Case Study: Small Retailers are Going Bigger When it comes to Payments Security
By George Rice, Director of payments for HPE Security at Hewlett Packard Enterprise
Data breaches are damaging for every company that suffers them, no matter the size. Unlike their larger peers, however, small businesses frequently aren’t given the chance to recover from the financial and reputational impact of a breach. According to a report from The New York Times, sixty percent of all online attacks in 2014 targeted small and mid-size businesses. That same year it was found that nearly three-quarters of companies that “suffer major data loss” shut down within 24 months.
Combating cyber criminals can be tough for businesses that lack the technical and budgetary resources of a large enterprise. Partners with the expertise and perspective to support the unique needs of small businesses can be few and far between. Epicor Software Corporation is one such partner. It was founded to serve just these types of businesses, and today the company supplies state-of-the-art enterprise resource planning (ERP) solutions to small and mid-sized retailers in North America.
This includes everything from payments and finance systems, to merchandise sourcing and inventory management, to business intelligence and cross-selling in-store, online, or on mobile apps. In 2015, enterprise-grade security from Hewlett Packard Enterprise (HPE) joined the list of options available to the 5,000-plus Epicor retail customers.
Before settling on HPE SecureData Payments, Epicor considered a wide range of approaches to data security, including implementing alternate gateways or its own internal data encryption, as well as investigating commercial offerings from vendors such as TransArmor and Bluefin. HPE’s Secure Stateless Tokenization (SST) and Format-Preserving Encryption (FPE) proved to be the difference, providing Epicor and its retail clients with full end-to-end protection from the point of sale (POS) terminal all the way through the payments lifecycle.
“When we took a close look at HPE SecureData Payments, we liked what we saw,” says Matt Mullen, vice president of strategy and product at Epicor. “It was already used by other top retailers in the space where we compete, and HPE SecureData Payments offers a deployment framework that allowed us to bring our data security solution to market in a very easy and affordable manner.”
The initial implementation was finished in just seven weeks and was seamlessly integrated into Epicor’s systems. Today, Epicor hosts the software in its cloud-based payments gateway, which, in turn, is hosted by Amazon Web Services (AWS) across six fully redundant AWS availability zones in three different regions. Security and resiliency are built into the approach, ensuring exceptional protection from breaches and downtime.
This multi-tenant, multisite gateway handles the full roster of tenants identically, with all six availability zones providing instant backup for each other. That way, if one site goes down, the other five pick up the slack and continue processing payments. HPE SecureData Payments plugged into the environment without much customization, a key factor in Epicor’s choosing it as the go-to security mechanism for guarding sensitive transactions at the POS.
“We also wanted to make data security as seamless as possible for our customers to adopt. HPE Format-Preserving Encryption was critical to meeting that objective,” says Bill Wilson, senior vice president of product development at Epicor. “It allowed us to introduce data security into our existing systems without any major software changes. For our customers, everything still works the same as it always did. Except now there’s a solution that’s designed to fully secure their data in transit from the POS through the backend servers.”
Mullen agrees, noting that HPE’s Format-Preserving Encryption — which effectively guards data without changing the core file where sensitive information is stored — required no reprogramming of the Epicor system.
“It allowed us to launch our new security offering well in advance of market expectations. That was extremely beneficial to Epicor and our customers. After all, the faster you put the lock on the door, the sooner you can protect your valuables,” Mullen says.
In this case, the “lock” was point-to-point data encryption. This ensures that credit card data is not exposed at any point in the life of an Epicor-processed transaction.
“By tokenizing card numbers immediately at the point of purchase, we’ve gone beyond PCI compliance to actually eliminating clear data from the transaction process,” Wilson says.
Mullen adds that “even if someone sneaks in to take data, there’s nothing useful to them.” Customers loved hearing that message, especially retailers whose reputation could be seriously affected by a data breach. Ace Hardware, a longtime customer, recommended that all its store owners add the HPE SecureData option to their Epicor environment.
“The sell-through for us was staggering,” says Mullen. “Among our 5,000 retail customers, typical sell-through of a new product is 10 percent, or about 500 units, over 12 months. When we launched our secure payments solution, we sold 1,100 units in the first three months — far beyond our expectations.”
Businesses of all sizes bought, from Ace superstores to family-owned neighborhood shops that had been around for multiple generations.
“Before, they felt pretty defenseless,” Wilson says. “But now they get both reduced risk of a data breach and the peace of mind that comes from knowing they have a robust solution to help protect their business.”
George Rice is director of payments for HPE Security at Hewlett Packard Enterprise. He works with merchant acquirers and large retailers on data security, and leads HPE’s presence among organizations such as the PCI Council, EMVCo and the ETA.