This article appears in the Aug. 27, 2009, edition of ISO&Agent Weekly.
As card-security breaches continue to hamper the payments industry, the parties involved in the transaction process are combating data theft by developing technology, which has created a new buzz term in the marketplace: "end-to-end encryption."
Transaction processor Heartland Payment Systems Inc. and point-of-sale terminal vendor VeriFone Holdings Inc., for example, each recently introduced what they deem to be "end-to-end encryption" systems designed to protect cardholder data the moment a card is swiped at a POS terminal.
But where that encrypted data ultimately lands is at the heart of the debate of what the term really means.
The Payment Card Industry Security Standards Council has recognized the debate and is doing its part to set a standard definition, according to Troy Leach, technical director for the council. The council has hired Chicago-based PricewaterhouseCoopers LLP to do "global exploratory research" on several topics, including emerging technology that claims to support "end-to-end encryption."
PricewaterhouseCoopers is about halfway through the research, and Leach expects it to complete the project in early September. The council would make the results public later that month. At the moment, the one recurring theme in the research is that there are "slightly different interpretations of both the definition of what 'end-to-end encryption' really should be as well as what it can accomplish," according to Leach.
"We're drawing a line in the sand and saying, 'This is how we are going to define end-to-end encryption,' at least for this project," he adds.
The card networks define the term as data encrypted from the moment a card is swiped until it is delivered to the networks or to card issuers. Princeton, N.J.-based Heartland intends to follow this definition.
However, the networks—Visa Inc., MasterCard Worldwide, American Express Co. and Discover Financial Services—do not yet accept encrypted data from Heartland, so it must decrypt the data to complete the transactions. Visa says it introduced an encryption application last year for its VisaNet switch that encrypts authorization and settlement data from merchant acquirers.
Definition Takes Time
VeriFone's VeriShield Protect system encrypts data at the point of sale and delivers it to the transaction processor or merchant acquirer. Jeff Wakefield, VeriFone vice president of marketing, says the networks' definition is "a much bigger challenge and probably requires an industry-compatible format and standard."
VeriShield uses "format preserving encryption." Data such as card numbers are encrypted, but the ciphertext keeps the length and digit format of a card number, so it still appears as card data to would-be hackers and to the systems that handle it.
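The following is an added illustration of the format-preserving idea and is not VeriShield's algorithm or any code from the article. It assumes a textbook construction: a Feistel network over decimal digits with HMAC-SHA256 as the round function, the 6-digit BIN and the last 4 digits left in the clear and used as a tweak, and the 6 digits in between encrypted. The key and the 16-digit test number are constructed sample values.

```python
import hashlib
import hmac

ROUNDS = 10
HALF_DIGITS = 3                 # each Feistel half holds 3 decimal digits (0..999)
MODULUS = 10 ** HALF_DIGITS


def _round_function(key: bytes, tweak: bytes, round_no: int, value: int) -> int:
    """Pseudorandom function for one Feistel round: HMAC-SHA256 over the
    round number, the tweak and one 3-digit half, reduced to 0..999."""
    msg = round_no.to_bytes(1, "big") + tweak + value.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MODULUS


def _feistel(key: bytes, tweak: bytes, digits: str, encrypt: bool) -> str:
    """Encrypt or decrypt a 6-digit string into another 6-digit string.
    Only the digit alphabet and length are preserved, nothing else."""
    if len(digits) != 2 * HALF_DIGITS or not digits.isdigit():
        raise ValueError("expected %d decimal digits" % (2 * HALF_DIGITS))
    left, right = int(digits[:HALF_DIGITS]), int(digits[HALF_DIGITS:])
    order = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for r in order:
        if encrypt:
            # (L, R) -> (R, L + F(R))  with digit-wise modular addition
            left, right = right, (left + _round_function(key, tweak, r, right)) % MODULUS
        else:
            # inverse step: (L', R') -> (R' - F(L'), L')
            left, right = (right - _round_function(key, tweak, r, left)) % MODULUS, left
    return f"{left:0{HALF_DIGITS}d}{right:0{HALF_DIGITS}d}"


def _split_pan(pan: str):
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return pan[:6], pan[6:12], pan[12:]


def encrypt_pan(key: bytes, pan: str) -> str:
    """Return a 16-digit token: BIN and last 4 digits unchanged, middle 6
    encrypted. The BIN and last 4 act as a tweak so the same middle digits
    encrypt differently under different surrounding digits."""
    bin_, middle, last4 = _split_pan(pan)
    tweak = (bin_ + last4).encode()
    return bin_ + _feistel(key, tweak, middle, encrypt=True) + last4


def decrypt_pan(key: bytes, token: str) -> str:
    """Recover the original PAN from a token produced by encrypt_pan."""
    bin_, middle, last4 = _split_pan(token)
    tweak = (bin_ + last4).encode()
    return bin_ + _feistel(key, tweak, middle, encrypt=False) + last4


if __name__ == "__main__":
    # Constructed demo key and a constructed test number (not a real card).
    demo_key = b"constructed-demo-key-not-for-production"
    sample_pan = "4111111111111111"
    token = encrypt_pan(demo_key, sample_pan)
    print("plaintext:", sample_pan)
    print("token:    ", token)
    print("recovered:", decrypt_pan(demo_key, token))
```

The point for a defender is that the token has the same length and digit alphabet as the original, so POS software, databases and legacy interfaces built around 16-digit fields keep working, while the sensitive middle digits are unreadable without the key held at the processor. Nothing about the token's appearance guarantees it is a valid card number (the check digit is not preserved here), and a real deployment would use a standardized scheme with key management rather than this teaching construction.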
RBS WorldPay, an Atlanta-based payment processor, two weeks ago announced it would work with VeriFone to sell VeriShield Protect to RBS WorldPay's merchant clients. Heartland is still testing its system.
Leach warns not to expect the council to make a concrete decision on a definition for end-to-end encryption any time soon. Though nothing in the core compliance requirements prevents the use of any technology that claims complete encryption, "due diligence is needed to evaluate whether it has [long-term use] and the capabilities that are being promised."
It is a security that has merit, Leach says. "But before it can become a requirement or standard, it needs to have maturity and market adoption to demonstrate that it has longevity," he says.
San Jose, Calif.-based VeriFone believes that will happen.
"Retailers and merchants are all on board in what they are thinking about for compliance," Wakefield says.
The industry "needs to find a way to keep it that way," he says. Complete encryption is a method for merchants to "process and secure credit and debit card transactions without [the merchants] needing to think about it," Wakefield says.
The PCI council believes the PricewaterhouseCoopers report will help the industry determine how encryption will help merchants meet certain security requirements, Leach says. "It may remove the adherence to certain requirements because you are already meeting them through the use of a certain technology," he says.
Though the standards of compliance do not endorse one technology over another, from the council's perspective "we're very interested in a way we can accomplish two things at the same time, which is to reduce the risk for merchants and at the same time secure cardholder data for the consumer and everyone within the payment transaction life cycle," Leach says.
Avivah Litan, vice president at the Stamford, Conn.-based market research firm Gartner Inc., agrees with the card networks' definition of "end-to-end" encryption. But since "the processors can't get the banks on board, they are doing the best they can in that sense," she says.
Litan believes a standard is necessary to help protect the merchant if it decides to switch processors. "Since there is no standard for doing this, it can lock a merchant into a processor, and I'm not sure they want to get locked in," she says.
Regardless of encryption's lasting definition, helping merchants protect cardholder data is a priority, VeriFone's Wakefield says.
"One of the things that we look at is how we can protect the retailer," Wakefield says.
Payment card companies, merchant acquirers and transaction processors are "in the payments business and should be in the card-security business. They should be better qualified than a merchant to protect data," Wakefield says.
Will Hernandez is associate editor of ATM&Debit News.