Fifth Third Processing Solutions is joining the encryption and tokenization fray, offering broad new personal data protections in a marketplace that's getting long on solutions while remaining short on standards and interoperability.
"As we look at the breach threat landscape, we believe that the end-to-end encryption and tokenization mitigates that threat entirely," says Bob Bartlett, CIO of Fifth Third Processing, which has developed a product that uses Voltage Security's technology to provide a single platform for both end-to-end encryption and tokenization, a combination it's recommending for its clients.
Fifth Third Processing, one of the five largest merchant acquirers in the U.S. with more than $315.5 billion in card sales volume annually, hopes the product will help remove sensitive card data from a payments process that starts at authorization systems and continues through to back office applications, all while lightening the security management burden for merchants.
But even given the well-publicized security threats, Fifth Third Processing potentially faces a tough merchant market. Avivah Litan, a VP and distinguished analyst at Gartner, says there's more current interest among merchants in tokenization, and less of an appetite for various kinds of end-to-end encryption solutions because of the IT upgrades involved for merchants, plus the lack of standards for encryption. (The National Institute of Standards is working on standards for formatted encryption and the American National Standards Institute is considering best practices encryption guidelines for personal information, with possible guidance out in the fall.)
Fifth Third Processing hopes to win over wary merchants by leveraging Voltage's own key management structure and format-preserving encryption to reduce development responsibility for merchants while removing sensitive personal data as a transaction moves through processing.
Beyond the challenge of winning merchants, the firm also has lots of company. Its new development comes as Heartland Payment Systems begins selling its new Voltage-developed end-to-end encryption system, E3, following almost a year of tests. Other efforts include VeriFone Holding's VeriShield Protect, a format-preserving technology that's installed into a payment terminal along with a decryption device that's installed at the host processor or merchant. And First Data and RSA have teamed to develop a system that uses RSA's SafeProxy tokenization technology to obtain credit card data from merchant systems and adds end-to-end encryption from the POS system to the processor while replacing the credit card data with RSA tokens.
Despite the activity of standards boards, most of these solutions can't work together. "The processors don't want there to be interoperability, there's no incentive. If there's interoperability, a merchant can move off my platform and onto your platform. And the big acquiring banks [which Forrester says are more inclined to adopt end-to-end encryption] will want their own platform that isn't interoperable with their competitors," says John Kindervag, a senior analyst at Forrester Research.
There's also the matter of the business case. Brian Riley, a research director for bank cards at TowerGroup, says the average card payment fraud losses are about seven basis points yearly in the U.S., a performance generally better than in other countries, and processors will have to prove a substantial improvement to justify the deployment. The new platforms "will have to prove they're worth it. If you could get down to four basis points of losses, then converting to end-to-end might make a lot of sense."