Commidea (UK) launches Ocius Sentinel for Encryption/Tokenization

Ocius Sentinel resides on the Pin Entry Device (PED), within a secure PCI PED and PIN Transaction Security (PTS) environment. Sensitive cardholder data is encrypted using 128 bit 3DES and then further protected by encrypting those results with 2048 bit RSA encryption. The solution benefits from the combined strength of transaction-specific symmetric key encryption and asymmetric key algorithms.

As encryption takes place on the PED, unencrypted data is never seen on the merchant’s Point of Sale equipment and associated network. Ocius Sentinel quickly and securely transmits the encrypted cardholder data directly from the PIN pad, via the Electronic Point of Sale (EPOS) system, across the merchant's network and into Commidea's secure PCI DSS processing infrastructure for onward transmission and authorisation by the Acquirer.

Ocius Sentinel addresses the threat of both cyber and physical attacks through a wide range of additional functionality including:

• A sophisticated PIN Entry Device (PED) asset management system which challenges and authenticates the PED serial number, rendering any unidentifiable device unusable.
• A mutual authentication system ensuring that data passed to and from the merchant implementation always connects to genuine authorisation servers.
• Tracking of PEDs to monitor any abnormal behaviour via Commidea's web-based Management Information System.

“Commidea's implementation of robust cryptographic technologies in the Ocius Sentinel solution provides a clear and much needed advancement in secure payment processing,” said Andrew Bontoft, Technical Director, Foregenix Ltd. “Offering strong encryption directly from the hand-held PED through to the processor’s backend network removes the possibility of the account data being intercepted between these two points, significantly reducing the risk of data compromise.”

As sensitive cardholder data is effectively removed from the merchant's system, Ocius Sentinel significantly reduces the cost and burden of achieving and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance. Furthermore, as it is delivered as part of a comprehensive managed service, a retailer does not have to invest in any additional software or hardware and the headache of key management is completely removed.

“A unique feature of our solution is that data can remain encrypted all the way through to the merchant’s acquiring bank - the merchant has no ability to decrypt this so it is a true end-to-end solution,” explained Marc White, Commidea’s Head of Security and Compliance. “Importantly, Commidea’s engineering of the solution has ensured that there is no degradation in the authorisation response time. It still only takes a couple of seconds to process card payments.”

“Many retailers are having to focus their sights on PCI DSS compliance while wishing that they could invest their time, energy and technology spend on more customer centric activities,” said Simon Wilding, Managing Director, Commidea, “By implementing Ocius Sentinel retailers can do exactly that, knowing that they have truly safeguarded their customers’ data and stretched far beyond ‘tick the box’ compliance.”

Commidea’s customers will continue to have access to a wide range of value added services, such as card holder preferred currency, tax free shopping, mobile top-ups and voucher schemes.