The Green Sheet Online Edition

July 26, 2010  •  Issue 10:07:02


The allure of end-to-end encryption

By Scott Henry

"Scope reduction" should be a magical phrase to merchants, acquirers and ISOs because it refers to reducing the applicability of Payment Card Industry (PCI) Data Security Standard (DSS) controls. PCI compliance is no small matter, nor is it inexpensive. The larger an organization, the more costly the compliance effort, but smaller organizations may have to devote comparatively larger proportions of their resources to it than more sophisticated outfits.

So, large or small, compliance is a burden that many organizations want to reduce. Any step to limit the scope of that compliance is welcome. That's why end-to-end encryption (E2EE) is now one of the most talked-about concepts in the payments industry. And consensus is growing that E2EE is a vital step not only in containing the costs of compliance, but also in making card data much more secure.

An initial goal of the Secure POS Vendor Alliance was "to create an industry encryption framework ... to adequately secure cardholder information before it enters the application environment."

In 2009, Visa Inc. published industry best practices for E2EE. Even the PCI Security Standards Council (PCI SSC) is developing guidance on how E2EE (which it prefers to term "point-to-point encryption") will satisfy certain PCI requirements.

What's the buzz?

Retailer environments are too complex to completely and constantly lock down against all intruders. Encrypting cardholder data from end to end may be the only way to meet current security requirements.

The potential liability associated with cardholder data breaches is daunting. The per-record cost estimates for a security breach range from around $100 to several hundred dollars, so a breach could easily result in costs in the millions of dollars. Unfortunately, the number of attempted and successful data breaches is increasing, even among retailers that meet PCI DSS compliance requirements and audits.

End-to-end encryption entails encrypting cardholder information on acceptance inside a secure, trusted device and keeping it encrypted throughout an organization, ideally all the way to the acquirer or processor.

Retailers aren't in the business of security or payment technology; they must focus on understanding customer needs and delivering the right goods at the right time and place. PCI requirements were on a two-year update cycle, so by the time a retailer got up to speed, it was time to learn the next set of requirements. The PCI SSC recently extended the cycle to three years, but even so, merchants need significant guidance from ISOs and merchant level salespeople to understand the compliance process.

Technology soup

A variety of encryption techniques have been proposed for the retail industry. All offer strengths but also have limitations that make them less than complete:

Putting E2EE to the test

VeriFone favors a total systems solution approach that encompasses the following:

An independent assessor, Coalfire Systems Inc., recently completed a review of this approach and came to some compelling conclusions regarding E2EE: "As most of the DSS controls are designed to manage risk to card data from specific threat scenarios, it is therefore possible to reduce their applicability by securing the card data in the merchant environment, so that the threat scenarios are no longer a viable risk.

"By strongly encrypting card data at the point of capture in a secure and restricted device, where no ability to decrypt the card data exists, you can effectively 'isolate' the majority of the merchant's environment from scope. If specific deployment scenarios are adhered to, the merchant environment can be treated as an untrusted environment similar to a public network when using strong transmission encryption."

Coalfire stressed that PCI compliance scope reduction cannot remove the need for PCI compliance and does not eliminate merchants' responsibility to validate compliance to their acquirers, but Coalfire noted that scope reduction has big benefits: "PCI compliance scope reduction's biggest payoff for merchants is the opportunity to eliminate the cost of PCI control deployment for the sole purpose of meeting compliance obligations. The second major benefit is the reduction of cost and effort to validate PCI compliance of the merchant environment."
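To make the trust boundary described above concrete (encrypt at capture inside a device the merchant cannot open, relay opaque data through the store, decrypt only at the acquirer), here is an added example in Go. It is not code from this article, from VeriFone or from Coalfire. It assumes a single AES-256-GCM key shared between the reader and the acquirer, standing in for the per-transaction key derivation and key injection that production readers use; the type and function names (Terminal, Acquirer, Capture, MerchantForward, ExposesPAN, Decrypt) and the test card number 4111111111111111 are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// EncryptedCapture is all that leaves the secure reader. The merchant's POS,
// store network and back office only ever handle this record.
type EncryptedCapture struct {
	Nonce      []byte // fresh random 96-bit GCM nonce per capture
	Ciphertext []byte // AES-GCM output: encrypted PAN followed by the 16-byte tag
	MaskedPAN  string // last four digits only, for receipts and customer service
	TerminalID string // sent in the clear but bound into the GCM tag
}

// Terminal models the secure, tamper-responsive card reader. It holds the
// data-encryption key; the merchant's own systems never do. Assumption: one
// shared AES-256 key stands in for per-transaction key derivation.
type Terminal struct {
	id   string
	aead cipher.AEAD
}

// Acquirer models the processor-side key store holding the matching key.
type Acquirer struct {
	aead cipher.AEAD
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewTerminal(id string, key []byte) (*Terminal, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Terminal{id: id, aead: aead}, nil
}

func NewAcquirer(key []byte) (*Acquirer, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Acquirer{aead: aead}, nil
}

// MaskPAN keeps only the last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Capture encrypts the PAN at the moment of acceptance, inside the reader.
func (t *Terminal) Capture(pan string) (EncryptedCapture, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCapture{}, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan), []byte(t.id))
	return EncryptedCapture{Nonce: nonce, Ciphertext: ct, MaskedPAN: MaskPAN(pan), TerminalID: t.id}, nil
}

// MerchantForward is the merchant environment's entire role: relay the record.
// It has no key, so it can neither read the PAN nor alter it unnoticed.
func MerchantForward(c EncryptedCapture) EncryptedCapture { return c }

// ExposesPAN reports whether the raw PAN appears in anything the merchant
// handles, i.e. whether those systems would be back in PCI scope.
func ExposesPAN(c EncryptedCapture, pan string) bool {
	return bytes.Contains(c.Ciphertext, []byte(pan)) || c.MaskedPAN == pan
}

// Decrypt runs at the acquirer. A changed nonce, ciphertext or terminal ID
// fails the GCM tag check, so the merchant path is treated like a public network.
func (a *Acquirer) Decrypt(c EncryptedCapture) (string, error) {
	pt, err := a.aead.Open(nil, c.Nonce, c.Ciphertext, []byte(c.TerminalID))
	if err != nil {
		return "", errors.New("capture rejected: authentication failed")
	}
	return string(pt), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	term, _ := NewTerminal("TERM-0001", key)
	acq, _ := NewAcquirer(key)
	capt, _ := term.Capture("4111111111111111") // constructed test PAN
	fmt.Println("merchant sees:", capt.MaskedPAN, "PAN exposed:", ExposesPAN(capt, "4111111111111111"))
	pan, err := acq.Decrypt(MerchantForward(capt))
	fmt.Println("acquirer recovers:", pan, err)
}
```

The only readable field in the merchant path is the masked PAN. Because GCM authenticates the terminal ID together with the ciphertext, a capture that is modified anywhere in the store network is rejected by the acquirer rather than decrypted, which is the property that lets the merchant environment be treated as untrusted. Key management (injection, rotation, per-transaction derivation, and where decryption is permitted) is what separates real vendor implementations, and it is outside this example.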

No doubt you'll be hearing more and more about E2EE. It's important to know how different vendors and service providers implement this technology.

Scott Henry is Director, North America Product Marketing, for VeriFone Inc. He can be reached at scott_henry@verifone.com.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

