature. It covers everything from the security of the payment application, the injection, loading, and deployment of the payment device, the payment device management in the field, encryption of the cardholder data within the secure payment device itself, and decryption of that transaction only once it’s arrived within a secure PCI DSS validated facility. So this coverage dramatically reduces the potential attack vectors within a merchant environment while raising the bar significantly on security. It’s difficult for a criminal element to steal what they can’t find.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Certainly a valid point there. For data security, there’s a slew of different solutions that are provided.

Can you break it down for us? What are the key differentiators in a P2PE solution when comparing it to the other data security-focused solutions?

Scott Henry, Vice President of Product Management at Elavon

First of all, I think that there are some misconceptions out there. I believe from a security technology standpoint you hear the term encryption and then P2PE. Really when we’re looking at a P2PE validated solution, that’s speaking to something very specific and direct. In addition to the depth and breadth that point-to-point solutions provide that we just spoke about, the principal differentiator between PCI P2PE solutions and other security solutions is that they’re independently audited by PCI-approved assessors. This independent review ensures that PCI-listed solutions meet the most rigorous requirements to protect the merchant environment.

It’s important to note that the PCI Security Standards Council (PCI SSC) places a high degree of emphasis on the quality of not only the assessor organizations but the assessors themselves. There must be demonstrated ability on prior PCI DSS assessments and a competence shown in cryptographic techniques, key management, and key lifecycle oversight. Assessor organizations must remain in good standing with the PCI Council and receive continual training. The goal of this oversight is to ensure that a security solution of this magnitude, which has far-reaching impacts, has been reviewed to a satisfactory level and can be viewed as a trusted solution once it’s been audited by the assessor, validated, and listed on the Council’s website.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Let’s look at the other side of things here. Why would anybody be reluctant to adopt a P2PE solution?

Scott Henry, Vice President of Product Management at Elavon

That’s a great question. When it comes to point-to-point encryption solutions, very specific components, application dependencies, and payment devices are identified within the solution. Although the Council has allowed for certain flexibilities in defining the P2PE solutions, some customers may find the solutions to be somewhat restrictive. Honestly that’s by design. The Council wants to ensure that the approved components are being utilized and implemented in the proper manner. This is what makes a successful P2PE solution.

Elavon takes a consultative approach to conversations on point-to-point encryption with our customers, and we walk them through the solution. We outline the various layers and how they contribute to strengthening the level of security. By the end of the conversation, there’s an understanding by the customer of why it’s specifically designed in that manner and how the P2PE solution indeed raises the bar on security.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

I like that consultative approach that you take because not everybody is an expert on all these things, and with the payments industry in particular evolving toward this digital aspect and security being top of mind, it’s very important for people to get a full understanding of what is going on in terms of securing the data that they have. That leads into the next question:

When it comes to end-to-end encryption and tokenization, what are some of the characteristics that our listeners should be looking for?

Scott Henry, Vice President of Product Management at Elavon

It depends on how the solution is implemented. For fully integrated solutions — in other words, where the transaction flows from the payment device back through the point of sale or the PMS, the property management system, to the acquirer, it’s likely important to have the encryption and tokenization solution preserve the format of the data. This can reduce the amount of effort to implement the solution. As far as the Elavon solution that we were referring to earlier, Safe-T Link with P2PE Protect, Elavon chose to implement it in a semi-integrated manner, meaning that the sensitive data is actually encrypted within the device and delivered directly to Elavon, keeping that encrypted data out of the POS or PMS. And once we successfully decrypt it within our environment, we send back a token to the customer. The token we send back happens to be in a format-preserving method, and this ensures that the POS or PMS database can accommodate that token without modification. So I would say that that’s one of the core critical components when they’re looking at any solution. It’s exactly what that’s going to do from an integration standpoint, how it’s going to impact their organization.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Before we wrap things up here, is there anything else that you’d like to add for our listeners?

Scott Henry, Vice President of Product Management at Elavon

Yes, perhaps this is an obvious point, but a point-to-point encryption solution must be supported by the merchant acquirer that the merchant is using for processing. So, although PCI has been the standard for more than five years, there are still relatively few solutions that have been validated and listed on the PCI website. Elavon’s solution is not only supported by our Elavon acquiring platform, but we also connect to several other merchant acquirers through our Fusebox payments gateway. Elavon is committed to providing merchants with the most secure payment solutions regardless of merchant industry. And collectively together as a payments community, we will secure the future.

Ryan McEndarfer, Editor-in-chief at PaymentsJournal.com

Scott, if there’s a place that you’d like to direct people to learn more about the P2P encryption from Elavon, where can they go?

Scott Henry, Vice President of Product Management at Elavon

We have a tremendous amount of information on P2PE and our security solutions at Elavon’s website. That’s www.Elavon.com and you can go there for more information.
