Processors and payment hardware vendors are promoting the concept of end-to-end encryption, but there is no clear, agreed definition of what the term covers.
The point of sale terminal vendor VeriFone Holdings Inc. is offering the technology and Heartland Payment Systems Inc. is testing it now. The basic idea is to protect payment card data starting from the moment a card is swiped, but one key issue that remains unclear is where the information is decrypted.
The Payment Card Industry Security Standards Council, which administers the PCI Data Security Standard, is trying to settle the matter by coming up with a definition for end-to-end encryption, according to Troy Leach, the council's technical director.
The council has hired PricewaterhouseCoopers LLP to study the subject. PricewaterhouseCoopers is about halfway through the research and is expected to complete the project in early September.
So far, the one recurring theme in the research is that there are "slightly different interpretations of both the definition of what end-to-end encryption really should be as well as what it can accomplish," Leach said.
"We're drawing a line in the sand and saying this is how we are going to define end-to-end encryption, at least for this project."
The card networks say that end-to-end means card data is encrypted from the time a card is swiped until it is delivered to the networks or card issuers.
Heartland, of Princeton, N.J., has said it is following this definition.
However, three of the four major card networks — MasterCard Inc., American Express Co. and Discover Financial Services — do not yet accept encrypted data, so the information must be decrypted before they can process a transaction. Visa introduced an encryption application last year.
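The practical difference between the two definitions above is which party holds the key that reverses the terminal's encryption, because that party (and every hop after it) handles the account number in cleartext. The script below is an added illustration of that point; it is not VeriFone's VeriShield Protect, Heartland's code, or any card network's specification. It models one swipe under each definition and records which parties see the cleartext PAN. The "processor" case is what the article says is deployable today, since three of the four networks cannot yet accept encrypted data; the "network" case is the networks' own definition. The party names, the constructed test PAN, the key handling and the cipher are all assumptions: the cipher is a standard-library-only HMAC-SHA256 keystream with encrypt-then-MAC, standing in for whatever the terminal really uses.

```python
"""Toy model of where card data is decrypted in an "end-to-end" deployment.

Constructed example, not any vendor's scheme. The cipher is a PRF-based
stream cipher (HMAC-SHA256 keystream, encrypt-then-MAC) chosen only so the
script runs with the standard library; a real terminal would use an
approved block cipher and per-device key management.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32  # SHA-256 output


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one shared key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) per 32-byte block."""
    blocks = [
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag with the holder's key, then decrypt. Raises ValueError
    if the key is wrong or the blob was modified, so a party without the
    terminal's key cannot silently read the PAN."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_transaction(decrypt_at: str, pan: bytes) -> frozenset:
    """Simulate one swipe. decrypt_at is "processor" (the deployable model in
    the article) or "network" (the card networks' definition). The terminal's
    key is shared only with that party. Returns the set of parties that
    handled the PAN in cleartext; the terminal always does, it reads the stripe."""
    if decrypt_at not in ("processor", "network"):
        raise ValueError("decrypt_at must be 'processor' or 'network'")
    key = secrets.token_bytes(32)  # assumption: injected into the terminal at key load
    key_ring = {"terminal": key, decrypt_at: key}
    seen = {"terminal"}
    payload, is_cleartext = encrypt(key, pan), False
    for party in ("processor", "network"):  # the path the article describes
        if not is_cleartext and party in key_ring:
            payload, is_cleartext = decrypt(key_ring[party], payload), True
        if is_cleartext:  # everything after the decryption point sees the PAN
            seen.add(party)
    if not is_cleartext or payload != pan:
        raise RuntimeError("transaction never reached a key holder intact")
    return frozenset(seen)


def wrong_key_is_rejected() -> bool:
    """A party that does not hold the terminal's key (e.g. a pass-through
    processor under the network model) cannot recover the PAN."""
    blob = encrypt(secrets.token_bytes(32), b"4111111111111111")  # constructed test PAN
    try:
        decrypt(secrets.token_bytes(32), blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pan = b"4111111111111111"  # constructed test PAN, not a real account
    for model in ("processor", "network"):
        print(f"decrypt at {model:9}: cleartext seen by {sorted(run_transaction(model, pan))}")
    print("processor without the key can read PAN:", not wrong_key_is_rejected())
```

Running it shows the processor appearing in the cleartext set only under the first model, which is exactly the exposure the networks' definition is meant to remove, and why the question of where decryption happens matters more to a merchant than the phrase "end-to-end" itself.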
VeriFone's VeriShield Protect system encrypts data at the point of sale and delivers it to the transaction processor or merchant acquirer.
RBS WorldPay, Royal Bank of Scotland Group's Atlanta processing unit, said this week that it would offer VeriShield Protect to its merchant clients.
Leach said the council is unlikely to make a concrete decision about end-to-end encryption anytime soon.
"It's a security that has merit," he said. "But before it can become a requirement or standard, it needs to have maturity and market adoption to demonstrate that it has longevity."
VeriFone, of San Jose, said that will eventually happen.
"Retailers and merchants are all on board in what they are thinking about for compliance," said Jeff Wakefield, VeriFone's vice president of marketing. The industry "needs to find a way to keep it that way."
End-to-end encryption is a method for merchants to "process and secure credit and debit card transactions without [the merchants] needing to think about it."
Avivah Litan, a vice president and research director at Gartner Inc., agrees with the card networks' definition of end-to-end encryption. But since "the processors can't get the banks on board, they are doing the best they can."
Litan said the industry needs a single definition, to protect merchants that want to switch processors.
"Since there is no standard for doing this, it can lock a merchant into a processor, and I'm not sure they want to get locked in."
Regardless of how end-to-end encryption is defined, helping merchants protect cardholder data is the priority, Wakefield said.
"One of the things that we look at is how we can protect the retailer," he said. Payment card companies, merchant acquirers and transaction processors are "in the payments business and should be in the card security business. They should be better qualified than a merchant to protect data."
Corrected September 8, 2009 at 10:12AM: An earlier version of this story was mistaken in saying that Visa Inc. cannot accept encrypted transaction data. Visa introduced an encryption application last year.