Acquiring and POS management

VODAT INTERNATIONAL - An NCR case study

Vodat International builds managed payment service for retail customers using Authentic from NCR

The customer

For more than 14 years, Vodat International has been helping the UK’s retail sector to stay connected with its comprehensive range of data and voice network solutions, and value-added services. The company has installed, and now supports, private managed networks and related services in more than 80 mid-scale high-street retail chains, with typically between 10 and 1,000 stores. It serves more than 7,800 individual retail sites and supports over 22,000 devices. As a result, it is a leading provider of telecoms solutions and private managed networks to the UK retail and leisure markets.

The challenge

As a leading supplier of network solutions to retailers, Vodat provides the underlying technology and security solutions that enable retailers to transmit card payment data to their acquirers. The company gained Payment Card Industry Data Security Standards (PCI DSS) certification in 2007, and offers a number of network security solutions that enable its clients to remain compliant with PCI DSS standards for handling sensitive cardholder data.

After years of working closely with retailers on their voice and data networks, Vodat recognized an opportunity in the market for a new managed payment service.

Ian Martin, head of payment services at Vodat explains: “Retailers were often struggling with two important issues: speed and compliance. On one hand, many retailers still depend on old‑fashioned dial-up connectivity from the shop to the  acquirer. For a shop’s customers used to high-speed broadband connections in every other aspect of their lives, this can be painfully slow. On the other, many retailers struggle with meeting PCI-DSS requirements—particularly in our target market where retailers don’t necessarily have the resources to throw at big technology implementations and support.”

The company was well placed to develop its managed payment service based on the three Cs: connectivity, card processing and compliance. Leveraging its own expertise in connectivity and compliance, Vodat developed its Unified Payment Service, designed to decrease retailers’ costs while increasing data transmission speeds and enabling retailers to take advantage of Vodat’s own PCI-SS compliant processes and infrastructure. 

However, the system needed card processing capabilities as the third component. Having built a reputation on offering its clients a best-ofbreed service, Vodat looked to specialist providers for a payment processing platform that had all the necessary criteria to fit its managed service: reliability, scalability and security. Specifically, Vodat was looking for a payment system that could handle authorization requests and response messages for card transactions acquired on payment devices in the retailer’s merchant locations, transmit them to acquirers, and provide a sub two-second response.

The Solution

After looking at a number of potential solutions, Martin and his team selected Authentic, the intelligent transaction processing platform from NCR.

Authentic is a generalized payment platform that can be used as a consumer payment services hub, payment gateway or device driving application, in addition to conventional card-related switching and authorization. As an Open Development platform it can handle any type of transaction, from any device, source, or system and map them into different formats. It also authorizes and authenticates payments, and routes them on to any destination.

“We considered various options, including white labelling, but when we were introduced to Authentic we saw an opportunity to use a leading-edge product that would give our small to medium sized retail clients the same level offunctionality that is normally only seen at the really big retail chains.”

– Ian Martin, Head of Payment Services Vodat International

He continues, “A managed service inevitably places great demands on any solution. It has to be extremely robust—and in this case able to handle very high and unpredictable volumes of traffic so that we can meet our service level agreements (SLAs) at all times. It also has to be extremely scalable. As we add new customers, we need them to be able to implement the system with minimal delay. It also has to be flexible to match the demands of a diverse range of customers. Authentic’s strong credentials in the banking sector meant we were confident it could do all this and enable us to introduce a similarly high level of service to retailers.”

Security, redundancy and compliance

With all the components in place, Vodat was able to develop its Unified Payment Service for retailers. The service is managed by Vodat and delivered over its secure, resilient network. Retailers access the service through a simple and secure interface installed on their point of sale (POS) solution that handles all card payment requests.

Each retailer is fitted out with IP-based Chip and PIN Entry Devices (PEDs) and a firewall managed by Vodat. A request to take a card payment is initiated on the POS and sent to the Vodat data centre from where the PED is asked to accept a payment card and validate the cardholder. The cardholder details are passed immediately to the data centre for processing by Authentic. Once Authentic has authorized the payment and confirmed the result of the transaction, the Vodat Unified Payment Service sends back sufficient masked card data to produce a receipt.

The Unified Payment Service uses network segmentation and strong encryption to ensure that cardholder data is only ever processed, transmitted and stored in PCI DSS compliant systems. All communications between a POS and its PED are through the Vodat secure data centres. The firewall isolates the PEDs from the retailer’s other store systems and strong encryption is used for all communications between the PED and the Vodat data centres. The POS and the PED are never connected so they cannot communicate directly. The architecture of the solution reduces the scope of card processing in store to the PED and, as a consequence, addresses all but two of the twelve requirements of PCI DSS for the retailer. Vodat is able to pre-complete most of the PCI DSS Self Assessment Questionnaire (SAQ) on behalf of the retailer.

The system has built-in redundancy and failover through the establishment of a mirror data centre. In addition, all the components within the system, including Authentic and Vodat’s proprietary software, can communicate with each other. If one element fails, then the remaining components simply re-route communications and carry on functioning. 

Solution Benefits

The Unified Payment Service has been successfully implemented by customers with 70 to 750 payment devices demonstrating the capability of the solution to handle retailers of different sizes. At peak trading for one award-winning deployment, the system handled 1.2 million transactions per month. It enabled Vodat’s client to significantly reduce customer waiting times and increase the number of customers it is able to serve in a day. The inbuilt security standards also help assure staff that customer data receives the utmost protection.

The Unified Payment Service also offers a significant breakthrough in the ongoing challenge of securing cardholder data.

As Martin points out, “The Unified Payments Service is an elegant solution to what is becoming a major headache for small and medium-size retailers. It is fully validated, it avoids the pitfalls and difficulties associated with Point-to-Point Encryption (P2PE), and thanks in part to Authentic’s flexibility it is suitable for most customer-present environments. Because we’re doing the heavy lifting in terms of infrastructure and security management, our clients can focus on developing their business and meeting their customer demands.”

Vodat also believes that the Unified Payments Service creates a significant business opportunity and with it a valuable additional revenue stream.

“This is a natural extension of our long-standing business model. Our strengths in managed networks and telecoms plus our focus on the retail and hospitality sectors reassures customers. They can be confident that they will receive the speed and security they need from a payment service that is delivered over a network. It adds a second string to our bow and gives retailers another reason to come to us and explore how the services we offer can help them build their business.”

– Ian Martin, Head of Payment Services Vodat International

Key features

• Market: Small to medium-sized retailers in the UK
• Challenge: To provide the flexibility, speed, scalability and security in payment processing demanded by a managed service
• Solution: The Authentic payment platform from NCR
• Results: An award-winning payment service that enables retailers to speed up payment processing and ensures trouble-free PCI-DSS compliance