Security Case Study. Experience from Europe s most mature market. Retailers choose Point for increased security

Transcription

1 Security Case Study Retailers choose Point for increased security Experience from Europe s most mature market Meet the company with 800 security staff

2 Security is what Point is all about With its clear ambition to always be at the forefront of innovative and forward-looking technology, Point has established itself as a market leader in the field of security for electronic payments. Large-scale investment in new technology and new solutions is regularly made both front of house and behind the scenes. By taking a structured approach to staff, products and systems, the company has succeeded in establishing a level which guarantees that Point s customers will always have access to the most secure and easyto-use payment solutions on the market. Point was founded in 1987 and from the very beginning has assumed the role of innovator and trend-setter for the rest of the market. Represented in 11 countries, Point is today the leading supplier of electronic payment solutions in Europe. Its focus is on payment services for both small shops and multinational retail chains that require multi-channel payment capabilities and an extensive payment capacity. Outside the retail sector, Point s customers include hotels, restaurants, transportation and e-commerce sites, as well as companies that primarily provides business-tobusiness services. Point is a VeriFone company since January Point always stays one step ahead Despite the constantly increasing cyber threat, Point s data system is one of the most secure on the market today. The company regularly implements new measures to protect against hacking, fraud and various types of misuse. Dimitri Binazzi is the Chief Security Officer at Point and since its foundation in 1987 has been responsible for the company s work on security issues. He confirms that the challenges have altered significantly in recent years. Dimitri Binazzi, Chief Security Officer, Point Just a few years ago, criminals would rob a bank or shop to quickly obtain large sums of money by force. Today, through data hacking and fraud, they obtain smaller sums over a longer period. It s not as quick, but is much more lucrative. And criminals get more and more advanced every day. It is our job here to always stay one step ahead. Extensive efforts are made to ensure that data systems, products and staff are able to handle the risks and threats that are encountered. One of our challenges is to be able to offer our customers a high level of service while at the same time the security of the systems must be faultless, says Dimitri Binazzi. In recent years, we have seen an increase in hacking of various systems around the world, which is something we must try to prevent, even if today s hackers and intruders are incredibly sophisticated. In the unlikely event that they gain access, the aim must be to ensure that their presence is identified and that steps are taken immediately to prevent any negative consequences. Increased protection for Card holder data (CHD) Two examples of the investments made in recent years are the cooperation with the two security companies Tripwire and Verisec. The cooperation with Tripwire was initiated when Point was able to ascertain that far too many organisations are struggling with a serious lack of information about the attacks taking place on their network. It was therefore important to implement tools that are able to prevent and detect unauthorised changes and provide an immediate warning when there is any unexpected activity. Point has now replaced its previous solution with Tripwire Enterprise in order to be able to protect customer information relating to credit cards, for example. The solution covers both card payments and e-commerce. There is of course a difference in security issues for payments at card terminals and the payment procedures for e-commerce, says Dimitri Binazzi. Here we are suddenly exposing CHD to risk in a different way than before. With the help of Tripwire Enterprise, however, we are able to introduce additional checks on systems and people, which is something that gives us a good overview of the changes made in the systems, both authorised and unauthorised, in order to minimise the risk of fraud. Chiave a secure key management system In order to further increase the security of the systems, Point has joined forces with Verisec to develop the Chiave system, which monitors the processes controlling the generation, storage and distribution of cryptographic keys. These keys are used to safeguard the identity of credit card holders, ensure the authority of ATMs and POS terminals and protect the information sent over the payment network, among other things. A secure key management system is vital in creating confidence in electronic payments and the system we have now developed sets a new standard in terms of meeting the security requirements of the industry. Chiave replaces manual processes with automatic ones, which reduces both the risk of human error and the risk of interruptions in the payment network, concludes Dimitri Binazzi. 2

3 Finland s leading retailer chooses Point for increased security Point s innovative capability, combined with extensive investment in security, means that it is constantly gaining new customers. One example was when Finland s leading retailer, the Kesko Group, signed a cooperation agreement with Point in Kesko currently has a total of around 2,000 stores in Finland, Sweden, Norway, Estonia, Latvia, Lithuania, Russia and Belarus. The company sells groceries, building materials and home furnishings, as well as vehicle and home electronics. Benjamin von Nandelstadh, Senior Manager, Infrastructure Services at Kesko. A major challenge for the chain came in 2009 when the requirement to comply with the Payment Card Industry Data Security Standard was raised. At the time, Kesko had several different point of sales systems in its chains and the solution it had been using was not PCI-compliant. Like many other Finnish retailers, Kesko also had payment terminals integrated directly in the point of sale. This made it difficult to update the systems quickly and easily. So Kesko went looking for a supplier that could deliver a PCI-compliant payment solution. A strategic decision was then taken to also look for a solution that could be delivered as a service. After surveying the market, the company identified Point as one of the few suppliers that could deliver what they wanted. Payment as a service with superior service package Keskos arguments for choosing Point was based on the fact that Point were considered to be fast and reliable, delivering a user friendly solution. On top of this they had the right service based offering. When we went through the possible suppliers, we found out that Point was one of the few that was able to deliver payment as a service, explains Benjamin von Nandelstadh, Senior Manager, Infrastructure Services at Kesko. Point had a ready-made solution and was one step ahead of its competition in this respect. The rollout began in autumn 2010 and one year later Point s solution was in all of 3

