A data encryption method that Heartland Payment Systems CEO Robert Carr swears by has received high-level acceptance as part of a new standard.
When Heartland Payment Systems suffered its data breach in 2009, it rocked the payments industry and sent Carr quickly searching for extra security. He found it in a tamper-resistant security module made in Taiwan and encryption standards that a company called Voltage Security had been developing for a couple of years.
Last week, the National Institute of Standards and Technology accepted this technology into a new advanced encryption standard called FFX format-preserving encryption mode.
"Really, I don't understand why everyone in the world hasn't gone to this form of encryption," Carr said. "The data is of no value to the bad guys."
Hewlett Packard acquired Voltage Security a year ago and kept moving forward with its HP Enterprise SecureData encryption service, which it says already protects billions of transactions in Web and payments processing, mobile apps and Big Data systems.
The new NIST standard means the encryption formatting at the foundation of HPE's SecureData becomes available to other organizations and government agencies.
The beauty of format-preserving encryption is that it allows a company to store, move and even use encrypted data without constantly having to decrypt or change the formats of transaction data, Carr said. The standard also reduces threats from insiders, malware and advanced external attacks to systems, Carr added.
"We had our breach in January of 2009 and got started that February to get 82,000 devices built and deploy the encryption," Carr said. "And it worked in our network and for our merchants."
If another hacking attempt ever forced Heartland's hand, the company "could change the key for every single transaction, because it is all possible with this solution," he added. End-to-end encryption relies on a private key to unlock the data.
In addition, Heartland can change the keys to the encryption "every time there is a new batch of data," Carr said. "If bad guys broke in, and no one has come close to doing so that we know of, they would get just one batch of encrypted data."
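To make the two points above concrete (ciphertext that keeps the format of the card number, and a fresh key per batch yielding unrelated ciphertext), here is an added illustrative example that is not from the article, NIST or HPE. It is a 10-round Feistel network over decimal strings with HMAC-SHA256 standing in for the AES-based round function of NIST's FF1 mode; the card number, keys and tweak are constructed values.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves end up back in their original positions


def _prf(key: bytes, tweak: bytes, rnd: int, half: str, m: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round, other half), reduced mod 10**m.
    FF1 uses an AES CBC-MAC here; HMAC is a stand-in playing the same PRF role."""
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** m)


def _split(digits: str):
    """Validate the input and split it into an unbalanced pair of halves (u <= v)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Encrypt a digit string into another digit string of the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half rewritten this round
        c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)  # zfill keeps leading zeros, so the length is preserved
    return a + b


def fpe_decrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the same rounds backwards."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test card number, not a real account
    key_batch1 = hashlib.sha256(b"constructed-batch-key-1").digest()
    key_batch2 = hashlib.sha256(b"constructed-batch-key-2").digest()
    ct1 = fpe_encrypt(pan, key_batch1, tweak=b"merchant-42")
    ct2 = fpe_encrypt(pan, key_batch2, tweak=b"merchant-42")
    print(pan, "->", ct1, "(still 16 digits: fits the existing PAN column)")
    print("same PAN under the next batch key ->", ct2)
    assert fpe_decrypt(ct1, key_batch1, tweak=b"merchant-42") == pan
```

Because the output is all digits of the same length, the ciphertext can sit in the same database column and flow through the same message formats as the original; a stolen batch encrypted under one key tells an attacker nothing about the next batch.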
President Obama recently nominated Carr to serve on the National Infrastructure Advisory Council as part of an initiative to develop awareness and defenses against cyber attacks.
The continued efforts of Hewlett Packard and other security providers through NIST are important for the payments and financial industries as technology continues to advance, said Ben Knieff, senior analyst and fraud expert at Aite Group.
"It is excellent to have open and vetted standards which can guide organizations in decision making on where and how to implement encryption, and especially support end-to-end encryption of financial data and other personal data," Knieff said.
Even seemingly innocuous data and communications generated by the Internet of Things could be used "for nefarious purposes ranging from annoying to life-threatening," Knieff added. "Strong encryption helps enable security very broadly, even when the need for encryption is not immediately obvious."
The new mode enables organizations to encrypt sensitive personal data without completely revamping existing IT infrastructure, thus lowering costs for users, said Terence Spies, distinguished technologist for HPE Data Security, and former chief technology officer of Voltage Security.
In addition, merchants using encryption save money on compliance with the Payment Card Industry data security standards, Spies added.
"NIST establishes federal processing standards and a certification program for crypto modules," Spies said. "We anticipate being one of the first crypto modules through that process that will implement the encryption, which will allow us to bring this technology into the federal market and some other places that require that NIST certification."
When operating as Voltage Security, the company initially made its proposal to NIST about five years ago. "We made the technology submission and began working with other academia to refine the technology to what the specification is right now," Spies said.
Ultimately, Heartland laid the groundwork for Voltage and Hewlett Packard to strengthen the encryption service and make it more readily available, Spies said.
"Heartland did an amazing job in saying it was not going to store clear text card data anymore," Spies added. "Now we are seeing it adopted more, and it was the right approach to take on this."
Since the introduction of EMV chip cards in the U.S. in the past year, technology providers have encouraged any company accepting, transmitting or storing card data to establish EMV at the point of sale to thwart counterfeit fraud, end-to-end encryption for data in flight, and tokenization for data at rest.
In that regard, even the new NIST standard and format-preserving encryption cannot take the place of EMV, which focuses solely on authorizing cardholders at the point of sale. Still, future development of encryption may spread into other areas that need stronger security.
As providers and NIST move forward, it will be critical they continue to look for stronger and more efficient encryption algorithms, Aite's Knieff said. "This is a standard that will need to be revised rather frequently to keep up with growing computer power and constant attempts to break encryption."