SEP 15, 2009 2:59pm ET

COMMENT

Where to Begin for End-to-End Encryption Systems


Several recent data breaches at retailers and processors that were in compliance with the Payment Card Industry data security standard demonstrate the need for stronger and simpler security measures.

One concept that has been frequently mentioned this year is end-to-end encryption, which would scramble transaction data as it moves across public or private networks, making it impossible for anyone to read it without the decryption key.

Visa Inc. pointed out the merits of this idea at its Security Summit conference in March, when its chief enterprise risk officer, Ellen Richey, said the San Francisco payments company recognizes "the value of security measures that are not currently part of the PCI DSS — specifically chip technology and encryption. And we are working on an approach that would allow merchants to satisfy some of our compliance requirements through the application of chip or encryption tools."

It would be hard to find a security professional who would argue against the merits of end-to-end encryption. But the devil is in the details, and the details have yet to be worked out in a way that would satisfy retailers, processors, card brands, issuers and acquiring banks.

But in the meantime, at least three payment processors — RBS WorldPay, Electronic Payment Exchange and Heartland Payment Systems Inc. — have introduced or tested end-to-end encryption services in the past few months.

Why Encryption?
In the first few years after the PCI standards were introduced, the card brands had a laser focus on preventing merchants and processors from storing sensitive card-authentication data — the full magnetic-stripe card data. This is the primary data targeted by criminals because they can use it to make counterfeit payment cards.

Card issuers typically lose money on the first transactions conducted with counterfeit cards, since their fraud-detection systems are not tuned tightly enough to catch the fraud early on, mainly because they don't want to inconvenience legitimate cardholders. Card issuers also lose money from servicing customers whose accounts have been compromised, which often requires them to close compromised accounts and issue new cards.

As a result of substantial card issuer losses from data breaches, Visa and other enforcers of the PCI standards spent most of their time driving sensitive authentication data out of storage. They methodically went after every company that was storing such information and ensured that these fields were eliminated from the storage systems, especially since there was no business case that supported retaining it.

But if you close one door to criminals, they will soon find another door to go through, and that's what happened with cardholder data; hackers could no longer find plentiful cardholder data in storage, and were forced instead to capture the data in transit from the point of acceptance to the payment processor.

That's what the data thieves have been doing for the past 18 months, after they figured out how to plant Trojans inside corporate systems that could intercept full-track card data in transit to processors and siphon it off to criminal servers.

This type of attack was successfully used against Heartland Payment Systems, the Hannaford supermarket chain and several other retailers and processors.

These incidents have pushed the concept of end-to-end encryption to the center of the security debate.

With end-to-end encryption, sensitive card data is encrypted at the moment it enters the payment system, typically at the point-of-sale card reader, and is not decrypted until it reaches the issuer. In fact, this is exactly how PIN encryption takes place today: the PIN is encrypted at the merchant's PIN pad or at the automated teller machine, and remains encrypted until it reaches the card issuer.

Of course, several points of vulnerability have emerged in recent years enabling criminals to steal PINs along with the card data. But PIN theft is a rare exception and end-to-end encryption of PINs is generally working very well at protecting PINs from prying and unauthorized eyes.

The same should be true of end-to-end encryption of full card data — if the data is encrypted then it should be safe from intruders. Even if they get their hands on it, they won't be able to read it without the decryption key, which presumably will be safeguarded at the card issuer's site.

Where Does It End?
If end-to-end encryption is to be implemented effectively, the first end must be the card acceptance point, and the second end must be the card issuer, and not an intermediary such as a payment processor.

However, neither card issuers nor payments networks have endorsed any specific end-to-end encryption methodologies or technologies, leaving the market confused, for now.

This is especially true now that at least three processors are offering their retailer and card-accepting customers their own versions of end-to-end encryption services. But these services should technically be labeled "end-to-middle" encryption services, since the payment processor sits in the middle of the payment stream.

The encryption methods and technologies the individual payment processors use might interoperate, but more likely they will not. This means that a merchant who signs up for one of these services will find it harder to switch to another payment processor, because doing so could require, for example, upgrading or replacing card readers, point-of-sale applications and other legacy systems so that they work with the new processor's encryption protocol and technologies.
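To make the "end-to-middle" distinction concrete, here is an added simulation (not code from this article or from any of the processors it names) of where card data can be read along the payment chain: the reader encrypts the track data once under a key it shares only with the chosen endpoint, and every hop then tries to decrypt it. It assumes a key injected into the reader and held at the endpoint, a constructed three-hop chain (processor, network, issuer), and a constructed HMAC-based toy cipher standing in for a real authenticated cipher.

```python
import hmac
import hashlib
import secrets

# Constructed example: a toy authenticated stream cipher built from HMAC-SHA256.
# A real deployment would use a vetted authenticated cipher such as AES-GCM.
def _keystream(key, nonce, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce + ciphertext
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed chain of parties between the card reader and the issuer.
HOPS = ["processor", "network", "issuer"]

def simulate(track_data, endpoint):
    """Encrypt card data once at the reader under a key shared only with
    `endpoint`, then let every hop try to read it. Returns {hop: can_read}."""
    keys = {hop: secrets.token_bytes(32) for hop in HOPS}  # each hop's own key material
    blob = encrypt(keys[endpoint], track_data)             # reader shares a key only with endpoint
    exposure = {}
    for hop in HOPS:
        try:
            exposure[hop] = decrypt(keys[hop], blob) == track_data
        except ValueError:
            exposure[hop] = False  # wrong key: the hop sees only ciphertext
    return exposure

if __name__ == "__main__":
    sample = b"constructed-track-data:4111111111111111=1212"  # constructed, not a real card
    print("end-to-middle (processor holds key):", simulate(sample, "processor"))
    print("end-to-end    (issuer holds key):   ", simulate(sample, "issuer"))
```

With the processor as endpoint, the processor recovers the full track data in the clear, which is exactly the position the Trojan-based breaches described earlier exploited; with the issuer as endpoint, neither the processor nor the network can read it.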

What Must Happen?
Before end-to-end encryption can be a fully effective and sound proposition for card acceptors, something that will prompt them to spend money upgrading their systems, several issues must be resolved.

First, the card networks, issuers, merchant acquirers, and processors will need to establish interoperable encryption standards; the industry has already begun working on these standards in the ANSI X9-F6 working group committee.

They must also ensure that merchants and card acceptors stay out of the key-management business and that the keys are kept away from the card acceptors.

Payments companies will also need to change some business processes, so that merchants are not required to hold on to card data for business purposes, such as resolving chargebacks, or preauthorization and presettlement processes.

Merchants will need incentives to upgrade their point-of-sale systems to support end-to-end encryption. These incentives could include lower fees or a safe harbor in the event of a data breach.

Finally, the PCI standards must be updated to recognize end-to-end encryption as a compensating control for many other PCI requirements.

End-to-end encryption is a key technology that could help protect payment card data from criminals.

But implementing it successfully would require the cooperation and endorsement of all the key parties — merchants, processors, issuers, card networks and acquirers. It also would require a lot of hard work among all these parties to make it happen and to ensure that it does not degrade the performance of the payment networks.

For now, these initiatives are being driven mainly by the processors, which means the programs could hit a dead end unless the card networks and issuers agree to participate in a true end-to-end encryption process.

Payments technology demands interoperability across all parties handling card data, and the industry must establish standards to make this interoperability a reality.

Otherwise, the market could spend years implementing a half-baked solution (card acceptor to payment processor) that does not effectively accomplish its goal of increasing security across and throughout the payment chain.

There is also a real risk that the card networks and issuers could introduce and endorse a different security approach, such as dynamic cardholder authentication, which would lessen the need for end-to-end encryption and possibly render it more costly than beneficial.

Avivah Litan is a distinguished analyst and vice president at Gartner Inc.
