September 1, 2010, 12:00 AM

Shifting Sands

(Page 2 of 2)

Now, though, the company outsources the work to its web hosting service. "Having access to people and resources means I don't necessarily have to take on the burden of learning the rules firsthand," says Stanke, who oversees a software development team of eight. "The standard can be difficult to penetrate." sells a ticket processing service called OvationTix, used by several hundred concert halls, festivals, theaters and sports arenas. Those clients integrate OvationTix into their web sites, facilitating a connection between the ticket sellers and TheaterMania's system. The vast majority of transactions are completed with credit cards, Stanke says.

TheaterMania has engaged NeoSpire Inc., a web hosting service, to handle back-office tasks such as log file aggregation—separating data so that a compromise of one part of the server does not expose other data—and egress filtering—a way of protecting information leaving the server, says Stanke. "I want my team focusing on developing applications that users are going to see," he says. He declines to say how much the outsourcing costs.

Industry experts say that as the newest changes to PCI approach, more retailers are taking a path similar to TheaterMania's and appear eager to explore new technologies. "Everyone wants the magic bullet," says Jennie Verduzco, director of compliance and chargebacks for Litle & Co., a processor that specializes in serving online and catalog merchants.

One method that has gained attention is end-to-end encryption, which means encrypting card data from the time a card transaction is captured, through processing, and as long as it's necessary to keep cardholder data on hand. The PCI Council this fall also plans to issue non-binding guidelines for that technology.

But there's a danger that data encrypted today might be easy for criminals to crack in the future as computer technology becomes more powerful, says Robert Vamosi, a Javelin analyst who wrote a recent report about payment security technologies.

Tokenization, meanwhile, holds more promise, some observers say, because even cracking a token would not yield a card number. "The token is not mathematically related to the underlying card number, so the criminal has no way to derive the original card number," Vamosi says. "Typically, the token solution provider returns a randomized token to the merchant post-authorization, which can then be stored for indexing and reference."

Tokenization appeals to retailers because it means they need not retain cardholder data, says one online retailer who did not want his name used for fear of divulging his security methods. "We don't actually have to handle cardholder data from our web-based orders, just tokens that work the same way as the card itself," he says. "The reason we outsourced is because we didn't want to touch the data and we wanted to reduce scope."

But there are drawbacks. The lack of a standard means that if, say, two companies merge, or a retailer changes payment processors, there is the risk that different tokenization systems will be incompatible, which means retailers would have to pay to translate the data. Making sure a particular token remains linked to the right card number can be a challenge for large organizations, Gartner's Litan says.

Tokenization recently received a boost from Visa and the National Retail Federation, a retail industry trade association. They agreed that merchants do not have to store cardholders' full 16-digit credit and debit card numbers and encouraged acquirers to offer systems to merchants that replace card numbers with "substitute transaction identifiers," such as tokens.

"Merchants should be encouraged to minimize both the amount of card information they store and the duration they keep it," says David Hogan, the NRF's senior vice president and chief information officer. He adds that the clarification could make it easier and cheaper for merchants to comply with the PCI Data Security Standard. "This will significantly reduce the scope of PCI compliance for merchants," Hogan says.

As PCI keeps changing, retailers will continue to look for ways to keep more data out of their hands, giving a boost to emerging technologies such as tokenization.


Click Here for the Internet Retailer Guide to Payment Security Products & Services

comments powered by Disqus




From The IR Blog


Daniel Markovitz / E-Commerce

Feeding the beast: getting your order to Amazon on time

Amazon is increasingly demanding of the retailers and brands that sell it products.


Lindsay Moore / E-Commerce

Website accessibility: Understanding the ADA for e-commerce

Just since 2015, 300 lawsuits have been filed in or moved to federal courts regarding ...