All posts by Lauren Richard

Industry Experts Share Best Practices on Enterprise Integrated Payments at Regional Events around the U.S.

Paymetric is excited to announce a series of Regional Events on Enterprise Integrated Payments and the key issues that are top of mind for IT, Security and Finance leaders. The most recent event was held in Boston at the Harvard Faculty Club. The primary focus was how companies achieve efficiencies by lowering payment processing costs while improving customer service throughout the order-to-cash cycle. Other areas covered included best practices for securing cardholder data and how that reduces PCI DSS scope, resulting in savings. It was an excellent turnout, with over 40 professionals in attendance.

Local Paymetric customer Boston Scientific shared how it was able to fully integrate and secure its electronic payment process with Paymetric’s integrated payment, cloud-based processing and tokenization for its SAP and enterprise systems. Boston Scientific touched on the positive business impacts, including how it streamlined the order-to-cash process, reduced payment card processing costs and made PCI DSS compliance more efficient.

On February 23, 2017, Paymetric will be heading to Dallas for its next Regional Event at Topgolf with guest speakers from the City of Dallas and Dr. Pepper Snapple Group.

A networking lunch and a round of Topgolf will also be provided. Space is limited, so register here to reserve your spot today.

 

To learn about other Paymetric Regional Events in your area or other activities for Paymetric visit our events page. Or feel free to schedule a meeting today at 1-855-476-0134.

       

5 Important Facts About Tokenization

And how to know which approach is right for you

With the rising rates of credit card fraud and cybercrimes, many companies are trying to increase the security of payments. A growing solution to increase payment security is tokenization. Here are five key things you should know about tokenization:

  1. Why Tokenization? Tokenization reduces both risk and cost. According to the Ponemon Institute, a merchant has roughly a 20% chance of experiencing a data breach within the next two years. Merchants must follow PCI DSS to protect cardholder data, and tokenization shrinks the work that involves: when the tokens are issued by a PCI DSS-validated service provider that holds the card numbers, the merchant’s own systems store no cardholder data and fall out of scope for the requirements that govern it.
  2. How does it work? Tokenization replaces every credit card number stored in enterprise systems with a randomly generated surrogate value, the token. A token has no mathematical relationship to the card number it stands for, so it cannot be reversed without access to the vault that maps tokens back to cards, and on its own it is of no value to an attacker. When an attacker breaches a payment database that holds only tokens, the merchant’s and its customers’ card data remains secure.
  3. Which type of Tokenization is right for me? There are three types of tokenization: On-premise, Hosted and Cloud. To determine which type is right for you, consider your location, costs, PCI DSS audit scope responsibility, scalability, redundancy measures, backup and recovery methods.
  4. Other selection considerations? Select a solution with an eye to the future.
  • Choose a processor-agnostic tokenization solution to manage future growth
  • Select multi-use instead of single-use tokenization which enables more streamlined reporting and easier customer service
  • Use the same form of tokenization in both QA and production
  • Choose a vendor offering proprietary tokenization technology
  5. How do I make the most of tokenization? Cover all your bases in the solution design phase.
  • Identify risk workflows
  • Convert sensitive raw or encrypted data to tokens and then purge the original data to reduce risk
  • Block your users from viewing de-tokenized card numbers
  • Train your representatives to not enter raw card numbers in text fields
  • Prevent the storage of CVV values
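As an added worked example of points 2, 4 and 5 above (this is illustrative code, not Paymetric’s product; the vault, the role names and the record fields are hypothetical), here is a minimal multi-use token vault in Python. Tokens are random and carry only the last four digits; the same card always gets the same token so reports can be joined on it; de-tokenization is limited to the gateway role and everyone else sees a masked value; free-text fields are scanned for Luhn-valid card numbers a representative may have typed in; and a record carrying CVV or track data is refused outright. The card numbers are the brands’ published test numbers, constructed for the example.

```python
import re
import secrets

# Constructed sample data for this example: well-known brand test numbers,
# not real accounts.
TEST_PAN_VISA = "4111 1111 1111 1111"
TEST_PAN_MC = "5555555555554444"

# "Sensitive authentication data" under PCI DSS: never persisted after
# authorization, encrypted or not.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin"}

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits (so phone numbers and order IDs are not picked up).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical multi-use token vault. The same PAN always maps to the
    same token, so orders, refunds and reports can be joined on the token
    without the PAN ever leaving the vault."""

    PAN_RE = re.compile(r"^\d{13,19}$")

    def __init__(self):
        self._pan_to_token = {}
        # In a real deployment this mapping lives encrypted, off-site.
        self._token_to_pan = {}

    @staticmethod
    def normalize(pan: str) -> str:
        return re.sub(r"[ -]", "", pan)

    def tokenize(self, pan: str) -> str:
        pan = self.normalize(pan)
        if not self.PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # multi-use: stable per card
            return self._pan_to_token[pan]
        while True:
            # Random, not derived from the PAN: nothing to invert or brute-force.
            # The last four digits stay visible for customer-service lookups.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the gateway integration that talks to the processor may
        recover a PAN; every other caller gets the masked form."""
        pan = self._token_to_pan[token]
        if role == "payment_gateway":
            return pan
        return "*" * (len(pan) - 4) + pan[-4:]


def find_pans_in_text(text: str) -> list:
    """Luhn-valid card numbers typed into free-text fields (order notes, CRM
    comments): the raw PANs representatives are trained not to enter."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = TokenVault.normalize(m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_text(text: str, vault: TokenVault) -> str:
    """Swap any raw PAN in a note for its token before the note is stored."""
    def repl(m):
        digits = TokenVault.normalize(m.group())
        return vault.tokenize(digits) if luhn_valid(digits) else m.group()
    return CANDIDATE_RE.sub(repl, text)


def store_order(vault: TokenVault, order: dict) -> dict:
    """Build the record that may be persisted in the ERP/CRM: PAN swapped for
    a token, notes redacted, CVV/track data refused rather than stripped."""
    if FORBIDDEN_FIELDS & {k.lower() for k in order}:
        raise ValueError("sensitive authentication data must not be persisted")
    record = dict(order)
    record["card_token"] = vault.tokenize(record.pop("pan"))
    if "notes" in record:
        record["notes"] = redact_text(record["notes"], vault)
    return record
```

The CVV check raises instead of silently dropping the field: a silently stripped CVV hides the fact that some upstream form is still collecting it into a record destined for storage, which is the process defect you want surfaced.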

 

By deploying tokenization, you can minimize the risk of a data breach and minimize the scope of a PCI audit. To learn more, read Paymetric’s eBook on the benefits of tokenization.

Paymetric Featured in Market Guide for Digital Payment Gateways & Payment Providers

Published: 21 July 2016 by Analyst Penny Gillespie

For IT leaders supporting digital commerce payments, Gartner analyst Penny Gillespie published a Market Guide, Digital Payment Gateways and Payment Service Providers, that features Paymetric. The Market Guide explains the key market components and industry direction and includes vendor profiles, Paymetric’s among them. Below are highlights from the report.

Key Finding Highlights:

  • While payment routing and processing is a mature technology, it is also a critical component of digital commerce. Clients are expressing a renewed interest in these technologies, primarily due to geographic expansion and the need to support new payment types.
  • Payments are complex due to the numerous vendors and the differing roles they play; for example, gateways, processors, payment service providers (PSPs), acquiring banks and issuing banks. The technologies that support them (switching, routing, authorization, authentication, settlement, fraud and reconciliation) are also complicated and intricately woven. Clients struggle with both the complexity of payments and the nuances among the various vendors while simultaneously trying to reduce payment risk.

Market Recommendation Highlights:

  • Work with constituents across the company to identify the anticipated payment volume for a three- to five-year period, and the channels, geographies and payment types that must be supported when starting this analysis. Treasury requirements for operations and settlement should also be taken into consideration.
  • Consider vendor consolidation to simplify operations and to reduce costs, as payment transaction costs are typically based on transaction volume. For example, many processors offer gateway functionality. Vendors offering gateway functionality are starting to support POS and vice versa. Coupling vendor functionality can reduce cost while also streamlining operations across channels as long as all the desired payment types are supported, which may or may not be the case.

Video: Lenovo Interview

Video: Global Businesses are Facing Challenges Everyday

For more information or questions on how to navigate the complexities of the payment landscape, contact Paymetric at 1-855-476-0134 or reach out via email to pmmarketing@paymetric.com

For a complete Market Guide for Digital Payment Gateways & Payment Providers click here or go to www.gartner.com. 

Paymetric Customers Share Success Stories at Local ASUG Chapter Events

Paymetric sponsored the local ASUG chapter events over the summer working with customers on delivering lessons learned and best practices.

In New York City, Sotheby’s, one of the world’s largest publicly traded auctioneers of fine arts, shared how with Paymetric they were able to integrate payment processing through one platform while cutting costs and improving their customer experience. They also explained the benefits of tokenization and discussed how their PCI compliance has been simplified. Listen to webcast.

Carestream, a health imaging and information technology solutions company, shared their journey and successes with Paymetric in Buffalo, New York at the Upstate New York chapter event. With the help of Paymetric, Carestream was able to streamline their order to cash process resulting in faster and easier collections. They also discussed how they were able to minimize their PCI audit scope and save on Level II/III data interchange fees. Listen to webcast.

 

To see other events Paymetric is attending, visit our events page.

Gartner Market Guide: Tokenization of Payment Card Data Features Paymetric

Published: December 2015

Gartner Analyst(s): Jonathan Care, Rajpreet Kaur

Tokenization of sensitive data is a key component in ensuring payment system security. The guide is a resource to assist companies in choosing the most appropriate solution for their tokenization projects.

Gartner Recommendations:

  • Use tokenization to eliminate stored CHD from within the enterprise, thus reducing compliance overhead and bringing the impact of a data breach within risk tolerances.
  • Where technical requirements permit, use off-premises tokenization to eliminate the requirement to maintain a repository of CHD within the enterprise.
  • Ensure that all third-party service providers handling CHD (including tokenization) comply with the requirement to formally acknowledge responsibility for the security of the CHD in their possession.

Paymetric is recommended in the Gartner guide as follows:

Paymetric specializes in processing payments made through ERP systems, such as SAP and Oracle. In addition, Paymetric integrates with Salesforce, Magento, JDA, Demandware, JD Edwards, Infor, ColdFusion and Visa STP. Its off-premises service tokenizes sensitive data, including PII and CHD, and uses data vaulting to securely store sensitive data. Tokens are decoupled, allowing authorization without a specific call. Paymetric has strategic partnerships with several major payment processors and provides key management outside the enterprise.

Contact Paymetric for more information, toll-free at 1-855-476-0134 or 678-242-5281, or at info@paymetric.com

Click here for the complete Gartner report.

 

5 Steps to Reduce PCI DSS Scope

Because the scope of PCI DSS requirements can be so large and complicated, companies are constantly searching for ways to reduce it, and where possible to eliminate it. Below are five ways businesses can potentially reduce the size of their PCI DSS scope.

  1. Consolidation: Identifying and eliminating redundant data sets and consolidating applications and information storage reduces the number of systems that touch cardholder data, and so the number of systems in scope.
  2. Centralization: Encrypted cardholder data is stored in one hardened on-site central data vault, and the card numbers in every other application or database are replaced with tokens. Because cardholder data is stored in only one place, the systems that hold tokens fall out of scope and the vault becomes the focus of the assessment.
  3. End-To-End Encryption (E2EE) or Point-To-Point Encryption (P2PE): Card data is encrypted inside the terminal at the first swipe or dip at the point of sale (POS) and stays encrypted in transit all the way to the payment processor, so the POS network and the systems in between never see a clear-text card number and drop out of scope. A P2PE solution validated and listed by the PCI Security Standards Council also qualifies the merchant for a much shorter self-assessment questionnaire (SAQ P2PE).
  4. Outsourcing: Outsourcing all or some of your payment card processing to a PCI DSS-compliant service provider can reduce PCI scope. This is especially relevant to companies conducting eCommerce transactions only. The merchant remains responsible for confirming the provider’s compliance and for the systems that hand off to it.
  5. Tokenization: Card numbers, and other sensitive data such as social security numbers, are stored in an off-site hardened data vault operated by the provider, and every database and application in the enterprise holds only tokens. Not storing cardholder data anywhere in your own systems greatly simplifies PCI DSS Requirement 3 (protect stored cardholder data).

These five steps can simplify PCI compliance for POS-centric and card-not-present (CNP) environments, but the right method for your company depends on the level of risk reduction you want. For example, the first two techniques minimize the scope of PCI DSS Requirement 3 but do not eliminate it: card numbers are still stored on-site, and an attacker who obtains the encryption keys, or access to the vault’s decryption interface, has access to all of them.

The next layer of protection is a third-party tokenization solution. Tokenization lets a business eliminate the storage and/or transmission of cardholder data in its own enterprise systems and applications. According to Verizon Business’s PCI compliance report, implementing tokenization can make reaching compliance much easier than replacing an existing application with a PA-DSS-validated one.

If you are searching for the complete package, a combination of third-party tokenization and a point-to-point encryption (P2PE) solution will get you closest to eliminating your PCI scope, depending on your current payments landscape. P2PE encrypts the card number in the payment terminal before it reaches your network or PCs, and the processor returns only a token for your systems to store, so the network and workstations in between never handle a clear-text card number and can be removed from scope.

If you have questions regarding PCI DSS Compliance or Tokenization solutions, please contact us to schedule a time to speak with one of our Payments Industry Experts.

 

 

Data Breaches: What would one cost your company?

This is the hot question these days, with various entities citing different studies and formulas. While there is no 100% accurate way to calculate the hypothetical cost of a data breach to your organization, we’d like to explore the contributing factors and options you have to safeguard yourself.

For example, a major retailer was breached in 2013, exposing 40 million payment cards and personal information on 70 million customers. The price tag on that breach is $252 million and counting. (Class Action Litigation, Feb.26, 2015.)

Let’s break down these costs. The breached company must address:

  • Auditing: Bring in a forensic auditor to determine how their systems were breached
  • Remediation: Remediate the security breach with hardware, software, monitoring solutions and consulting
  • Credit Monitoring: Provide credit monitoring for 6-12 months for every individual whose records were exposed
  • Insurance Deductible: Pay the insurance deductible even if they are insured for breaches
  • Litigation: Deal with class action suits from consumers, suits from issuing banks to recover losses and shareholder class action suits

While these costs are obviously severe, the breach also inflicted immeasurable damage to the company’s customer loyalty and brand reputation. The Ponemon Institute put the average total cost of a data breach at $3.5 million, up 15% from the previous year, suggesting it is becoming increasingly difficult for an organization to recover from such an incident.

The 2015 Data Breach Investigations Report published by Verizon forecasts the average loss for a breach of 1,000 records at between $52,000 and $87,000. Compare that with a breach affecting 10 million records, where the average loss is forecast to be between $2.1 million and $5.2 million.

I urge organizations not to be complacent by harboring the “It won’t happen to me” mindset. Experts affirm companies have a 1 in 5 chance of falling victim to a data breach. Before this happens to your enterprise, adopt a defensive strategy and protect your data and processes from malicious attacks. Read about our solutions here.

7 Ways to Prevent Fraud and Identity Theft

According to the Federal Trade Commission, 9 million Americans suffer identity theft annually. We’ve compiled a brief list of safeguards that we welcome you to share with your clients.

Identity theft occurs when someone steals your personal information and uses it to commit fraud, whether by using your credit card, filing fraudulent tax returns or ruining your credit. Perhaps the worst part about identity theft is that it can plague you for years, as criminals can keep exploiting the same information. A credit card number can be replaced easily; your social security number, date of birth and medical records cannot.

How do you defend yourself from identity theft?

  1. Pay for online purchases with a credit card. A disputed credit card charge is money you have not yet paid, and issuers almost always side with the consumer and reverse it. With a debit card the money leaves your account immediately and you wait for the bank to restore it. (The same applies to physically stolen cards.)
  2. Sign out and clear saved logins and passwords on shared machines, and never save these credentials on a public computer.
  3. Monitor your bank statements. If you don’t recognize a purchase, if it looks suspicious or if it occurred somewhere you weren’t, call your bank.
  4. Monitor your credit report. You are legally entitled to a free report every year from each of the three bureaus (Equifax, Experian, and TransUnion)
  5. Shred sensitive documents.
  6. Fraud alerts and credit freezes. These are two measures you can take yourself, or you can pay a company to do it for you.
  7. If you’ve detected fraudulent activity, notify the financial institution where it occurred, so they can freeze your account. You might also need to contact the FTC and local police department.

The Value of Protected Health Information (PHI)

In our last blog, we discussed the importance of personally identifiable information (PII). This week our focus is PHI, or protected health information. PHI includes patient names, medical records, addresses, social security numbers and email addresses. While PHI is protected by the HIPAA and HITECH Acts, breaches still occur. One such occurrence is the recent Anthem breach, which exposed 80 million client records. Anthem is the largest for-profit managed health care company in the Blue Cross and Blue Shield Association.

People who had previously been insured with Blue Cross decades ago received letters warning them their sensitive data had been exposed. Since then, stolen identities and fraudulently filed tax returns have been linked to this breach.

Due to the sensitive nature of medical records, breaches could diminish trust in doctor/patient confidentiality. Some speculate patients could withhold health concerns or conditions for fear of the information going public. Anthem, and other breached companies, are now tasked with repairing brand damage and winning back lost clients.

In the case of a credit card breach, the financial institution can send a new card with different numbers. However, medical records cannot simply be reissued or changed. This is why some consider PHI to be 50 times more valuable to thieves than credit cards.

According to CNBC and Reuters, “Medical identity theft is often not immediately identified by patients or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.”

So how do we adequately safeguard this data from cyber thieves?

Tokenization has become the gold standard for protecting sensitive data. Tokenization takes a real value (SSN, date of birth, etc.) and replaces it with a surrogate value. Because a token is not derived from the original value, it cannot be reverse engineered, and the data itself resides off site entirely, in the provider’s vault. Paymetric’s tokenization solution, XiFlex™ powered by XiSecure™, gives organizations the adaptability necessary to protect any type of sensitive information residing within the enterprise. Read more about our proprietary solutions here.

To learn more about protecting sensitive data, you are welcome to join our upcoming webinars:

Securing Sensitive Data and PII within SAP® – Thursday, April 30th 2:00-3:00pm

Securing Sensitive Data and PII within Oracle®EBS – Tuesday, May 12th 2:00-3:00pm

The Impact of Storing PII (Personally Identifiable Information)

When we talk about PII, we often refer to data including names, social security numbers, dates of birth, email addresses, physical addresses, etc. However, even seemingly innocuous data can be valuable in the wrong hands.

British Airways recently experienced a data breach into their loyalty program. While the information exposed was not directly lucrative, like a credit card or social security number, hackers know many people use the same login credentials across other online mediums. This information has been described as a “golden ticket” to get into other more valuable accounts.

And the power of data doesn’t stop there. According to a study cited by the US Government Accountability Office, 87% of the US population can be uniquely identified using only gender, date of birth and ZIP code, three fields that look harmless on their own. In an age where data can reveal and compromise so much, cyber security is paramount.

So how can businesses safeguard their customers’ private information? An increasingly popular and effective solution is tokenization. Tokenization replaces a sensitive data value with a surrogate value, or token, so the sensitive data is no longer present in the application and is represented only by the token. The original data is encrypted and stored in a secure data vault, which reduces the organization’s liability for protecting the information and the risk that comes with holding it.

XiSecure® for Sensitive Data utilizes Paymetric’s XiFlex™ format-preserving tokenization technology, giving organizations the adaptability needed to protect multiple types of sensitive information. XiSecure maintains the original length and format of the data so organizations can leverage Paymetric’s tokenization technology to protect any type of sensitive information that resides within their enterprise. The original data is stored in Paymetric’s off-site, highly secure data vault.
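To make the “original length and format” property concrete, here is an added illustration in Python that is not XiSecure or XiFlex code and makes no claim about how they work internally. A format-preserving surrogate generator replaces each digit with a random digit and each letter with a random letter of the same case while keeping punctuation, spacing and a chosen tail; the card variant keeps the last four digits but is deliberately made to fail the Luhn check, so a token can never pass for, or be accepted as, a real card number downstream. The column rules and field names are assumptions standing in for whatever validation a legacy ERP or CRM already enforces; the sample record is constructed.

```python
import re
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Mod-10 card check digit, the same test any card validator applies."""
    s = sum((2 * int(c)) // 10 + (2 * int(c)) % 10 if i % 2 else int(c)
            for i, c in enumerate(reversed(digits)))
    return s % 10 == 0


def fp_token(value: str, keep_tail: int = 0) -> str:
    """Format-preserving surrogate: each digit becomes a random digit, each
    letter a random letter of the same case, punctuation and spacing are
    kept, and the last `keep_tail` characters stay as they were. Output is
    random (secrets), not derived from the input, so it cannot be reversed."""
    cut = len(value) - keep_tail
    head, tail = value[:cut], value[cut:]
    out = []
    for ch in head:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out) + tail


def pan_token(pan: str) -> str:
    """Card surrogate that keeps length and last four but always FAILS the
    Luhn check, so a token can never be mistaken for a real card number."""
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
        raise ValueError("not a well-formed PAN")
    while True:  # roughly nine in ten random candidates already fail Luhn
        token = fp_token(digits, keep_tail=4)
        if token != digits and not luhn_valid(token):
            return token


# Hypothetical column rules an ERP or CRM might already enforce; a surrogate
# that satisfies the same rule drops in without schema or application changes.
COLUMN_RULES = {
    "pan": re.compile(r"^\d{13,19}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[A-Za-z0-9._]+@[A-Za-z0-9.]+$"),
}


def tokenize_record(record: dict) -> dict:
    """Replace each sensitive column with a surrogate and prove it still
    satisfies that column's rule; non-sensitive columns pass through."""
    out = {}
    for col, value in record.items():
        if col == "pan":
            token = pan_token(value)
        elif col == "ssn":
            token = fp_token(value, keep_tail=4)
        elif col == "email":
            token = fp_token(value)
        else:
            out[col] = value
            continue
        if not COLUMN_RULES[col].match(token):
            raise RuntimeError(f"surrogate for {col} violates column rule")
        out[col] = token
    return out
```

The trade-off to keep in mind: the more of the original you preserve (last four, a BIN, the SSN tail), the less random the surrogate is, and a vault must still map each surrogate to exactly one original, so the real service has to check for collisions at issue time just as the loop in pan_token checks for a Luhn-valid candidate.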

Now your organization can employ a tokenization strategy without changes to existing IT infrastructure and without added costs for modifications. Learn more about Paymetric’s proprietary solution here.

To learn more about protecting PII, you can watch either (or both) of our webcasts:

The New Data Breach: Critical Factors to Consider for Securing PII and Sensitive Data within your SAP® environment

The New Data Breach: Critical Factors to Consider for Securing PII and Sensitive Data within Oracle® EBS