September 15, 2009

Industry Adopts Card Information Replacement Technology

Las Vegas, Nevada (September 15, 2009) – Shift4 Corporation, a leading developer of enterprise payment solutions, reports strong increase in merchant demand for Card Information Replacement Technologysm (CIRT). Shift4’s DOLLARS ON THE NET™ payment gateway is fully integrated with CIRT to deliver fast, reliable and secure electronic transactions for merchants of all sizes while greatly simplifying PCI Compliance.

“Shift4 is pleased and encouraged to see others in the payments industry introducing new technologies that may hold the promise of protecting cardholder data (CHD) throughout the entire transaction lifecycle.  The market is showing strong demand for technologies that remove sensitive cardholder data from the merchant’s payment system and replace it with something that merely represents the real numbers.  At this critical point in the vetting of these new technologies, it is essential that merchants seek out and understand the differences between true tokenization and other offerings, which may be called tokenization but are in fact, encryption.  Shift4 has been providing true tokenization to our merchants since 2005,” said Dave Oder, President and CEO, Shift4 Corporation.

Card Information Replacement Technologies from Shift4 include: 4Go SafeSwipe™, i4Go™, and Tokenization. These offerings safeguard the merchant payment environment by removing and replacing sensitive CHD from the payment process before it enters the Point-of-Sale (POS) system, Property Management System (PMS), or in the world of the Internet, the merchant’s site or hosting provider’s environment.  CIRT simplifies the process of securing sensitive information by preventing it from being stored, processed, or transmitted in the merchant environment, which greatly reduces the cost and complexity of Payment Card Industry (PCI) compliance.  Essentially, merchants utilizing CIRT are much more likely to be able to achieve and maintain a state of PCI compliance while concurrently removing all cardholder data from their payment environment.

“As the industry continues to acknowledge and adopt technologies that address Real Security issues, it is important to understand the differences between true tokenization and offerings that are tokenization in name only.  There are a lot of adaptations that use the name only but are, in fact, various encryption key handlers, hashing schemes, and ‘at-once’ transaction schemes.  Many of the new end-to-end encryption schemes limit merchants’ choices regarding which bank or processor they will be able to work with.  By working with Shift4, merchants retain the power of choice and can work with any bank or processor they see as most beneficial to their business,” said Steve Sommers, Senior Vice President, Applications Development, Shift4 Corporation.

Tokenization was defined for the first time in the Payment Industry in 2005 at a Security Conference in Las Vegas, Nevada.  Shift4’s tokenization replaces a card number with a randomly generated unique alphanumeric value that represents the card information for a particular transaction and merchant, used mostly, but not exclusively, for post authorization data retention.  In some tokenization in name only adaptations, which use keys or partial keys, a key being compromised would have to be reported as a breach.  Since, by definition, Shift4 tokens are not CHD and there are no keys associated with the true token, they have no value if stolen and do not need to be protected under PCI rules.

The power of the true tokenization is the token provider’s system.  The system must be robust and feature rich to provide the merchant with all the capability they would have if they had retained the card number, including reporting, retrieval, and chargeback defense.  Shift4’s token is not a key, a partial key, a hash, or any 1-to-1 relationship with a card number and can be stored up to 24 months or as long as the merchant’s retention period dictates.  This way, the token can be used in any check-in/check-out scenario like hotel and auto-rental, a book and ship scenario of Mail-Order/Telephone-Order (MOTO) and eCommerce, or other scenarios such as “card-on-file” and recurring billing scenarios.