If you’re in the point-of-sale business, as Moneris Solutions is, the busiest day of the year for transactions is usually going to be the Friday before Christmas – not Black Friday or Boxing Day. The exception might be when Christmas falls on a Saturday and the Friday before Christmas is Christmas Eve, Dec. 24. In that case, the Friday is falling too close to Christmas to be the busiest day of the year for point-of-sale vendors. While you get last-minute shoppers Christmas Eve, many stores, at least the ones not owned-and-operated by proprietors named Ebenezer, are thinking about closing by mid-afternoon or shortly after Christmas Eve.
The reason the Friday before Christmas is the biggest bonanza of the year for debit and credit processors is the huge volume of sales, not so much in high-end items such as big-screen TVs, which dominate Black Friday and Boxing Day sales, but rather in smaller items such as groceries and liquor, which rack up record numbers for the year.
In the Maritimes, Moneris Solutions is located in the old red brick historic Atlantic Wholesalers building at 2 Charlotte St. in Sackville, New Brunswick. I always marvelled at how I could walk into the lunchroom at Moneris in the remodeled red brick building, and pick up a hard copy of the Harvard Business Review off a shelf to read at lunch, or maybe chat over lunch with a fraud detection specialist about things like the language of a purchaser one of our merchants was dealing with half-way around the world being different from the primary language spoken in the location where the true IP is registered, etc., raising red flags for us.
Moneris was a very different world than journalism, but not uninteresting by any means. I met a number of very bright and talented people at Moneris. Mind you, working in a business that is very much built on proprietary data where you couldn’t leave your computer without doing a “lock-and-walk,” took some getting used to. Documents had to be turned face down when you went away from your desk because there could be non-employee contractors or visitors in the building, although I can’t recall them letting many visitors in. Documents had to be paper shredded at the end of every shift. Perhaps something like working on Area 51 or at Groom Lake, Nevada, I remember speculating to myself at the time.
My favourite story from that line of work was having a food and beverage manager from the Calgary Saddledome (now known as the Scotiabank Saddledome) call me at Moneris in Sackville because one of his concession clerks the night before at a Calgary Flames NHL hockey game had sold a fan a hot dog or something for $7 (in 2005-06) and the customer had paid by debit card.
The transaction had gone through not as $7 but $70,000 – immediately, of course, out of the customer’s bank account, courtesy of our Moneris point-of-sale (POS) hand-held terminal device.
Too many zeroes punched in, I guess. The manager was totally beside himself, desperate to refund the customer and credit his bank account before he found out about the mistake. It would have been a lot simpler, of course, if he had paid with a credit card, not a debit card, because you wouldn’t need the credit cardholder physically present with their card to do the refund, unlike a debit card. Although even a credit refund for $70,000 wouldn’t be that simple given the staggering sum.
I remember the manager asking me how it could possibly have been approved on our end and gone through and telling him presumably the customer had the $70,000 in the bank account linked to his debit card, and the bank had obviously not imposed a daily withdrawal limit for him, like most customers have. The poor manager said, “I’m not even sure I could get a mortgage right now for $70,000, much less buy something on my debit card for that amount.” I told him maybe do a quick refresher with his clerk on punching in numbers on the Moneris terminal keypad a bit more slowly.
Things like proximity or prox contactless cards with RFID (radio frequency identification) embedded chips, copper antenna coil, and capacitor, with each chip-card storing a unique binary number, were just arriving on the Canadian retail scene, while tokenization, which dated back to 1976 in the payment card industry (PCI), was also starting to make a real mark by 2005.
Tokenization is the concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In the payment card industry context, tokens are used to reference cardholder data that is managed in a tokenization system, application or off-site secure facility.
To protect data over its full life cycle, tokenization is often combined with end-to-end encryption to secure data in transit to the tokenization system or service, with a token replacing the original data on return. For example, to avoid the risks of malware stealing data from low-trust systems such as point of sale (POS) systems, as in the Target breach of 2013, cardholder data encryption must take place prior to card data entering the POS and not after. Encryption takes place within the confines of a security hardened and validated card reading device and data remains encrypted until received by the processing host, an approach pioneered by Heartland Payment Systems as a means to secure payment data from advanced threats, now widely adopted by industry payment processing companies and technology companies. The PCI Council has also specified end-to-end encryption (certified point-to-point encryption—P2PE) for various service implementations in various PCI Council Point-to-point encryption documents.
Tokenization and “classic” encryption effectively protect data if implemented properly, and an ideal security solution will use both. While similar in certain regards, tokenization and classic encryption differ in a few key aspects. Both are cryptographic data security methods and they essentially have the same function; however, they do so with differing processes and have different effects on the data they are protecting.
Tokenization is a non-mathematical approach that replaces sensitive data with non-sensitive substitutes without altering the type or length of data. This is an important distinction from encryption because changes in data length and type can render information unreadable in intermediate systems such as databases. Tokenized data is secure, yet it can still be processed by legacy systems, which makes tokenization more flexible than classic encryption.
Another difference is that tokens require significantly less computational resources to process. With tokenization, specific data is kept fully or partially visible for processing and analytics while sensitive information is kept hidden. This allows tokenized data to be processed more quickly and reduces the strain on system resources. This can be a key advantage in systems that rely on high performance.
My old boss, Tom Rusted, had an M.Sc. in entomology and was a black fly specialist, and in a career as a banker had been involved in the pioneering rollout of mbanx in 1996 for Bank of Montreal, which was the first North America-wide virtual, full-service bank.
Moneris Solutions, established in 2000, is a joint investment between RBC Royal Bank and BMO Bank of Montreal, and with more than three billion transactions a year from over 350,000 merchant locations, is Canada’s largest processor and acquirer of debit and credit card payments.