The Green Sheet Online Edition
February 09, 2015 • Issue 15:02:01
Encryption - the secure payment adoption challenge
Derived from the Greek words kryptos (hidden) and graphein (writing), cryptography in its earliest form relied upon complex pictograms to communicate messages to literate onlookers. Over the millennia cryptography has evolved from ancient Egyptian hieroglyphs and Spartan military ciphers to the algorithms that digitally encrypt data today.
A consistent trigger for advancement in this field has been the protection of state and military secrets. During his reign from 46 B.C. to 44 B.C., Julius Caesar employed a substitution cipher that replaced characters in the Roman alphabet in messages delivered to government officials. Leading up to World War II, Germany devised a series of cipher machines, collectively referred to as the Enigma, that allied forces were eventually able to decrypt.
More recently in the United States, the National Bureau of Standards, which later became the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce Technology Administration, selected the Data Encryption Standard (DES) as the official Federal Information Processing Standard in 1977. The timing of DES coincided with the advent of personal computers as IBM, Apple, Commodore and Atari entered the field.
Engineered by IBM researchers, the DES algorithm encrypts plaintext in 64-bit blocks using a 56-bit key and decrypts by applying the same operations in reverse order. To better understand what this means, Verifone Inc. Vice President of Product Security Robert McMillon described modern era encryption at its most basic as the application of a mathematical formula to a piece of data to obfuscate that data.
"It's still the real data, but it is hidden through math," he explained. "It's a combination of a mathematical algorithm and a key or a secret that is used to create the hidden data. And the only way to get it back is to apply that same mathematical formula with the same [or related] secret to decrypt it." Keys can either be symmetric, meaning the same secret is shared at both ends, or asymmetric, where a public key backed by an authentication certificate and private key are used.
DES may have initially been secure enough for commercial and unclassified government data, but over time, the expansion of computational power made it vulnerable to brute force attacks. DES was withdrawn from government use in 2005. Next came Triple DES (TDES), which effectively tripled the key length using three 56-bit keys and was far more difficult for hackers to penetrate. TDES is still in use today for Primary Account Number (PAN) encryption and other financial applications.
NIST later approved another standard widely used in the financial sector. The Rijndael data encryption formula, submitted as part of a global competition by two Belgian cryptographers, was adopted as the official Advanced Encryption Standard (AES) in 2001. AES supports key sizes of 128, 192 and 256 bits, which means that for a 128-bit key size there are 340 undecillion (340 followed by 36 zeros) possible keys.
On Jan. 23, 2015, NIST, in cooperation with 21 stakeholders, issued a revised draft of the NIST Cryptographic Standards and Guidelines, to ensure greater transparency in developing cryptographic standards in the future. This followed allegations that surfaced in 2014 that the National Security Agency may have tampered with a random bit generator in a way that undermined the encryption built on it. At this point, TDES and AES form the basis for a number of payments industry encryption systems in place today.
Data protection top priority
Momentum has been building within the payments industry and standards groups to adopt more stringent data protection strategies and policies to reduce fraud, including card fraud, which EMV (Europay, MasterCard, and Visa) chip-card implementation is expected to ameliorate.
"I divide that pretty cleanly into point-to-point-encryption [P2PE], which is really about protecting that card data from the point-of-sale until it reaches a trusted host, which basically removes the card information from all that intermediate software that can be penetrated and lead to a Target-like situation," said Terence Spies, Chief Technology Officer at Voltage Security Inc.
P2PE essentially takes the track data or a manually entered PIN and encrypts the relevant parts, leaving enough information in the clear to print receipts and perform routing decisions. Voltage was an early developer of format preserving encryption (FPE), credited for being easier to integrate with legacy systems. "FPE is a mode that enables us to take AES and turn AES into a cipher that will encrypt a relatively small amount of data, but still retain that security," Spies said.
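To make the P2PE and FPE description above concrete, here is an added illustration (not Voltage's product, not NIST FF1/FF3, and not code from this article): a toy format-preserving cipher built from a keyed Feistel network over decimal digits using HMAC-SHA256, applied only to the middle of a PAN so the BIN and last four digits stay in the clear for routing and receipts. The key, the test PAN, the round count and the six-plus-four split are all constructed for the demo; a production scheme would use a standardized FPE mode with a tweak and a key delivered from a hardware key hierarchy.

```python
"""Toy format-preserving encryption of a PAN's middle digits.

Added illustration only: a keyed Feistel network over decimal digits using
HMAC-SHA256 as the round function. It is NOT NIST FF1/FF3 and NOT Voltage's
FPE; it only shows the shape of the idea the article describes: the BIN
(first six digits) and last four stay readable, the digits in between are
replaced by other digits of the same length.
"""
import hashlib
import hmac

ROUNDS = 10  # constructed toy parameter; standardized modes fix this and add a tweak


def _round_function(key: bytes, round_no: int, half: int, modulus: int) -> int:
    """Pseudo-random function for one Feistel round, reduced into the digit domain."""
    msg = round_no.to_bytes(1, "big") + half.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string to another decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    l_len = len(digits) // 2
    r_len = len(digits) - l_len
    left, right = int(digits[:l_len]), int(digits[l_len:])
    mod_l, mod_r = 10 ** l_len, 10 ** r_len
    for i in range(ROUNDS):
        # Even rounds mix the right half into the left, odd rounds the reverse.
        if i % 2 == 0:
            left = (left + _round_function(key, i, right, mod_l)) % mod_l
        else:
            right = (right + _round_function(key, i, left, mod_r)) % mod_r
    return f"{left:0{l_len}d}{right:0{r_len}d}"


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt_digits by undoing the rounds in reverse order."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    l_len = len(digits) // 2
    r_len = len(digits) - l_len
    left, right = int(digits[:l_len]), int(digits[l_len:])
    mod_l, mod_r = 10 ** l_len, 10 ** r_len
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            left = (left - _round_function(key, i, right, mod_l)) % mod_l
        else:
            right = (right - _round_function(key, i, left, mod_r)) % mod_r
    return f"{left:0{l_len}d}{right:0{r_len}d}"


def protect_pan(key: bytes, pan: str, clear_prefix: int = 6, clear_suffix: int = 4) -> str:
    """Encrypt only the middle of a PAN, leaving BIN and last four in the clear."""
    if not pan.isdigit() or len(pan) < clear_prefix + clear_suffix + 2:
        raise ValueError("PAN too short for this split")
    head = pan[:clear_prefix]
    middle = pan[clear_prefix:len(pan) - clear_suffix]
    tail = pan[len(pan) - clear_suffix:]
    return head + fpe_encrypt_digits(key, middle) + tail


def unprotect_pan(key: bytes, protected: str, clear_prefix: int = 6, clear_suffix: int = 4) -> str:
    """Recover the original PAN inside the trusted decryption environment."""
    head = protected[:clear_prefix]
    middle = protected[clear_prefix:len(protected) - clear_suffix]
    tail = protected[len(protected) - clear_suffix:]
    return head + fpe_decrypt_digits(key, middle) + tail


if __name__ == "__main__":
    demo_key = bytes(range(32))      # constructed demo key, never a real one
    demo_pan = "4111111111111111"    # constructed test PAN, not a real account
    enc = protect_pan(demo_key, demo_pan)
    print(demo_pan, "->", enc, "->", unprotect_pan(demo_key, enc))
```

Two caveats worth noticing when running it: the protected PAN generally fails a Luhn check because the check digit stays in the clear while the digits it covers changed, which is harmless for routing but matters if downstream code validates PANs; and a six-digit middle is a tiny domain, which is exactly why standardized FPE modes add a tweak (binding the ciphertext to context) rather than relying on the cipher alone.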
The second strategy he mentioned is tokenization, which generates PAN surrogates that can either be stored or used in a limited card payment context. Apple Pay adopted tokenization as one of its strategies, and the banking system has begun to embrace it as well.
"The Federal Reserve is starting to get behind tokenization as a more global strategy for removing risk by taking PAN out of systems where they're stored," Spies said. "The big impact of data breaches is that rather than just stealing one card, you can break into a back-end repository and end up with 10 million or 100 million cards, because you've stolen from a database where those PANs are being held for transaction analysis, fraud, loyalty and other things like that."
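The tokenization strategy described in the two paragraphs above, as an added illustration that is not part of the article and not Apple Pay's or any network's token service: a vault that hands a merchant a random surrogate of the same length and last four digits as the PAN, so that a dump of the merchant's transaction, loyalty or fraud-analysis tables yields tokens rather than card numbers. The vault class, the decision to return the same token for a repeated PAN, and the choice to reject Luhn-valid surrogates are all constructed design choices for this example.

```python
"""Toy tokenization vault: replace a PAN with a random surrogate of the same
shape and keep the only mapping back to the PAN inside the vault.

Added illustration only, not any vendor's or card network's token service.
"""
import secrets
from typing import Dict, Optional


def luhn_checksum_ok(number: str) -> bool:
    """Standard Luhn check used for card numbers (True when the check digit matches)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds token<->PAN mappings; the PAN leaves only through detokenize()."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str, keep_last: int = 4) -> str:
        """Return a surrogate with the same length and last digits as the PAN."""
        if not pan.isdigit() or len(pan) < keep_last + 2:
            raise ValueError("malformed PAN")
        # Same PAN -> same token, so loyalty and fraud analytics still work on tokens.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - keep_last))
            token = body + pan[-keep_last:]
            # Reject collisions, and reject anything that would pass as a real card
            # number, so a leaked token cannot be mistaken for (or used as) a PAN.
            if token not in self._token_to_pan and not luhn_checksum_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the trusted payment path calls this; merchant systems never do."""
        return self._token_to_pan.get(token)

    def size(self) -> int:
        return len(self._token_to_pan)


if __name__ == "__main__":
    vault = TokenVault()
    demo_pan = "4111111111111111"  # constructed test PAN, not a real account
    tok = vault.tokenize(demo_pan)
    # The merchant database stores only tokens; nothing here is a card number.
    merchant_db = [{"order": 1001, "pan_token": tok, "amount": "19.99"}]
    print(merchant_db)
    print("vault resolves token to", vault.detokenize(tok))
```

The vault is the single high-value target in this design, which is why the article's interviewees pair tokenization with P2PE: encryption protects the PAN on its way to the trusted host, and tokenization keeps it out of every system downstream of that host.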
Experts estimate that less than 25 percent of Tier 1 merchants use either P2PE or tokenization today. "I would say that in the smaller merchant space, you're talking in the 10 to 12 percent range," Verifone's McMillon noted. "Nobody wants to be Target or Home Depot. We know these technologies prevent that from happening, and yet the adoption rate is anemic."
Perhaps one of the biggest challenges is that P2PE and tokenization are not yet mandated, and until such time, adoption rates could remain unacceptably low. "The vast majority of merchants that are out there handling cards are not using it, meaning they have card data that's in the clear, and that's, in part, made it a lot easier for people to steal card information from these merchants," said Greg Rosenberg, Security Engineer at Trustwave and a member of the PCI Security Standards Council's P2PE task force.
Looking ahead at both technologies, Spies believes that in the future dynamic tokenization will become more widespread in e-commerce; newer terminals will be equipped with built-in FPE and P2PE technologies; merchants and processors will adopt tokenization to remove PANs from large storage databases; and based on the Apple Pay model, there will be greater acceptance of public key cryptography in mobile payments.
P2PE gets PCI facelift
The PCI SSC has also been a strong advocate for P2PE. When the council first introduced a formal set of validation requirements for a new P2PE program in September 2011, the document was a bulky 300 pages, and validation applied to hardware-to-hardware solutions only. Hybrid solutions involving software within hardware were added later.
To date, just seven solutions have met all the criteria for validation. These include submittals from Verifone, Ingenico Group, Bluefin Payment Systems, FreedomPay Inc., The Logic Group Enterprises Ltd. and European Payment Services Ltd.
But all of that is about to change with the impending release of P2PE version two. The request for comment period ended on Jan. 20, 2015, and feedback has been positive. The PCI SSC said the new version will incorporate measures that speed the validation process and allow more entities to participate. For starters, the document will shed about a third of its page girth, and there will be more categories (see sidebar accompanying this article) that qualify for validation.
"We've eliminated hardware to hardware, and hardware to hybrid, and simplified that," said Troy Leach, PCI SSC Chief Technology Officer. "What we've learned over the course of several years is that there are scenarios where you would have a service provider that is only responsible for decrypting cardholder information, so we now have a listing for them as well."
Under the new format, individual organizations can be listed and validated independently. According to Leach, third parties will be able to apply one assessment to multiple validated solutions, as opposed to having an assessment for each service provider as is the current practice.
The new version also adheres more closely to the cryptographic principles of the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO), as well as the existing PIN standard. "We have a standard for the cryptographic protection of PIN when used for debit transactions," Leach noted. "We made sure that we aligned more closely to that standard so that there is more consistency in the requirements."
P2PE providers push forward
Bluefin was one of the first companies to receive P2PE validation for its PayConex integrated gateway, nonintegrated Decryptix model and QuickSwipe mobile payment platform. The company welcomes the changes in the new version and the opportunity to partner on more solutions to save on costs.
"No one could spell P2PE, and most didn't know what this was all about," said Ruston Miles, founder and Chief Innovation Officer at Bluefin. "In RFPs that I see now, the number one requirement is you have to have P2PE and you have to be validated. It's catching on."
Verifone, too, was ahead of the curve when it validated its PAYware Ocius payments-as-a-service platform in Europe. "On our U.K. gateway we are P2PE certified from our devices, which are also the hardware performing the encryption back to our service provider gateway," McMillon said.
But in the U.S. market, where millions of dollars were already invested in encryption systems prior to the availability of P2PE validation, becoming P2PE validated in the initial round has been slow to take off. The overall consensus was that systems were sufficient under guidelines set forth by other global standards organizations.
"We're in eight of the 10 top acquirers in the U.S. as an encryption partner from our hardware to decryption inside of the acquiring platform," McMillon said. "And none of those acquirers sought out P2PE validation in the first pass." He expects that will change when version two becomes available, since more customers are asking for certification from their service providers.
A compelling benefit of P2PE validated solutions for merchants is the drastically shortened self-assessment questionnaire that comes with it. The SAQ P2PE-HW has only about 10 percent of the questions contained in SAQ D, which is common for most merchants without P2PE validation. This saves time and resources in the end.
Pathways to data protection
As a defense against data breaches, the record for P2PE-validated solutions speaks for itself. "Nobody who is using P2PE has had, to date, a breach of their system that was within the P2PE component," McMillon said. "There have been some folks, for example, who might have been using encryption on the back-end store controller, between the store controller and their acquirer, and they got a breach on their internal network."
Unfortunately, not everyone who has the technology is taking advantage of it. "Most of the devices that these retailers are purchasing or installing have the technology already inside of them to implement P2PE," Miles said, adding that in one of the high profile national data breaches, the retailer had P2PE in every device, but did not have it turned on.
Whether costs or implementation are to blame, providers and merchants can no longer afford to sit idly by. EMV will be here soon enough. When the first big data breach strikes following the October 2015 liability shift, the credibility of an entire ecosystem could be at stake.
"What we've been publicly encouraging for a couple of years now is that as merchants are looking at upgrading their systems to accept chip cards, take that opportunity to look farther into the future and future-proof your devices so that you are accounting for P2PE, tokenization and other security mechanisms, so that we're not just protecting against the threats today, but we’re future proofing against the threats of tomorrow," Leach said.
But until P2PE becomes mandatory, complacency could prove costly. "There is this siloing effect that you see with merchants kind of running towards some P2PE, especially the nonvalidated solutions, when they're only in this compliance mindset," Trustwave's Rosenberg said. "There is peril there because the market, as we're seeing now for different extensive information, is very dynamic."
Rosenberg recommends in the interim, especially for the nonvalidated solutions, to have a Qualified Security Assessor evaluate the solution before deployment to determine whether it provides the benefits advertised, especially for merchants who have on-site audits anyway.
His second suggestion is to ask prospective vendors if they are in the process of formally validating a solution under the P2PE standard itself. If not, ask why. For those that are in the validation process, find out the expected date of completion and the name of their P2PE QSA as proof that they're actually doing it.
What's in the crystal ball?
While it’s impossible to predict the future, one thing is certain. Innovation will continue to guide us to unimaginable frontiers as an industry. Some see the future now and are exploiting it. Others look at the possibilities in current technology in terms of the untapped market potential.
Verifone, an example of the former, has taken a seize-the-future-now approach with the launch of its Secure Commerce Architecture (SCA) solution, which aims to enhance security beyond P2PE. By rerouting payment flow, SCA eliminates the potential risk of malware intercepting data on a compromised merchant PC. First Data Corp. and Vantiv have thrown their support behind SCA as part of their infrastructures.
"In an SCA transaction, what happens is the PC-based POS runs up the sale and then says to a Verifone terminal, 'I need to run a transaction,'" McMillon explained. "The Verifone terminal captures the card data, encrypts the card data, then it formats the payment message itself and sends it out to the acquirer. It doesn't send it back to the PC-based POS. It communicates directly to the acquirer."
Looking at the market’s untapped potential, another strategy involves taking block chain cryptography to the next level. "There are lots of people in the investment community that are backing that technology, and that can come from two places," Spies said. "One is that they believe bitcoin as a decentralized payment instrument has some future. The other is that this idea of a block chain may lead to other applications in the future beyond bitcoin and will end up having an impact on the financial space."
Spies noted that bitcoin uses cryptography to build a distributed ledger that records transactions made back and forth to one another, and those transactions are authenticated with a digital signature. "That becomes the venue for lots of different financial applications where you have to record or notarize on transactions in a globally available kind of way," he said.
But when asked about the present state of payments, Spies was more pragmatic. "I think for the financial industry, the question is probably less about the strength of the algorithms and more about how do we architect these systems and methods so that we can keep the financial systems operating, but basically retrofit security onto it, because it's not as if we can shut these systems down, secure them and then turn them back on," he said. "The engine has to keep humming."