The logo of Ingenico SA

Ingenico has announced a partnership with PayPal which will enable merchants with Ingenico POS devices to accept PayPal payment options, read the press release here.

Ingenico and PayPal have each made statements on the relationship:

“Today’s savvy shoppers want the option to choose how they pay for goods and are agile enough to easily switch between multi-shopping platforms. Our goal, as one of the key POS device and solutions providers, is to equip merchants with a versatile secure platform capable of accepting and handling diverse forms of payment,” said Thierry Denis, president of Ingenico North America. “By working with PayPal to bring their payment solutions to offline retail, we will naturally empower both the merchant, by providing a better way to connect with its shoppers to generate incremental sales, and the shoppers by adding speed and convenience at the checkout combined with expanded payment options. This relationship enables us to offer the most advanced solution for today’s practical shopper”

“PayPal’s vision for the future of shopping includes people making purchases anytime, anywhere and over any device. Ingenico is helping PayPal realize this vision by putting PayPal in stores and at the point of sale,” said Don Kingsborough, vice president of retail and pre-paid products. “Millions of PayPal users will soon have several innovative ways to make purchases at many of their favorite retailers, including using Ingenico terminals to swipe their PayPal payment cards or to enter the mobile phone number and pin associated with their PayPal accounts.”

Walt Conway a prominent QSA and manager at 403Labs commented:

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the piece about Home Depot letting shoppers pay in-store using PayPal:

“On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

Thank you Walt for permission to use your excellent work.

Can Tokenization help to reduce the risk of fraud involving Credit Cards?

When it comes to protecting sensitive data, especially credit card data, an organisation needs protection in place because it is a constant battle against a variety of attacks with the two greatest foes being:

  • Social Engineering (e.g. preying on employees or customers)
  • Technology (hackers, viruses, etc.)

Social Engineering can be addressed by implementing regular training, professional management and monitoring, but Technology is a different story.

Technology is an on-going battle with thousands of new attacks being developed every week, e.g. viruses, Trojans, code breaches (e.g. SQL injections), etc.

New attack vectors require new defences, just like in fencing as one fencer makes a move the other needs to counter.

Security moves and counter moves cost time and money, especially when you consider that potential weakness could be in any device on the network e.g. phone systems, servers, BYOD, printers, etc. In a flat or non-segmented network one breached device could potentially lead to the breaching of all devices.

If multiple devices and applications require access to credit card data, e.g. CRM and Customer billing, the scope of risk is far greater which is why reducing the scope of the risk is so important.

Tokenization can dramatically reduce the scope by changing credit card data, and other sensitive information, into usable data that contains no Personally Identifiable Information (PII) or Credit Card data. The original data is then stored in a “data vault” which has strong encryption wrapped around it.

For some companies Tokenization has reduced the risk-points from several dozen to one and if placed in the “cloud” could place the organisations technology and infrastructure out of PCI DSS’s scope.

For details on reducing the scope of PCI DSS see my other post Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data

For a copy of the guide “Tokenization for Dummies” click here.