LTP recently had the opportunity to interview Jose Diaz, Director, Payment Strategy and Peter Galvin, Chief Marketing Officer, Mobile, Cloud & Security Technologies at Thales e-Security at Money 20/20 2015. Thales e-Security is a global provider of data protection solutions with more than 40 years’ experience in securing the world’s most sensitive information.
LTP: Tell me something about Thales e-Security in the payments security space. What are the things you are doing as a company?
Jose Diaz: Thales e-Security provides hardware security modules (HSM). So any acquirers, i.e., processing, PIN transactions in the acquiring industry, they use our HSM for secure cryptographic processing, key protection and key management. We also work on the issuing space where our HSMs are also used to prepare data for EMV cards as well as prepare data that would go into mobile payment applications. Our hardware security modules (HSMs) provide enhanced data protection and threat prevention for mobile, cloud and Web applications. So we work both in the issuing and acquiring spaces. From a crypto perspective, we have partnered with a number of companies that actually have the application to do that. We bring in the security and HSMs, so that their application can be compliant with PCI or any of the card scheme rules.
LTP: On the hardware side, there are so many specifications and you can almost write and create anything according to those. However, on the mobile payment side, there is nothing like that. So the challenges there are pretty much high. It must be a very interesting problem to solve, right?
Jose: It is. When it comes to data itself, it is very EMV-like. EMV codes define interoperability; same with the card-schemes. From the provisioning side, GlobalPlatform is the method that everybody has been utilizing for how to securely get that data into the phones.
LTP: Are you talking about only NFC-based mobile payments or any mobile payments?
Jose: When we started dealing with other types of mobile payment, we usually tried to focus on the secure element or HCE-based, the card scheme-based or the standard issuer-based. Because, to your point, when you start talking about mobile payments, you start talking about person-to-person payments; you start talking about a lot of those schemes. You are right that there is no standard. We have worked on some of those applications, but they're all very individual projects. There hasn’t been any sort of methodology or standard in order to do that. In that perspective, it is only Apple Pay and Samsung Pay that have standards.
LTP: We come across companies like Sequent, Bell ID, SimplyTapp who do HCE. Can you describe how the value chain works? Where do you add value and where do these guys come?
Jose: That’s a perfect question; take Bell ID as an example. Bell ID has an application that helps you in generating and provisioning all the data for mobile devices and also creates the token that you need before actually provisioning the data. But Bell ID uses our hardware security modules (HSMs) in the generation, storage and distribution of keys and sensitive data for maximum protection. They are one of our technology partners. We provide the security and they provide the application to make it happen.
It is the same thing with most of those companies. Some of those companies deal with protecting data or a different method of accepting payments. In those cases, those traditional applications have their way of encrypting the data at the POS. So in those cases, we are more of interoperability partners. They have their own standalone solution and we are at the other end of it. We take what they create and then we put it back in the clear, so that the acquirer can process it.
LTP: How did you get into HSM & payments?
Peter Galvin: Thales is a big French conglomerate that focuses on a number of different areas. One of the areas is security. So they provide communication and secured communication for many large industries. A few years ago, we acquired nCipher, a leading supplier of encryption products for organizations that need to protect sensitive data. Post that, we acquired two HSMs. One specifically focused on payments (application-specific) and the second, a general purpose HSM. That is how Thales e-Security got involved. We have grown because the data protection problem is such a big problem. When you talk about issues around protecting data, the credit card industry has a very firm PCI scheme to protect the transactions and data. All these new industries like automotive, e-commerce and enterprises—they need to have a more assured way of maintaining data without a data breach. Even if you were to actually access the data, it is encrypted. If you don’t have access to the key, then the data is of no use to you.
This is where we have made our presence by our recent acquisition of Vormetric. Vormetric’s data security solutions expand our offering in transparent encryption, application encryption, tokenization and data masking, complementing our market-leading key management host security modules and provide a strong position for the protection of sensitive data in physical, virtual and cloud infrastructures. The acquisition has given us a broader capability.
Jose: It is a lot of different businesses all under the same name. A lot of it deals with projects business, not products per se. We are mostly product business within the group selling products and solutions.
LTP: Do you sell your HSM worldwide?
Peter Galvin: Yeah. One of the interesting applications for our HSM, for example, is manufacturers in places like China and India. If you think of a phone or conferencing system which has software, now you can use our system; it prevents fraud from happening. HSMs are used in manufacturing processes to ensure that there is no fraud in that process.
LTP: When you come to Money 20/20, which is that segment you want to meet?
Jose: Our application security product line is certainly the leader in the company. That is because our product provides crypto, to protect keys & secure things. But that product can be utilized to control the handset manufacturer to make legitimate products or it can be used for access control or by a lot of companies in data protection. But I think when we look at the use cases, it is all about protecting information; it is about protecting data. So it is kind of hard to tell because it is all about protecting data, whether that is payment data or the data that is in your phone. When we look at different market segments, it is all about protecting data in different segments. Payments are huge but a lot of the enterprise when they deal with public key infrastructure or data protection, it's also another very large market.
LTP: Who are your customers? Can you discuss a little bit about the implementation?
Jose: If we look at card schemes, large processors, etc., they all need our solutions in order to protect transaction data because they are all involved in the payments system. Some of the customers also use our solution to protect their customer data. For example, if it is a bank issuer, the bank needs to protect your personal data. So they need our solution/products to protect that information.
When you look at the customer base—particularly around payments—it's all the card schemes, all the payments processors and also all the issuers. Although, a lot of the time the issuer will outsource some of the services to companies like First Data. So those are customers as well who we serve multiple clients.