The fight against fraud utilises many tools such as online secure authentication, PCI DSS and EMV, but data breaches still occur. Could end-to-end encryption be the all-encompassing solution that merchants have been looking for? Maybe, but at a cost, as Charles
End-to-end encryption (E2EE), the holy grail of the payments industry, is well within sight, but will saddle merchants with a hefty price tag, according to a new report from US payment consultancy Mercator Advisory Group.
The encryption of cardholder data from the point of sale to processors’ authorisation networks could reduce the scope and cost of merchants’ efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS), and bring an end to the era of high-profile data breaches that have stung card processors again and again, reported George Peabody, principal analyst at Mercator.
Peabody estimates that, compared to the estimated $15 billion for an EMV deployment across the US, E2EE is a $9.5 billion solution with the costs largely falling on the
Hefty price tag could be
Despite the high cost, Mercator finds that the advantages to merchants of getting out from under a large set of PCI compliance burdens may make E2EE worthwhile.
“We do know PCI DSS alone is not working,” Peabody wrote. “Certificates of compliance document a system’s condition at a single point in time. The slightest change, such as an improperly configured firewall, can blow up PCI DSS compliance. PCI DSS itself is updated based on forensic investigation of breaches. Yes, PCI DSS is a necessary standard and will be with us for the foreseeable future. But PCI, as it is defined today, while necessary, is not sufficient.”
That is where card number encryption enters the discussion, as a far faster and more reliable way of removing card numbers from merchant, processor and acquirer systems.
The practical definition of E2EE is encryption of cardholder data from the point of card number acquisition – at the magnetic stripe reader head, the webpage, the contactless radio receiver – through to the highest level in the processing hierarchy, the acquiring processor, before unencrypted cardholder data is passed through to card network and issuer systems along secure network connections. The cardholder account number is never in the clear on the merchant’s system.
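The claim that the account number is never in the clear on the merchant’s system is one a merchant can check against its own logs and stored records. The following scanner is an added example, not code from the article or from Mercator: it flags Luhn-valid 13- to 19-digit runs, so a legacy record carrying a plaintext PAN is reported while an E2EE-era record holding only an opaque ciphertext (the sample records and the "E2EE:k07:..." format are constructed for this example) is not.

```python
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit (so a longer number is not split).
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """True if the digit string passes the Luhn mod-10 check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(record):
    """Return the Luhn-valid PANs that appear in the clear in one record."""
    found = []
    for m in _PAN_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_records(records):
    """Map record index -> plaintext PANs found; an empty dict means clean."""
    hits = {}
    for i, rec in enumerate(records):
        pans = find_clear_pans(rec)
        if pans:
            hits[i] = pans
    return hits


# Constructed sample records (not real merchant data); 4111111111111111 is a
# well-known Luhn-valid test number, not a live account.
LEGACY_RECORDS = [
    "2009-05-01 12:01:07 POS-03 sale pan=4111111111111111 exp=1225 amt=42.10",
    "receipt: card 4111 1111 1111 1111 approved auth=123456",
    "batch trace=1234567890123 settled",  # 13 digits but fails Luhn: not a PAN
]
# Under E2EE the terminal hands the merchant only ciphertext plus a key id
# (the "E2EE:k07:..." layout is an assumption made for this example).
E2EE_RECORDS = [
    "2009-05-01 12:01:07 POS-03 sale ct=E2EE:k07:9c1f3a7b2e4d6f80a51b amt=42.10",
    "receipt: card ****1111 approved auth=123456",
]

if __name__ == "__main__":
    print("legacy:", scan_records(LEGACY_RECORDS))  # two records expose the PAN
    print("e2ee:  ", scan_records(E2EE_RECORDS))    # {} : nothing in the clear
```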
The pain of PCI
For the merchant, there is never storage or transmission of cardholder data over its networks and on its systems. This reduces the scope of PCI audit requirements for the merchant and shifts more responsibility to the processing
Peabody cites several factors spurring merchant interest in E2EE, including the simple desire to do the right thing and avoid the unwanted publicity attendant to data breaches, as well as the desire to avoid card brand sanctions of up to $500,000 per incident.
But the greatest motivator is the cost of PCI, especially given its limited effectiveness. Given the breadth of PCI’s reach, the growing cost of compliance and the near certainty that new and more stringent requirements will emerge, merchants have considerable incentives to examine end-to-end encryption.
For vendors of payment security solutions, the home run for merchants is simply to make the pain of PCI compliance go away, Peabody wrote. The perfect start is to stop using card numbers on merchant systems. While no merchant can get out from under PCI’s obligations even by banishing card numbers, E2EE does address some of the harder DSS demands, including the protection of stored cardholder data and the encryption of cardholder data across public networks. E2EE also operates across the merchant’s internal networks, a source of potential breaches.
A financial deterrent to
Ultimately, as Peabody found, E2EE removes the economic benefit of hacking into a merchant or processing network, which means that financially motivated criminals will move on to something else. By making the card data on the merchant network unusable and keeping all stored data on a third party’s systems, the merchant is able to protect its customers’ data, ensure its reputation for proper care and control of that data and reduce PCI scope and cost.
To encourage development of E2EE solutions, Peabody concludes there is precedent for incentive interchange rates based on merchant deployment of fraud and risk controls. E2EE deployment by a merchant qualifies as a fraud and risk control. Since they have to play by the issuer’s rules, an incentive is
“Cyber security is not a competitive issue,” Peabody wrote. “Any payments enterprise that rejoices at a competitor’s data breach is whistling past the graveyard and deserves every ghost and hobgoblin that pursues it down the
The Financial Services Information Sharing and Analysis Centre (FS-ISAC) was established to share information about physical and cyber security threats and vulnerabilities to help protect US critical infrastructure. Under the FS-ISAC umbrella, a new section dedicated to payment processors is forming. Called the Payments Processing Information Sharing Council (PPISC), its mission is to expedite the disclosure of information and risk mitigation strategies that are crucial in the fight against cyber
The idea is to quickly share across the industry the most accurate and up-to-date information regarding current cyber threats. For example, if a new attack is underway at a bank, the bank will share it through secure PPISC facilities, perhaps sent as a mobile alert to information security leadership at all processors.
Such collaborative, industry-led initiatives will go a long way toward keeping the government from mandating specific remedies. Those are best left to the payments industry. While the federal government is increasingly in the regulatory business, it is better if leadership, including prescriptive mandates, comes from the payments industry itself, Peabody
“If we look beyond the payments stream, encryption is, inarguably, a beneficial technology,” he wrote. “If encryption does become more broadly deployed across US enterprise and government entities – in the form of enterprise-wide edge-to-edge encryption that protects all data assets – then we will be the better for it.”