4 the Kesko Group s Finnish stores. In one year, over 5,000 payment terminals was taken into use. The solution comprises payment terminals and a service package, which among other things includes customer support, replacement service and a reporting system. The reporting system provides each retailer with precise statistics on the sales and transactions in their stores. One advantage is that the reporting system is able to follow our corporate structure. Many of our stores are owned by private retailers, which means that we have to be able to get reports at several different levels, continues Benjamin von Nandelstadh. With this new solution, we are able to provide the retailers with precisely the figures they want, broken down to their store level, while at the same time we are able to provide the more central functions with their summary reports. Another major financial advantage is when we negotiate acquirer agreements, as we are able to get a better price for acquirer services with this new centralized solution. Finally, we can confirm that the new payment solution is safe, easy to use and has gotten a lot of positive feedback from our customers as well as our retailers. The next step for Kesko is to implement the new solution in Kesko s other countries. The aim is to complete the rollout during 2012 so that a PCI-compliant solution can be established in all countries by the end of the year and overall security can be increased at Finland s, and one of the Nordic regions, leading retailers. Payment Card Industry Data Security Standard (PCI DSS) is a data security standard that stipulates how card numbers are handled. This security standard has been developed by American Express, Visa International, MasterCard Worldwide, Discover and JCB International. The purpose of the standard is to ensure that everyone who processes, transports, stores or otherwise handles card information does so in such a way as to prevent unauthorised access to the information. The standard consists of 12 general requirements. Among other things, it specifies how a secure network should be constructed and maintained, how card information should be sent and stored and what security procedures a company should have in place. The leading service centre on the market Alongside central payment gateways and IT systems, products are also a priority area for Point s security work. While the company has seen significant growth, there has also been increased demand for better service and repair of payment card terminals. The equipment suffers wear and requires regular repair or other maintenance. Up to now, each country in the Point Group has managed this individually, but now the Group is taking overall control in order to increase the quality of its services. The requirements from payment card companies for secure processing have increased in recent years and will in all likelihood continue to do so in the future. In order to meet these requirements, Point will centralise its service and repair centres in Sweden, as the Swedish service centre has for a long time been the most advanced in the Group. The service centre has developed a well-structured security process based on many years of experience and on the in-depth knowledge the company has of processes, product security, tools, environments and people. The service and repair centre s processes are also designed and structured in accordance with the latest security standards on the market: PCI DSS, PTS, VISA PIN and NIST. The Swedish service centre also trains all technical staff according to above standards. By making these changes, Point will establish the leading service centre on the market, in terms of performing maintenance work in accordance with the most stringent security requirements. The Point Group s service centre Staff with high level of expertise and payment industry compliance. Processes designed and structured according to security standards such as PCI DSS, PTS, VISA PIN and NIST. Market-leading service organisation with services that meet the most stringent requirements on industrial security from the payment sector. 4

5 Experience from Europe s most mature market A company with 800 security staff Point currently has a presence in 11 European countries and is always scanning the market on the lookout for new experiences and skills in the field of security. With over 20 years experience and several major acquisitions behind it, the Group also has access to an extensive range of skills internally. In 2009, the Group acquired UK payment service provider Commidea, bringing experience from perhaps Europe s most modern market. More recently in January 2012, Point was acquired by VerirFone Systems Inc, the global leader in secure payment electronic solutions. We have been using payment cards in Britain since the 1970s and we began using the new EMV standard, which today is in widespread use, a couple of years before our northern European friends, says Paul Holliday, Head of Marketing, VeriFone UK & Ireland. As one of the UK s most experienced companies on the market for electronic payments, we have been able to follow the development of security systems right up to the present day. This, together with the other skills in the VeriFone group of companies, has given us the opportunity to stay one step ahead of our competitors in developing payment solutions of tomorrow. Handles 80 per cent of the UK s contactless payments In 2007, the company was the first UK supplier to offer an integrated contactless payment solution based on NFC technology. The advantage over the competition in this area has been maintained and in 2010, the company processed over 80 per cent of the UK s contactless payments. As a result, the company is currently considered to be the UK s leading supplier of contactless payment solutions. Further evidence of the company s drive came in 2009, with the launch of Ocius Sentinel, the UK s first PCI-compliant point-to-point encryption payment solution. Security has always been the top priority for us, says Paul Holliday, and it is something we have worked on in a number of different ways. One of the more central of these has been security work to help our customers attain and maintain PCI DSS. Security solutions are an integrated part of our range and we can see that customers actively look for these elements when considering payment solution suppliers. EMV (also called Chip & PIN) is an umbrella name for a payment and credit card standard that involves payment and credit cards being equipped with a data chip, among other things to prevent copying ( skimming ). Having secure IT systems and good product handling is not the only thing required in order to deliver secure payments. As technology has developed, criminals have found new ways in. One area that has grown in recent years is the threat linked to Social Engineering. This is not about deceiving IT systems but about tricking users into giving out their password and codes, for example. This is a relatively big problem in Europe, but there have been no major documented cases in Sweden. As a preventive measure, and in order to minimise the risk of this and other threats, Point has trained more than 800 people in the Group s 11 countries. The training aims to create broad expertise in the field of security and therefore covers everything from handling card data and classified information to how to act on the telephone and towards visitors. Training is tailored and adapted for the company s various departments. The training package has also been translated into seven different languages in order to ensure that none of the details are misunderstood. After completing training, staff undergoes a test. If they pass, they are awarded a security certificate and if they fail they must undergo further training before being tested again. Near Field Communication (NFC) is a communication standard for the contactless exchange of data across short distances (typically around 10 cm). This technology aims to create a secure, intuitive and simple communication channel between various electronic devices. For example, you do not need to insert and remove your payment card in a payment card terminal. You just need to hold the card close to the terminal. 5

6