Encryption has become a political hot potato for the Payment Card Industry Security Standards Council as it compiles a list of validated encryption vendors and services and leaves off some companies that say they deserve to be recognized as secure.
At least one company left off the list questions some of the requirements, while those validated through PCI say encryption is a process that can't leave any room for error. The PCI Council first introduced its encryption standards in 2011.
Las Vegas-based payment gateway provider Shift4 says it has developed a strong encryption process over its 20 years as a payments vendor, but its disagreement with the PCI Council over the use of a hardware security module (HSM) has left its system off the validated vendor list. The hardware security module has been a key aspect of PCI's requirements from the outset.
Shift4 does not want to use a hardware security module that is not part of its encryption service, said Bob Lowe, vice president of development at Shift4.
"They want us to put an HSM, an untouchable box, in our environment and introduce someone else's code," Lowe said. "If the HSM fails, the merchant can't process transactions."
A hardware security module "is not the right answer" for industry professionals who have been using encryption and key management for several years and have been certified in the past by card associations, Lowe added.
The PCI Council insists that a hardware-based approach is easier to secure. Using software rather than an HSM for key management in an encryption service can be "very risky and insecure if not done correctly," said Troy Leach, chief technology officer for PCI. "It takes a rigorous and strenuous approach to do it securely."
Regardless of whether an HSM comes into play, merchants have to use encryption if they want to lessen the chance for a major breach, said Nathan Casper, marketing manager at Shift4.
Target, for example, fast-tracked its adoption of EMV-chip card technology after reporting its own major data breach over a year ago, but "even if Target or Home Depot or the other merchants breached had EMV, there would still have been clear-text data coming out of the back end of those machines from the point of sale," Casper said.
EMV-chip cards add protection against counterfeiting with unique transaction cryptograms, but point-to-point encryption protects the primary account number (PAN) and expiration date as they flow through a network. Without it, "EMV is really worthless as far as security," Casper added.
Luckily, many of the new terminals that merchants will buy for EMV acceptance will also support encryption services, said Ruston Miles, chief innovation officer at Atlanta, Ga.-based Bluefin Payment Systems. Bluefin was the first North American vendor to have its encryption service validated through PCI.
Miles challenged the notion that if an HSM fails, transactions halt.
"It has to be an HSM that has been validated as tamper-resistant, one that would change the keys if someone tried to get in," he said. The modules are generally connected in a way that "it would be foolish to implement one that, if it went down, all of the keys were dead," he added.
That is why the PCI Council won't budge from its stance on the HSM: it secures the keys to the encryption system, Miles said.
It is frustrating for a vendor to potentially lose sales because it is not validated through PCI, said Julie Conroy, research director and fraud expert with Boston-based Aite Group. "But you have to have a set of minimum standards somewhere," Conroy said.
Shift4 has a legitimate concern as a company that has sold encryption services for a long time and has a good methodology, Conroy said. But without PCI standards, the industry would have to validate each vendor on a case-by-case basis, she added.
"All of a sudden, it becomes very bureaucratic and expensive," Conroy said. "There is no ideal way to do this, unfortunately."
It would be a mistake, though, for merchants to believe that encryption could take the place of EMV-chip cards, she said.
Counterfeit card fraud reached $3 billion in the U.S. in 2014, up from $2 billion in 2012, Conroy said. "It is easy pickings and the fraudsters see their window of opportunity closing on this, which is why we are in the 'breach of the week' mode in the industry."