Townsend Security Data Privacy Blog

Payment Applications Can Secure Data Breaches with Key Management

Posted by Liz Townsend on Jul 17, 2013 1:29:00 PM

If you’re an independent software vendor (ISV) who sells payment applications to retailers, what does it mean when your payment application meets PCI standards but doesn’t actually protect your customers? Many people, especially consumers, wouldn’t even think that the security of the software handling their credit card data is an issue. They don’t realize that there is a serious problem with data security in point-of-sale (POS) and retail software applications. Yet time and time again we see major data breaches occurring through cash register systems that process credit card data, which means those systems are not adequately protecting consumer data.

The problem with data security in payment applications arises when retail ISVs and POS vendors certify their payment applications with the Payment Card Industry Security Standards Council (PCI-SSC). The PCI-SSC requires that these businesses use strong encryption and encryption key management in their payment applications. Although most payment application vendors incorporate encryption and encryption key management into their solutions, many of them do it poorly, skating by with the minimum requirements. In the end, their applications pass certifications but would not protect their customers--or themselves--in the event of a data breach.

And data breaches are happening every day! Today data breaches are considered a matter of “when,” not “if.” It is almost a certainty that it is only a matter of time before a data breach affects one of your customers.

Unfortunately, encryption and encryption key management are complicated tools for ISVs to build on their own--in fact, doing a “home grown” encryption project is almost never recommended by encryption experts. Because many ISVs don’t have the resources to create their own encryption and encryption key management, Townsend Security offers an encryption key management solution that retail ISVs and POS vendors can integrate into their applications to provide their customers with industry standard, certified data security solutions.

We recently published an eBook titled, “Overcoming Critical Security Issues - a Guide to Proper Encryption Key Management,” for POS vendors and Retail ISVs. Read an excerpt written by Townsend Security Founder and CEO Patrick Townsend and download the eBook now:

“Merchants are very worried about data breaches and the potential effect of a breach on their business. The average data breach costs a company $5.5 million, which includes the cost of fines as well as the costs associated with lost business, litigation, and brand damage. A successful exploit of poor data security can destroy years of work building brand reputation. Smaller businesses may never fully recover from a well-publicized data breach. Payment application vendors with poor encryption and key management are subjecting not only their customers to these risks, but themselves as well.

“Good encryption and key management for credit card numbers will also give payment application vendors an advantage over their competitors. PCI standards are not set in stone; data security is constantly evolving to meet new challenges and threats. CEOs and Product Managers in the payment application industry should be having a high-level discussion about data security. Now is the time to move to a second generation data security strategy for protecting customer credit card information. You need a solution that doesn’t just look good on paper, but will protect you and your customers in the event of a breach.”

To read more, download the eBook now.


Topics: Payment Applications, Retail ISV, ISV

3 Reasons Retail ISVs Should Use OEM Encryption Key Management

Posted by Luke Probasco on Jun 11, 2013 8:39:00 AM

Today there are hundreds of independent software vendors (ISVs) selling niche retail management software and payment applications designed specifically for various types of businesses. All of these retail ISVs must certify every payment application that processes credit card data under the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS). This certification verifies that the software handling customer credit and debit card information encrypts that data and protects the encryption keys.


Although all retail ISVs must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements. Good encryption and key management are the cornerstone of good security. When retail ISVs don’t adequately protect encryption keys or follow encryption key management best practices to secure cardholder data, they leave their customers vulnerable to data breaches.

In order to protect customers, retail management software vendors can upgrade their encryption and key management solutions. Townsend Security offers industry standard AES encryption and certified key management that ease the burden of data security with these three features:

1. Reduced Cost and Complexity

Getting a new encryption key management project off the ground is difficult when you have to justify doing the project over again. Encryption key management has a reputation for being both costly and difficult, which is part of the reason why so many encryption key management projects are rushed through certification on the bare minimum requirements. That reputation was accurate ten years ago, but today certified encryption key management that follows best practices can be achieved quickly, easily, and at an affordable price. We help businesses achieve this by offering encryption key management that is easy and fast to deploy, has a simple and cost-effective licensing model, and comes with OEM or “white label” options, because we don’t believe branding issues should get in the way of good data security.

2. Certifications

We supply NIST and FIPS 140-2 certified encryption and key management, or we’ll help you achieve FIPS certifications for your solution. Retailers, especially at the enterprise level, are becoming more and more savvy about the need for certified solutions, and their demand is increasing. NIST and FIPS certifications ensure that their encryption key management has been tested against government standards and will stand up to scrutiny in the event of a breach.

3. Protect Your Customers from Data Breaches

As we see time and time again in the news, retailers still experience data breaches through their payment application software, despite the fact that these applications have a PA-DSS certification. This tells us that certifications don’t always equal good security. In order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and in transit using industry best practices. If your customer experiences a data breach, and you have implemented adequate security that renders the data that was compromised unreadable, you will be not only your customer’s hero, but your own company’s hero as well.
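Whether a breach leaves cardholder data readable or not comes down to where the data key lives, which is the point made here and in the first post above. The following is an added Python illustration, not Townsend Security’s code: a constructed toy payment app that either writes its data key into its own storage (the bare-minimum pattern) or keeps it only in a separate key manager, and a breach that hands over a copy of that storage. HMAC-SHA256 in counter mode stands in for AES because the Python standard library has no AES; the key-handling lesson does not depend on the cipher.

```python
import hashlib
import hmac
import secrets


def stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation). HMAC-SHA256 in counter mode is a
    stand-in for AES here; only the placement of the key matters below."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class PaymentApp:
    """Constructed POS payment app. 'storage' is everything an attacker who
    dumps the host gets: the records table plus any config files the app wrote."""

    def __init__(self, key_in_storage: bool):
        self.key = secrets.token_bytes(32)
        self.storage = {"records": []}
        if key_in_storage:
            # Bare-minimum pattern: the data key sits in a config file next to the data.
            self.storage["config"] = {"data_key": self.key}
        # Otherwise the key is only ever held by the external key manager, modelled
        # here as an in-memory attribute that is deliberately not part of storage.

    def store_card(self, pan: str) -> None:
        nonce = secrets.token_bytes(16)
        self.storage["records"].append((nonce, stream_cipher(self.key, nonce, pan.encode())))


def breach(app: PaymentApp) -> dict:
    """A breach yields a copy of the host's storage and nothing else."""
    return dict(app.storage)


def recover_pans(dump: dict) -> list:
    """What can be read back from a dump using only material inside the dump."""
    key = dump.get("config", {}).get("data_key")
    if key is None:
        return []  # ciphertext without the key: the compromised data stays unreadable
    return [stream_cipher(key, nonce, ct).decode() for nonce, ct in dump["records"]]


def demo(pan: str = "4111111111111111") -> dict:
    """Constructed sample PAN; returns what each design leaks after a breach."""
    results = {}
    for label, in_storage in (("key_in_storage", True), ("key_in_key_manager", False)):
        app = PaymentApp(key_in_storage=in_storage)
        app.store_card(pan)
        results[label] = recover_pans(breach(app))
    return results
```

Both designs would pass a checklist that only asks “is the PAN encrypted?”; only the second leaves the breached data unreadable.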

Retail ISVs and payment application software companies also need to know that although they have certified their solutions under PA-DSS, these standards, like all PCI standards, are not set in stone. Data security is constantly evolving to meet the challenges of new threats that are always surfacing. Retail ISVs need to be aware that just because their solution has been certified once, their encryption and key management practices might not suffice at their next certification.

Townsend Security has redefined what it means to partner with a security company. With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Our dedicated team provides our partners with extensive training, back end support, marketing materials, and a cost effective licensing model. We’ll help you turn encryption and key management into a revenue generating option to help build your business and protect your valued customers.


Topics: Retail ISV, Point of Sale (POS)