IMGCAP(1)]
Encryption of cardholder data from the point-of-sale terminal to the authorization network of the processor could benefit merchants by reducing the scope and cost of their compliance with the Payment Card Industry Data Security Standard, according to a recent report from Mercator Advisory Group, a Maynard, Mass.-based consulting firm. With encryption from the point of sale to the processor, merchants do not store or transmit unencrypted cardholder data over their networks or systems, according to the report "End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance." By completely encrypting cardholder data, a merchant already has addressed certain PCI requirements, including protecting cardholder data (Requirement 3), encrypting cardholder data across public networks (Requirement 4) and restricting physical access to data (Requirement 7), states the report. The challenge for proponents of complete encryption, such as processor Heartland Payment Systems Inc., will be to convince merchants to purchase updated terminals that encrypt cardholder data when the consumer swipes a payment card. Report author George Peabody, a Mercator principal analyst, estimates POS terminal-replacement costs across all merchant tiers in the United States at $4.8 billion. Princeton, N.J.-based Heartland this week completed the first test of a complete encryption system designed to protect the cardholder data it handles from hackers (CardLine, 7/1).
