Point of sale (POS) vendors that sell payment application software encrypt credit card numbers to meet PCI DSS and to prevent data breaches, but the encryption key management behind that encryption is often cobbled together and falls short of best practice. For POS vendors who supply retailers with complete cash register systems, including POS terminals and payment application software, an inadequate key management solution leaves those retailers exposed to a breach.
Although POS vendors must have their payment application software validated under the PA-DSS standard, many skate by with weak encryption and key management that has been thrown together to meet the bare minimum.
Even though their vendors have passed that test, retailers are still suffering some of the largest data breaches on record, because their POS vendors do not adequately protect the encryption keys or follow key management best practices for securing cardholder data.
At the end of the day, each business is responsible for its own data security; however, POS vendors offering payment application software can improve their own security posture and protect their reputation by offering better encryption key management for credit card numbers to their customers. Database administrators and information security officers at retail companies can stop worrying about their POS solution if their POS vendor provides a FIPS 140-2 validated encryption and key management solution with these three advantages:
1. Encryption Key Management that is Easy to Use - Good encryption key management should be easy to install, configure, evaluate, license, and sell to end users. Townsend Security’s 1U server plugs directly into your IT infrastructure and requires no on-site technician to install. Our cross-platform encryption key management HSM integrates with Microsoft, IBM i, Linux and other legacy platforms. Our team provides training, OEM integration, NIST FIPS 140-2 validation, marketing materials, and consistent back-end support, as well as the sample code, binary libraries, applications, key retrieval and other tools you and your customers need to implement encryption and key management quickly.
2. Encryption Key Management that is Cost Effective - Small and mid-sized retailers are a growing target for attackers because these companies tend to have weaker data security. They nevertheless need to secure their sensitive data and must meet the same compliance requirements as larger businesses. We strongly believe that cost should not be a barrier to any business. Townsend Security offers cost-effective licensing and easy deployment for integration in less time and at an affordable price. We also offer OEM and “white label” options to save time and pain around branding. The average data breach costs a company $5.5 million; with better encryption and key management, you can save your customers millions of dollars.
3. Encryption Key Management that Protects Your Company in the Event of a Breach - In today’s technology climate, data breaches are no longer a matter of “if,” but “when.” Even the strongest networks can be compromised. The only way to secure the data itself is to encrypt it, making it unreadable and unusable to anyone without the key. However, encrypted data is only as safe as the encryption keys: if the key sits on the same server, in the same database, or in the same backup as the ciphertext, an attacker who copies the data copies the key with it, and the encryption has protected nothing. Keys belong in a dedicated key manager, separate from the data they protect, with access restricted to the applications that need them and every key request logged. In the retail industry, responsibility for a data breach falls on the retail company that experienced it, and on the POS and software vendors as well. If one of your customers is breached, properly managed encryption keys mean the stolen ciphertext is worthless, which protects your customer and your own organization.
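The point that ciphertext is only as safe as its key applies directly to how a payment application stores a card number. The example below is added here and is not code from the original post or from Townsend Security's products; it sketches, in Go with the standard library only, the envelope pattern a key manager enforces. The KeyManager type is a hypothetical in-process stand-in for an external key manager or HSM (a real one sits on a separate device and requires authenticated access, which the example does not model); the record layout, function names and the test PAN 4111111111111111 used in the usage note are constructed for illustration. Each card number is encrypted with its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves the key manager, and the database row holds only ciphertext plus the wrapped DEK. A copied table is therefore useless on its own, rotating the KEK leaves older rows readable until their KEK is retired, and retiring a KEK makes every row still wrapped under it unrecoverable, which is exactly what "only as safe as the keys" means in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on err; used only where failure means a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal: AES-256-GCM encrypt-and-authenticate, random nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; any change to nonce, ciphertext or aad fails authentication.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyManager is a hypothetical in-process stand-in for an external key manager or HSM:
// it keeps key-encryption keys (KEKs) by ID, never hands a KEK to a caller, and only
// wraps and unwraps the per-record data-encryption keys (DEKs). Call Rotate before use.
type KeyManager struct {
	keks    map[string][]byte // KEK ID -> key material; nil means retired
	current string
}

// Rotate generates a fresh KEK and makes it current; older KEKs stay usable for unwrapping.
func (km *KeyManager) Rotate() string {
	if km.keks == nil {
		km.keks = map[string][]byte{}
	}
	id := fmt.Sprintf("kek-%d", len(km.keks)+1)
	km.keks[id] = randomBytes(32)
	km.current = id
	return id
}

// Destroy retires a KEK (never the current one): every record still wrapped under it
// is unrecoverable from now on, whatever an attacker has copied from the database.
func (km *KeyManager) Destroy(id string) { km.keks[id] = nil }

// Wrap encrypts a DEK under the current KEK, binding the KEK ID in as AAD.
func (km *KeyManager) Wrap(dek []byte) (string, []byte) {
	return km.current, seal(km.keks[km.current], dek, []byte(km.current))
}

func (km *KeyManager) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	kek := km.keks[kekID]
	if kek == nil {
		return nil, fmt.Errorf("KEK %s is not available", kekID)
	}
	return unseal(kek, wrapped, []byte(kekID))
}

// Record is the database row: ciphertext plus a wrapped DEK. Nothing in it decrypts
// without the key manager, so a copied table is useless on its own.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptPAN uses a fresh DEK per record, so one leaked DEK exposes one PAN.
func EncryptPAN(km *KeyManager, pan string) Record {
	dek := randomBytes(32)
	id, wrapped := km.Wrap(dek)
	return Record{KEKID: id, WrappedDEK: wrapped, Ciphertext: seal(dek, []byte(pan), nil)}
}

func DecryptPAN(km *KeyManager, r Record) (string, error) {
	dek, err := km.Unwrap(r.KEKID, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := unseal(dek, r.Ciphertext, nil)
	return string(pan), err
}
```

To exercise it, call Rotate on a zero KeyManager, encrypt a PAN, call Rotate again, then Destroy the first KEK: the first record stops decrypting with "KEK kek-1 is not available" while a record written after the rotation still decrypts, and flipping a byte of a stored wrapped DEK or truncating a ciphertext is rejected rather than yielding garbage. Two design choices worth copying: the KEK ID is bound into the wrapped DEK as GCM associated data, so a wrapped DEK cannot be replayed under a different KEK ID, and one DEK per record keeps a single leaked DEK from exposing more than one card number.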
Almost every POS vendor offers encryption and key management for its payment application, but not every POS vendor does the job right. In those cases a retailer may pass a PCI audit and still be vulnerable to a data breach. With a NIST-validated OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.
The last thing a POS vendor wants is a data security plan that looks good on paper but doesn’t hold up when the going gets tough. The good news is that the right tools are readily available to companies that want not only to meet but to exceed compliance and to prepare for evolving data security standards. “Good security breeds good compliance and not the other way around -- compliance is the low bar,” says Mark Seward, senior director of security and compliance for Splunk. Through a Townsend Security partnership, POS vendors can offer their customers industry-standard, NIST/FIPS 140-2 validated solutions by implementing an OEM encryption key manager customized for their specific applications.