How Thales HSMs Helped a Payment Service Provider Deliver The Security They Needed To Roll Out a New Mobile Payment Product
The Goal: To Bring The Highest Standards of Security To Mobile Point-of-Sale (mPOS) Technology
CreditCall, a leading payment gateway service provider, saw a huge opportunity to reach a new market with an innovative, mobile point-of-sale (POS) credit card payment technology. In years past, it was difficult for certain types of merchants to utilize mobile POS systems. The technology was expensive – smaller merchants often couldn’t afford the costs or didn’t want the long-term contractual commitments. Traditional POS equipment requires a physical network connection, meaning merchants who provided products or services away from an office or retail location were forced to either operate on a cash basis, missing out on the convenience and security that credit card payments offered, or rent expensive and bulky GPRS terminals.

With the enormous popularity of mobile devices, CreditCall envisioned an opportunity to bring face-to-face card payment solutions to a whole new category of smaller businesses and micro-merchants by incorporating portable, low-cost card reader devices that could connect wirelessly via (merchant-owned) tablets and smartphones to remote payment gateways. Mobile businesses like gardeners, plumbers and electricians could now accept credit card payments on-site at their customers’ homes. This solution now stands to replace conventional POS systems in certain environments, with low-cost readers and mobile device-based application software. This significantly reduces cost and complexity, paving the way for widespread adoption by all types of merchants, not just micro-merchants.
The CreditCall team began to develop mobile POS technology they could sell as a white label solution to banks, acquirers, payment processors and mobile network operators (MNOs), who could in turn sell the products and associated services to their merchant customers. But while the opportunity was significant, the CreditCall team knew security would be the primary challenge. Mobile devices are inherently insecure. If the customer’s credit card information were present in a smartphone or tablet, it would be much more vulnerable to malware, Trojans, backdoors, memory scraping and other advanced malicious threats than in a traditional POS terminal. For their banking and financial clients to buy in to the new mobile POS business model, CreditCall would have to ensure the highest levels of security could be achieved.
Benefits For Payment Service Providers (PSPs):
- Increase transaction volume and revenue by enabling a broader community of merchants to accept card payments in a highly secure manner with low onboarding costs
- Minimize installation costs by using HSMs to secure the remote key injection process for the card readers, eliminating costly pre-personalization at the factory or manual installation on site at the merchant
- Reduce the cost of scaling internationally by enabling additional data centers and merchant terminals to be managed remotely from a central location using a flexible pool of HSMs
- Accelerate implementation projects with HSMs that are pre-qualified to integrate with products from leading card reader vendors
Benefits for Merchants:
- Move the merchant environment out of scope for PCI DSS compliance by ensuring that all sensitive data is encrypted using proven and certified hardware-based techniques
- Facilitate payment acceptance anytime and anywhere through a flexible, low cost and secure card-based solution, supporting the strongest EMV standards
- Reduce certification costs by eliminating the need for the merchant mobile device (smart phone or tablet) to undergo any independent security certification
- Minimize staff and customer training costs by delivering the same cardholder experience as traditional chip and PIN based POS terminals
The Solution: Point-to-Point Encryption and Thales HSMs
The CreditCall team integrated card readers certified to the PCI SRED (secure reading and exchange of data) standard together with Thales payShield 9000 hardware security modules (HSMs) to enable a point-to-point encryption (P2PE) zone to be established between the card acceptance point and the internet-based payment gateway. As the emerging preferred approach to providing strong hardware-based encryption of sensitive payment data in POS payment environments, the P2PE process encrypts data inside the secure card reader and protects it as it flows through the merchant’s system and into the payment processing chain. By encrypting the data before it enters the merchant smartphone or tablet device (and ensuring there is no means for the device to decrypt the data), there is no requirement for security certification of the smartphone or tablet, significantly reducing complexity, costs and time to market. CreditCall was therefore able to satisfy their clients’ security requirements and protect customer personal and credit card information from potential attacks in a highly efficient and secure manner.
Thales payShield 9000 HSMs were a critical component in securing the CreditCall CardEase Mobile solution. Designed specifically for the payment industry, payShield 9000 HSMs combine state-of-the-art security and operational ease. They are deployed as an external peripheral for devices running card issuing and payment processing applications, with a long history of delivering high assurance protection for Automated Teller Machine (ATM) and Point of Sale (POS) credit and debit card transactions. In fact, approximately 80% of all payment card transactions worldwide run through a payShield HSM. These devices are involved in protecting and validating PINs, processing transactions, issuing payment cards and managing keys.
CreditCall chose Thales HSMs for two overriding reasons. The first was reputation – CreditCall knew their banking and payment processing customers would require a solution that was recognized industry-wide as a proven and reliable security solution, and Thales fit the bill. But even more importantly, CreditCall chose Thales because payShield provided more robust protection and management of encryption keys than competitive solutions. Proper key management is critical to securing customer data in a P2PE solution, both to defend against malicious external data extraction threats and to protect against compromise by a malicious insider. With robust role-based access controls, tamper-resistant security and easy-to-use management capabilities, Thales HSMs offered CreditCall the highest level of security in the industry.
Reduce Scope for PCI DSS Compliance
Complying with the Payment Card Industry Data Security Standard (PCI DSS) can be a costly and time-consuming endeavor for any business. Thales HSMs can help reduce the cost and burden of compliance by significantly reducing a merchant’s scope of PCI DSS compliance. If a P2PE process is implemented correctly and account data is encrypted within a secure capture device using keys protected by Thales HSMs, a merchant will benefit from being taken out of scope for PCI DSS compliance for their mPOS solution. Strict controls for protection of and access to decryption keys must be in place; in fact, the PCI P2PE Solution Requirements and Testing Procedures require the use of HSMs with an appropriate security rating to protect access to those keys. Thales HSMs fulfill this requirement and can play an essential role in implementing a P2PE strategy to reduce the scope and cost of compliance.
Benefits of payShield 9000
- Delivers comprehensive, certified security specially designed for card issuing and payment processing
- Provides off-the-shelf support for all major payment applications
- Maximizes business continuity with redundant hardware, field serviceable components, and support for clustering and failover
- Streamlines deployment and maintenance and reduces the cost of compliance with a choice of software options tailored for issuers, processors, and acquirers
- Offers a range of scalable, high-performance models, so you pay only for the capacity you need
Jeremy Gumbley, Chief Technology Officer, CreditCall says:
“I see hardware solutions as being pivotal in making security viable in mobile environments. You need to be able to police and control your encryption keys independently from the rest of your infrastructure and know that those keys are not ever going to come out of that device. I see hardware as being essential as there is no really good way of doing this without hardware.”
Thales payShield 9000 HSMs
The Thales payShield 9000 HSM provides a payment-system-certified method for remotely deploying the cryptographic keys required by secure capture devices such as the Miura Shuttle for PIN and data encryption, and for performing the secure decryption of payment transaction data prior to onward transmission to the acquirer. Where online PINs are used, the HSM additionally facilitates a secure PIN translation process to enable issuers to validate the PIN entered at the secure capture device. This gives Payment Service Providers (PSPs) an off-the-shelf, proven solution that can help small merchants accept card payments in a cost-effective manner.
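The following is an added illustration of the two mechanisms this page describes: the P2PE zone from "The Solution" section (data and PIN are encrypted inside the SRED reader, the merchant's phone only relays ciphertext, and only the gateway HSM can decrypt) and the remote key deployment and PIN translation from this section. It is not CreditCall's or Thales's code and does not use the payShield API; `GatewayHsm`, `SecureReader` and `MerchantPhone` are hypothetical models, the HMAC-SHA256 keystream cipher is a stand-in for the reader's real cipher, the transport key and issuer zone key are assumed to have been shared out of band, and the card number and PIN are constructed sample values. The ISO 9564 format 0 PIN block is the real standard layout.

```python
"""Model of a P2PE mPOS flow: reader encrypts, phone relays, HSM decrypts and translates."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 16


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (stand-in for the reader's cipher): nonce||ct||tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext altered in transit; rejected")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: PIN field XOR (0000 + 12 rightmost PAN digits, check digit excluded)."""
    pin_field = f"0{len(pin)}{pin}".ljust(16, "F")
    return (int(pin_field, 16) ^ int("0000" + pan[-13:-1], 16)).to_bytes(8, "big")


def pin_from_block(block: bytes, pan: str) -> str:
    pin_field = f"{int.from_bytes(block, 'big') ^ int('0000' + pan[-13:-1], 16):016X}"
    return pin_field[2:2 + int(pin_field[1])]


class SecureReader:
    """Models a PCI SRED card reader: working key arrives wrapped, plaintext never leaves."""
    def __init__(self, reader_id: str, transport_key: bytes):
        self.reader_id, self._transport_key, self._working_key = reader_id, transport_key, None

    def load_remote_key(self, wrapped_key: bytes) -> None:
        self._working_key = decrypt(self._transport_key, wrapped_key)

    def capture(self, pan: str, pin: str):
        # Card data and PIN block are encrypted here, before anything reaches the phone.
        return (encrypt(self._working_key, pan.encode()),
                encrypt(self._working_key, iso0_pin_block(pin, pan)))


class MerchantPhone:
    """The merchant's smartphone or tablet: a relay holding no key material at all."""
    def __init__(self):
        self.observed = []          # everything a compromised device could ever see

    def forward(self, *blobs):
        self.observed.extend(blobs)
        return blobs


class GatewayHsm:
    """Hypothetical stand-in for the gateway HSM: keys are made and used inside, never exported."""
    def __init__(self):
        self._transport_keys, self._reader_keys, self._issuer_keys = {}, {}, {}

    def register_reader(self, reader_id: str, transport_key: bytes) -> None:
        self._transport_keys[reader_id] = transport_key

    def register_issuer(self, issuer_id: str, zone_pin_key: bytes) -> None:
        self._issuer_keys[issuer_id] = zone_pin_key

    def remote_key_injection(self, reader_id: str) -> bytes:
        # Generate the reader's working key and hand it out only wrapped under the transport key.
        key = secrets.token_bytes(32)
        self._reader_keys[reader_id] = key
        return encrypt(self._transport_keys[reader_id], key)

    def decrypt_card_data(self, reader_id: str, blob: bytes) -> str:
        return decrypt(self._reader_keys[reader_id], blob).decode()

    def translate_pin_block(self, reader_id: str, issuer_id: str, blob: bytes) -> bytes:
        # PIN translation: reader key -> issuer zone key; the clear PIN exists only inside the HSM.
        return encrypt(self._issuer_keys[issuer_id], decrypt(self._reader_keys[reader_id], blob))


def tamper_is_detected() -> bool:
    """A single flipped ciphertext bit on the phone must be rejected by the HSM."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, b"4111"))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True


def run_transaction(pan: str = "4111111111111111", pin: str = "1234") -> dict:
    """End-to-end flow on constructed sample values; reports what each party recovered."""
    transport_key = secrets.token_bytes(32)    # assumed pre-shared at reader registration
    issuer_zone_key = secrets.token_bytes(32)  # assumed shared between HSM and issuer
    hsm, reader, phone = GatewayHsm(), SecureReader("reader-01", transport_key), MerchantPhone()
    hsm.register_reader("reader-01", transport_key)
    hsm.register_issuer("issuer-A", issuer_zone_key)
    reader.load_remote_key(hsm.remote_key_injection("reader-01"))
    enc_pan, enc_pin = phone.forward(*reader.capture(pan, pin))
    recovered_pan = hsm.decrypt_card_data("reader-01", enc_pan)
    issuer_pin = pin_from_block(decrypt(issuer_zone_key, hsm.translate_pin_block("reader-01", "issuer-A", enc_pin)), recovered_pan)
    phone_saw_plaintext = any(pan.encode() in b or pin.encode() in b for b in phone.observed)
    return {"pan": recovered_pan, "issuer_pin": issuer_pin, "phone_saw_plaintext": phone_saw_plaintext}


if __name__ == "__main__":
    print(run_transaction(), "tamper detected:", tamper_is_detected())
```

The point the model makes concrete is the scoping argument on this page: `MerchantPhone` has no key attribute and `phone.observed` never contains the card number or PIN, so even a fully compromised handset yields only ciphertext, while `GatewayHsm` exposes no method that returns a key in clear. The PIN translation step is what lets an issuer validate an online PIN without the gateway application ever handling it.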