End-to-End Encryption: Securing Cardholder Data

Despite the best efforts of the card industry, data breaches continue to affect retailers and processors that are compliant with the Payment Card Industry Data Security Standard. But many believe end-to-end encryption (E2EE) could hold the key to protecting sensitive cardholder data. Freelance journalist Linda Punch investigates.

With currently available end-to-end encryption approaches, data is encrypted from the merchant’s point of sale until it reaches the processor or acquiring bank. The processor then decrypts the information and sends it via secure lines to the card networks.

Under most solutions, with the exception of the first six digits (the issuer identification numbers) or the last four digits of the primary account number, cardholder data is never in clear text form on any merchant systems outside the secure encrypting terminal. Thus, even if a cybercriminal steals the data from a merchant’s network environment, he will be unable to use or sell it.
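The article's point is that the only card data a merchant system should ever hold in the clear is the issuer identification number (first six digits) and the last four digits of the PAN. A defender can test that claim against their own logs. The following is an added example, not code from the article or from any vendor named in it: it masks a PAN the way the article describes, validates candidates with the Luhn check so that order numbers and other long digit strings are not flagged, and scans a set of constructed log lines for any full PAN that slipped through. The log lines, system names and the test card number are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Candidate PANs are 13 to 19 digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (IIN) and last four digits in the clear, mask the rest.

    This matches the allowance the article describes for merchant systems.
    """
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN-shaped digit string")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pan_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines for full PANs in clear text.

    Returns (1-based line number, masked PAN) for every Luhn-valid candidate,
    so the finding itself does not re-expose the card number.
    """
    leaks = []
    for lineno, line in enumerate(lines, start=1):
        for match in PAN_RE.finditer(line):
            candidate = match.group(0)
            if luhn_ok(candidate):
                leaks.append((lineno, mask_pan(candidate)))
    return leaks


# Constructed sample log: a correctly masked entry, a debug line that leaks a
# full test PAN (4111111111111111 is a widely used test number, not a real card),
# and a 16-digit order id that is not Luhn-valid and must not be flagged.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 POS-07 auth ok pan=411111******1111 amt=19.99",
    "2024-01-05 10:02:12 POS-07 debug card=4111111111111111 exp=1226",
    "2024-01-05 10:02:13 POS-07 order=1234567890123456 status=settled",
]


if __name__ == "__main__":
    for lineno, masked in find_pan_leaks(SAMPLE_LOG):
        print(f"line {lineno}: clear-text PAN found, masked form {masked}")
```

Running the scan over the constructed log reports only the debug line; the masked entry has no 13-digit run to match, and the order id fails the Luhn check. Pointing the scanner at real POS, web-server and application logs is a cheap way to verify that an E2EE deployment is actually keeping full PANs out of the merchant environment.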

For merchants using a proper E2EE solution, the scope of PCI compliance could be reduced by 75% and annual compliance maintenance costs by 80%, according to a 2009 Mercator Advisory Group report. That’s because much of the compliance burden shifts from the merchant to the E2EE technology provider.

There are good signs that end-to-end encryption is here to stay. The industry is taking steps to establish interoperable encryption standards through the American National Standards Institute’s (ANSI’s) X9.F6 working group committee. And it is believed that the next version of the PCI DSS, scheduled for release in October, could address E2EE. The PCI Security Standards Council will release its recommendations in the spring, while a PricewaterhouseCoopers report on E2EE and two other security technologies, Chip-and-PIN and tokenization, was released in 2009.

“While many believe implementing E2EE is a challenge, there are many leading retailers who are already seeking the benefits”, says Travis Lee, TNS’ Product Marketing Director, Americas.

“TNS is helping here by offering solutions inside of our TNS Secure Payments Network that can offer the flexibility to reach multiple processors, making it possible for merchants to transport E2EE data to one or multiple processing partners.

“We also provide processors with an alternative to deploying decryption solutions inside of their host processing environments, allowing them to meet their merchants’ needs without having to start a costly project internally to install the required infrastructure.”

George Peabody, principal advisor for Mercator, comments, “For E2EE to be adopted system-wide, the card brands must mandate it for all merchants or give them an interchange incentive to adopt it. The card networks have made few comments on E2EE, although a Visa information security specialist last year said that while end-to-end encryption is a very valuable tool, it is not a silver bullet.”

Meanwhile, interest in E2EE continues to grow as merchants and the industry look for ways to protect confidential information from cybercriminals worldwide. By reducing merchants’ compliance costs, removing cardholder data from their payment environments, and strengthening brand protection and consumer confidence, these benefits will inevitably drive the future adoption of end-to-end encryption.


This content is for the overlay and will not appear on the page