10/05/2005

Shift4 Introduces Tokenization at Security Summit

Las Vegas, NV, October 5, 2005 – To abide by the Card Associations’ current requirement of not storing credit card data, Shift4 has developed a new Tokenization technology which enables merchants and payment application vendors to enjoy the highest level of payment processing security possible without requiring a lot of time, money or resources.

During the recent Transaction Security Summit held September 28 & 29 (2005) in Las Vegas, one thing became abundantly clear: In order for merchants and point-of-sale or property management systems to be secure and pass their certification or validation process, they cannot hold any credit card data after the initial authorization. In fact, in the Card Associations’ new universal security standard it states:

“Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. Do not store sensitive authentication data subsequent to authorization (not even if encrypted).” – Payment Card Industry Data Security Standards (PCI DSS), as seen on www.visa.com/cisp.

The problem is that this information has been historically stored and utilized to enable merchants to perform incremental authorizations on a credit card. For example, this information is used to process tips and tabs in a restaurant environment, enable recurring billing for retail and ecommerce merchants, and is essential to lodging and auto rental merchants who charge multiple items, nights, etc. to a single invoice. So how can a company leverage the same features without the security risk? Shift4 has the answer and they call it Shift4 Tokenization.

So what is Shift4 Tokenization and how does it work? The purchase starts off the same. The merchant swipes the card data and sends it over to Shift4 fully encrypted. Shift4 sends the card data on to the processor and receives back from the processor an approval. All this is the same as it is today; it is after this point where the process differs. Instead of sending back the card data to the merchant and the POS system, Shift4 turns the data into a Token. A Token is a globally unique, randomized representation of credit card data that is 16 characters long. For payment applications and merchants who utilize Shift4, only the Token is stored in the system.

The Token spans the lifetime of the transaction, even into history, so it provides all the same support for tips, tabs and incremental authorizations. Basically, the Token is stored on the POS system and when an incremental authorization is required on the card the Token is sent to Shift4. The Token represents a specific credit card transaction and card data that is stored in Shift4’s data center. When the Token is sent through, Shift4 translates that Token into the card data and sends it to the processor. The processor sends back the authorization code; Shift4 turns it back into a Token and sends that along with the approval code to the merchants. The authorization goes through and again no credit card data is stored on the system. That means that the merchant doesn’t need the card number or data past the initial request, so there is absolutely no reason to store this potentially dangerous information.

The entire liability to protect the card data is now on the gateway, where it should be. Shift4’s gateway, DOLLARS ON THE NET®, has been successfully and securely managing, transporting and storing data for years. It is something that is core to Shift4’s success, but very much out of the realm of the core competencies of merchants and payment applications. The redundant Shift4 data centers are fully compliant with all Card Association regulations, including the Payment Card Industry Data Security Standards. To maintain this compliance, Shift4 undergoes a rigorous annual onsite audit, as well as ongoing network scans, all of which help to assure our customers and our partners that our systems, solutions and data centers are the most secure possible. In fact, the security we have in place meets or surpasses that used by the US ATM networks and that outlined in the National Security Administration’s (NSA) C2 “Orange Book” security standards requirement.

“We developed Tokenization to protect our partners and customers. A fact that is underlined by our decision not to patent this process in hopes of encouraging others to implement what we feel to be a superior method for securing the payment process,” stated J. David Oder, President & CEO of Shift4. “We do realize, however, that some others will not be able to implement this solution. We are able to do this successfully because we don’t change our interface for each processor. We designed and built our system for the largest common factor, not the lowest common denominator.”

While this seems like a great and secure idea, the next logical question is – what will it take to implement? The answer may be surprising. It is a truly small change with big results. Adding on Shift4 Tokenization requires a small change on the POS and PMS side. They need to add an addendum asking for this block and of course they need to store the Token. But even this part is easy. The Token can be stored in the now empty card number field, which is already setup to receive this type of data. Also, because the Token includes the last four digits of the credit card number, all of the POS and PMS system reports will still be fully functional. From a merchant’s point of view, the implementation is seamless. In fact, it can be implemented even when there are pending sales or open tickets remaining. Best of all, the solution is available today and at no additional cost.

“We knew that we needed to create a solution that would insure the security of our merchants payment processing without inundating our POS & PMS partners’ resources”, stated J.D. Oder II, Vice President of Research & Development, Shift4. “Plus, it had to be easy to install. We don’t want the new security regulations to turn into the next Y2K, where the merchants are forced to foot an enormous bill just to meet the basic requirements. We believe that Tokenization accomplishes all these goals – a safe system that is really a simple patch, which can be implemented and installed easily, even in legacy systems.”

About Shift4 Corporation