ID TECH Partners with Bluefin on PCI-Validated P2PE Solutions
In March 2014, Bluefin Payment Systems became the first North American company to receive Payment Card Industry (PCI) validation for a Point-to-Point Encryption (P2PE) solution.
At the time of Bluefin’s validation, only two other companies in the world – both in Europe –had achieved this hard-won validation.
Bluefin originally began working toward the coveted P2PE validation in mid-2012. As a Participating Organization (PO) of PCI’s Security Standards Council (SSC), the Georgia-based payments company felt it was important to embrace PCI’s newly introduced standard for P2PE.
“We all know that cybercriminals are an inventive group, which is why malware is getting more specific, targeted, and automated,” said Ruston Miles, Bluefin Chief Strategy Officer. “Hackers now use specialized software to spear-phish their way into access to a company’s payment system — and then use all manner of scraping and key-logging software to capture as much payments information as they can.”
According to Miles, merchants and enterprises often take a “defend the data” approach to security, building hardened resources and higher firewalls to keep hackers out. But the entire point of P2PE, adds Ruston, is to devalue cardholder data – at the point of interaction – via encryption, preventing clear-text data from being present in a merchant or enterprise’s system, thereby rendering the data meaningless to hackers.
Bluefin believed that the payment industry needed to move in the direction of “devaluing the data” and that PCI-validated P2PE was the best way to do it.
First Certified P2PE Devices with ID TECH
Every PCI-validated P2PE solution provider must certify any constituent PCI P2PE devices according to exacting PCI standards. A complete solution cannot maintain its PCI P2PE listing without all devices in the solution being successfully “validated.”
Bluefin’s 2014 validation efforts centered on ID TECH’s SecuRED and SREDKey card readers. Within the first several months, Bluefin had its first major P2PE deployment with The Hillman Group, using the SecuRED, a Secure Reading and Exchange of Data (SRED) magnetic stripe reader.
ID TECH’s SecuRED for Retail Environment
Established in 1964, The Hillman Group provides an array of products for commercial and residential uses to over 21,000 businesses including Lowe’s, Home Depot, PetSmart, PETCO, Sears, Ace Hardware, True Value, and Walmart. Hillman is the leader in today’s market for fasteners, keys, letters, numbers, signs (LNS), and engraving.
The Hillman Group selected Bluefin’s solution with ID TECH’s SecuRED for its automated custom engraving kiosk, as a way to reduce the number of applicable PCI DSS requirements for their CDE while safeguarding their brand against the possibility of a costly card data breach. Today, the company has deployed more than 2,000 SecuRED devices in their kiosks.
“A good rule of thumb for businesses is if you don’t need to touch the card, don’t do it,” says Bluefin’s Ruston Miles. “Avoid the hot potato. EMV, P2PE and tokenization are the instantiations of that. P2PE solutions encrypt the data at any point of interaction, and tokenization protects it at every point of storage, which makes it absolutely essential to use in conjunction with other technology.”
Apart from being more secure — which is the primary focus —PCI P2PE payment solutions offer a better return on investment for merchants because over time they drastically reduce the cost of compliance for merchants.
“With P2PE, 90 percent of all the things that merchants are doing to secure themselves under PCI requirements go away, as the scope is reduced. It makes life easier,” Miles points out.
In addition to the SecuRED, Bluefin has deployed more than 11,000 ID TECH SREDKey devices since validation in 2014. The SREDKey (which combines a keypad with a magnetic stripe reader) is an ideal solution for call centers and certain card-present environments – such as medical offices – where EMV is not a necessity.
ID TECH’s SREDKey for Call Centers
In 2016, call center software provider Intelligent Contacts connected to Bluefin’s Decryptx® solution, which enables gateways and software platforms to offer Bluefin’s PCI-validated P2PE solution to customers with no change to their current software integration or payment flow. Intelligent Contacts utilized the SREDKey payment terminal to provide secure card entry via a simple keypad interface.
“Call centers have been taking payments over the phone for decades, but with so many high-profile data breaches and much stricter rules on how credit card information should be handled, the industry was looking for outside help to stay PCI certified,” said Intelligent Contacts CEO Jeff Mains. “Additionally, a call center is only as secure as its least secure computer – keeping every terminal secure enough to withstand a man-in-the-middle attack or even a PCI audit can be an IT nightmare.”
One of Intelligent Contacts’ first clients to adopt the P2PE solution was a major provider of revenue cycle tools and back-office billing support for the healthcare industry. With over 1,000 agents entering credit card data into their computers each day, having to achieve PCI certification each year was a painful process.
The answer was to stop entering credit card data into computers. Instead, each agent was given his or her own P2PE terminal.
“By using PCI-approved devices to take all payments, the company eliminated about 95% of its PCI exposure,” said Mains.
Adding New ID TECH Payment Devices to Other Markets
Bluefin recently added ID TECH’s Spectrum Pro and the Augusta S to its list of certified P2PE devices. The Spectrum Pro, a PCI-PTS 4.x and SRED certified hybrid Magstripe and Smart Card insert reader, is an ideal solution for outdoor self-service environments, thanks to its durability, robustness, and ease of installation.
The Augusta S is a dual mag-stripe and EMV countertop reader, providing for a simple upgrade path to EMV without the overhead and complexities of a full PIN pad solution. Like Spectrum Pro, Augusta S is SRED certified, combining fulltime encryption with sophisticated anti-tamper features.
ID TECH is actively working with Bluefin and a 3rd party to provide the Spectrum Pro to the fleet fueling market. A P2PE validated solution with the fueling industry is pivotal to reduce fraud at the pump.
“ID TECH recognizes that the unattended space holds a lot of opportunities for our line of P2PE-certified EMV products. Our long-time partnership with Bluefin has allowed us to grow our company and brand in this competitive market, and we are looking forward to achieving the same success in unattended payments and beyond”, said Justin Ning, VP of Product Management and Marketing at ID TECH. “Currently, we are working with a well-known source in the financial industry to implement the Spectrum Pro at gas pumps, where security and durability are paramount. We are very excited about this new project and its potential for growth!”
For over 30 years, ID TECH has been the industry leader in delivering secure payment solutions. For more information about ID TECH, please visit www.idtechproducts.com.