Heartland Payment System's CEO Bob Carr has become the payment industry's most vocal security evangelist, on the speakers' circuit predicting that 2010 will be the year that the payments chain becomes significantly more secure. "I believe the world is going to be changed in the next year with deployed technology," Carr says. "We're going to see the security of the payments industry become markedly better in the next few years."
Carr may eventually deserve the credit as catalyst for this change, but lots of players have jumped on the bandwagon. To start, two of the major card brands have created technical specifications that will allow Heartland, and presumably other payments processors, to deliver encrypted transactions to the card brand's systems. The inability of the brands to accept encrypted data was the last mile in most end-to-end encryption schemes. And this is where the peer pressure theory comes in: when the first two brands (one widely believed to be Visa) go public with their ability to accept encrypted data, the others will be compelled to follow. Similarly, Heartland's vocal pitching of its E3 encryption product is undoubtedly putting pressure on its competitors. Rival First Data has already stepped up, announcing a partnership with RSA to combine encryption with tokenization; smaller players like Element, EPX, and a variety of POS and encryption vendors have offerings.
The second drumbeat in favor of increased security is coming from the PCI Council. Over the summer the group contracted PricewaterhouseCoopers to study which technologies are being effectively used to improve security; the final report wasn't ready as of late October, but at the Council's September community meeting encryption and tokenization were held aloft as two that hold promise. The Council will evaluate this report in preparation for the planned October 2010 release of updated PCI DSS and PA DSS standards. And though they're evaluating specific technologies, the Council likely won't move to a prescriptive model. "We try to remain as tech agnostic within the standard to allow for technology evolution as well as changes in the fraud ecosystem," says Troy Leach, CTO of the Council.
Also working on the issue is the ANSI X9F6 working group, with Visa chairing the committee working to establish industry encryption standards.
But there are still public relations battles. Carr mentions with disdain vendors that want to charge merchants additional fees for the encryption services; First Data says it thinks the encryption technology should command a higher price point. And Visa touted in its recently issued "Global Industry Best Practices for Data Field Encryption" document that it already accepts encrypted data from some acquirers, third-party processors and merchants, neglecting to mention that few parties are able to take advantage of this capability because of the proprietary nature of the tech specifications. There is one tasty bit of irony in this, highlighted by Carr's vocal stance on the industry's responsibility to raise its own standards in protecting the payments chain from the point of sale all the way through the acquiring bank and the card brand: Heartland's breach was caused by malware placed on its internal network, so all the POS and merchant security in the world wouldn't have prevented its data breach.