Credit Cards

Comprehensive credit and loan news coverage


Shift4 Releases New Technology to Insure the Security of Its Merchants' and Partners' Payment Processing

6 October 2005

To abide by the Card Associations'
current requirement of not storing credit card data, Shift4 has developed a
new Tokenization technology which enables merchants and payment application
vendors to enjoy the highest level of payment processing security possible
without requiring a lot of time, money or resources.

During the recent Transaction Security Summit held September 28 & 29 in
Las Vegas, one thing became abundantly clear: In order for merchants and
point-of-sale or property management systems to be secure and pass their
certification or validation process, they cannot hold any credit card data
after the initial authorization. In fact, in the Card Associations' new
universal security standard it states:

"Keep cardholder information storage to a minimum. Develop a data
retention and disposal policy. Limit your storage amount and retention time
to that which is required for business, legal, and/or regulatory purposes, as
documented in the data retention policy. Do not store sensitive
authentication data subsequent to authorization (not even if encrypted)."
-- Payment Card Industry Data Security Standards (PCI DSS), as seen on
http://www.visa.com/cisp

The problem is that this information has been historically stored and
utilized to enable merchants to perform incremental authorizations on a credit
card. For example, this information is used to process tips and tabs in a
restaurant environment, enable recurring billing for retail and ecommerce
merchants, and is essential to lodging and auto rental merchants who charge
multiple items, nights, etc. to a single invoice. So how can a company
leverage the same features without the security risk? Shift4 has the answer
and they call it Shift4 Tokenization.

So what is Shift4 Tokenization and how does it work? The purchase starts
off the same. The merchant swipes the card data and sends it over to Shift4
fully encrypted. Shift4 sends the card data on to the processor and receives
back from the processor an approval. All this is the same as it is today; it
is after this point where the process differs. Instead of sending back the
card data to the merchant and the POS system, Shift4 turns the data into a
Token. A Token is a globally unique, randomized representation of credit card
data that is 16 characters long. For payment applications and merchants who
utilize Shift4, only the Token is stored in the system.

The Token spans the lifetime of the transaction, even into history, so it
provides all the same support for tips, tabs and incremental authorizations.
Basically, the Token is stored on the POS system and when an incremental
authorization is required on the card the Token is sent to Shift4. The Token
represents a specific credit card transaction and card data that is stored in
Shift4's data center. When the Token is sent through, Shift4 translates that
Token into the card data and sends it to the processor. The processor sends
back the authorization code; Shift4 turns it back into a Token and sends that
along with the approval code to the merchants. The authorization goes through
and again no credit card data is stored on the system. That means that the
merchant doesn't need the card number or data past the initial request, so
there is absolutely no reason to store this potentially dangerous information.

The entire liability to protect the card data is now on the gateway, where
it should be. Shift4's gateway, $$$ ON THE NET(R), has been successfully and
securely managing, transporting and storing data for years. It is something
that is core to Shift4's success, but very much out of the realm of the core
competencies of merchants and payment applications. The redundant Shift4 data
centers are fully compliant with all Card Association regulations, including
the Payment Card Industry Data Security Standards. To maintain this
compliance, Shift4 undergoes a rigorous annual onsite audit, as well as
ongoing network scans, all of which help to assure our customers and our
partners that our systems, solutions and data centers are the most secure
possible. In fact, the security we have in place meets or surpasses that used
by the US ATM networks and that outlined in the National Security
Administration's (NSA) C2 "Orange Book" security standards requirement.

"We developed Tokenization to protect our partners and customers. A fact
that is underlined by our decision not to patent this process in hopes of
encouraging others to implement what we feel to be a superior method for
securing the payment process," stated J. David Oder, President & CEO of
Shift4. "We do realize, however, that some others will not be able to
implement this solution. We are able to do this successfully because we don't
change our interface for each processor. We designed and built our system for
the largest common factor, not the lowest common denominator."

While this seems like a great and secure idea, the next logical question
is -- what will it take to implement? The answer may be surprising. It is a
truly small change with big results. Adding on Shift4 Tokenization requires a
small change on the POS and PMS side. They need to add an addendum asking for
this block and of course they need to store the Token. But even this part is
easy. The Token can be stored in the now empty card number field, which is
already set up to receive this type of data. Also, because the Token includes
the last four digits of the credit card number, all of the POS and PMS system
reports will still be fully functional. From a merchant's point of view, the
implementation is seamless. In fact, it can be implemented even when there
are pending sales or open tickets remaining. Best of all, the solution is
available today and at no additional cost.
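
The token flow described above, sketched as an added example (it is not Shift4's code or interface): the gateway keeps the card number in its own vault and the POS ticket holds only the Token. The names `Gateway` and `merchant_flow`, the token alphabet, and the layout of 12 random characters followed by the last four digits are assumptions; the article states only that the Token is random, unique, 16 characters long and includes the last four digits.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed token alphabet
TOKEN_LEN = 16                                     # length stated in the article


class Gateway:
    """Hypothetical gateway: the only place card numbers are kept."""

    def __init__(self):
        self._vault = {}  # token -> card number, never leaves the gateway

    def _new_token(self, pan):
        # Random prefix from the OS CSPRNG plus the card's last four digits
        # (assumed layout), retried on a collision so tokens stay unique.
        while True:
            prefix = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN - 4))
            token = prefix + pan[-4:]
            if token not in self._vault:
                return token

    def _processor_authorize(self, pan, cents):
        # Stand-in for the upstream processor call; approves everything.
        return "APPROVED"

    def authorize(self, pan, cents):
        """Initial sale: card data in, token out."""
        result = self._processor_authorize(pan, cents)
        token = self._new_token(pan)
        self._vault[token] = pan
        return token, result

    def incremental(self, token, cents):
        """Tip, tab or extra night: token in, approval out."""
        pan = self._vault.get(token)
        if pan is None:
            return token, "DECLINED_UNKNOWN_TOKEN"
        return token, self._processor_authorize(pan, cents)


def merchant_flow(gateway, pan):
    """What the POS keeps: a ticket with the token in the card-number field."""
    token, _ = gateway.authorize(pan, 4200)
    ticket = {"card_number": token, "amount_cents": 4200}
    _, tip_result = gateway.incremental(ticket["card_number"], 800)
    return ticket, tip_result
```

Because the Token is random rather than derived from the card number, a stolen POS database yields nothing that can be reversed without access to the gateway's vault.
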
"We knew that we needed to create a solution that would insure the
security of our merchants' payment processing without inundating our POS & PMS
partners' resources," stated J.D. Oder II, Vice President of Research &
Development, Shift4. "Plus, it had to be easy to install. We don't want the
new security regulations to turn into the next Y2K, where the merchants are
forced to foot an enormous bill just to meet the basic requirements. We
believe that Tokenization accomplishes all these goals -- a safe system that
is really a simple patch, which can be implemented and installed easily, even
in legacy systems."

About Shift4 Corporation
Shift4, a leading developer of financial transaction processing software
and services, provides web-based, real-time enterprise payment solutions for
leaders in the hospitality, retail, foodservices and e-commerce markets.
Through connectivity to most major processors, $$$ ON THE NET provides both
high speed and low cost authorizations and settlements for credit, debit,
check, private label and gift card transactions. $$$ ON THE NET also includes
the ability to access, review and edit transactions prior to settlement, as
well as a searchable, 24-month archive of transactions for reporting and
charge back defense. For more information contact Shift4 at (702) 597-2480 or
visit Shift4 online at http://www.shift4.com.

Source: PR Newswire

