This article appears in the June 9, 2009, edition of ISO&Agent Weekly.
Many industry professionals contend complete encryption of cardholder data throughout the entire transaction process will help mitigate security breaches.
The challenge of attaining complete encryption, however, will be convincing merchants to pay to upgrade their point-of-sale technology to terminals that encrypt cardholder data when the consumer swipes a payment card, according to some observers.
Most respondents to a recent Aite Group LLC survey expected complete encryption to have the most positive impact on card fraud. Ninety-two percent of respondents considered complete encryption to have a "high" to "very high" impact on reducing security losses within the next three years, according to the Aite report "Card Data Security: In Search Of A Technology Solution."
ISOs hoping to boost their sales of encryption-enabled terminals to merchants may face a difficult challenge. "As long as the cost of fraud is not surpassing the cost of implementing a new [product], most players will avoid sinking hard dollars into it," says Adil Moussa, an analyst at Boston-based Aite. "Merchants will try to avoid incurring new costs for new terminals."
The challenge for proponents of complete encryption, such as processor Heartland Payment Systems Inc., will be to convince merchants to purchase updated terminals, agrees George Peabody, a Mercator Advisory Group Inc. principal analyst and author of the report "End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance." He estimates POS terminal-replacement costs across all merchant tiers in the United States at $4.8 billion. Mercator is based in Maynard, Mass.
Merchants' reluctance to replace their existing equipment with updated models that meet security standards is not a new phenomenon.
The cost of complying with the Payment Card Industry Data Security and PIN Entry Device standards, and a lack of understanding of what the requirements entail, has caused some Level 4 merchants to resist compliance. Level 4 merchants process fewer than 20,000 Visa e-commerce transactions, or up to 1 million Visa transactions of any type, annually.
A primary reason some smaller merchants resist becoming compliant is they do not understand the need for it, Deanna Rich, president of Van Nuys, Calif.-based Rich Consulting, said during the Electronic Transactions Association Compliance Day event in Dallas in November. Some Level 4 merchants also are reluctant to replace noncompliant software and hardware with updated versions that meet PCI standards, Rich said. "Merchants say 'I have something; it works,'" she said.
Despite merchants' historic reluctance to pay for updated technology, Heartland Chairman and CEO Bob Carr contends merchants that "understand the vulnerabilities of sending" unencrypted data from point-of-sale terminals "will make a relatively small capital investment in technology" to reduce their ongoing breach liability and the annual costs and effort associated with PCI certification.
Encryption of cardholder data from the point-of-sale terminal to the authorization network of the processor could benefit merchants by reducing the scope and cost of their PCI compliance, according to Peabody's report.
With encryption from the point of sale to the processor, merchants do not store or transmit unencrypted cardholder data over their networks or systems, according to the report. By completely encrypting cardholder data, a merchant already has addressed certain PCI requirements, including protecting stored cardholder data (Requirement 3), encrypting cardholder data across public networks (Requirement 4) and restricting access to cardholder data by business need to know (Requirement 7), states the report. The PCI standard is organized into 12 requirements.
However, there is no guarantee that using encryption will make things easier for merchants under PCI. "It's up to the PCI security council to tone down the requirement if you're encrypting end to end," says Avivah Litan, a vice president at Gartner Inc., a Stamford, Conn.-based market-research firm.
Heartland Encryption Test
Princeton, N.J.-based Heartland last week completed its first test of a complete encryption system designed to protect the cardholder data it handles from being hacked.
The processor, which disclosed a major breach in January, has run transactions from the four major card brands on its encryption system. However, Visa Inc., MasterCard Worldwide, American Express Co. and Discover Financial Services do not accept encrypted data from Heartland, so it had to decrypt the data to complete the transactions.
More than one of the card brands should be set up to handle encrypted data in the first quarter of next year, though Heartland plans to begin selling the system even if the card brands are not ready by that time, according to the processor.
Though the company was working on an encryption system before its well-publicized breach, the incident led it to accelerate the project and discuss it publicly, according to Heartland executives.
If merchants embrace its new system, it should ease some of their lingering worries about PCI, says Steven M. Elefant, Heartland executive director of complete encryption.
"PCI is a good start, but PCI in and of itself does not keep people secure, so it has to be extended," Elefant says. "Part of what we offer with [complete encryption] is that the merchant will never have the ability to decrypt a card," so it would not be capable of exposing data.
Heartland plans to indemnify users of its encryption system against any fines they would be assessed under PCI if any incidents should occur after they put the system in place, he says.
Heartland tested the system at a Plano, Texas-based car wash. Over the course of the year, Heartland will repeat the test with hundreds of merchants, Elefant says.
Payment Process Zones
The payment process can be divided into five zones, says Heartland. The first zone is the card reader owned by the merchant, and the processor controls the next three zones. The fifth zone is the handoff to the card brands.
Without encryption, "all those transactions are in an open, clear-text format where anybody who is trying to sniff or capture or introduce malware can get that transaction information," Elefant says.
Under Heartland's encryption system, the first six and last four digits of the account number are kept in the clear, but the digits in between are scrambled. This gives the merchant enough information to identify the account for repeat transactions but not enough for a fraudster to use the card if the data were stolen, Elefant says.
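As an added example (not Heartland's code and not part of the original article), the following Python shows what the merchant-side view of an account number looks like when the first six and last four digits stay in the clear, and quantifies what the clear digits give away: it enumerates every Luhn-valid account number that shares a given first-six/last-four pattern. The "scrambling" of the middle digits is represented here by a plain mask character, which is an assumption made for illustration; the sample PAN is the well-known Visa test number, not a real account.

```python
"""Masked-PAN view and the candidate space the clear digits leave behind.

Added example, not Heartland's code. The mask character standing in for the
scrambled middle digits is an assumption made for illustration.
"""
from itertools import product
from typing import List

# Luhn value of a digit in a doubled position (2*d, minus 9 if that exceeds 9).
# Note this is a permutation of 0..9, as is the identity map for undoubled
# positions; the enumeration below relies on that.
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]


def luhn_valid(pan: str) -> bool:
    """Return True if the all-digit string passes the Luhn (mod 10) check."""
    total = 0
    for r, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLED[d] if r % 2 == 1 else d
    return total % 10 == 0


def mask_pan(pan: str, fill: str = "*") -> str:
    """Keep the first six (BIN) and last four digits; hide everything between."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + fill * (len(pan) - 10) + pan[-4:]


def luhn_valid_completions(masked: str, fill: str = "*") -> List[str]:
    """Every PAN that matches the clear digits of `masked` and passes Luhn.

    For a 16-digit PAN six digits are hidden, so there are 10**6 fills; exactly
    one tenth of them satisfy the check digit, leaving 100,000 candidates.
    Rather than test all 10**6, choose all hidden digits but one freely and
    solve the last one from the checksum.
    """
    n = len(masked)
    hidden = [i for i, ch in enumerate(masked) if ch == fill]
    if not hidden:
        return [masked] if luhn_valid(masked) else []

    def weight(i: int, d: int) -> int:
        # Luhn contribution of digit d at string index i (doubled if its
        # offset from the right-hand end is odd).
        return DOUBLED[d] if (n - 1 - i) % 2 == 1 else d

    base = sum(weight(i, int(ch)) for i, ch in enumerate(masked) if ch != fill)
    free, last = hidden[:-1], hidden[-1]
    # Both digit maps are bijections on 0..9, so each residue has one preimage.
    inverse = {weight(last, d) % 10: d for d in range(10)}

    out = []
    for digits in product(range(10), repeat=len(free)):
        partial = base + sum(weight(i, d) for i, d in zip(free, digits))
        chars = list(masked)
        for i, d in zip(free, digits):
            chars[i] = str(d)
        chars[last] = str(inverse[(-partial) % 10])
        out.append("".join(chars))
    return out


if __name__ == "__main__":
    # Constructed input: the standard Visa test number, not a real account.
    pan = "4111111111111111"
    masked = mask_pan(pan)
    candidates = luhn_valid_completions(masked)
    print(masked)                       # 411111******1111
    print(len(candidates), pan in candidates)   # 100000 True
```

The enumeration is what a practitioner would run to size the residual search space: a masked 16-digit PAN narrows the account to one of 100,000 Luhn-valid numbers, which is why the merchant-side value is useful for matching repeat customers yet still needs the processor-held key (which, as Elefant notes above, the merchant never has) to recover the real card number.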
Though some have talked up the benefits of encryption, the card brands have not yet publicly committed to Heartland's system.
Daniel Wolfe, a reporter for American Banker, also contributed to this article.