The fight against fraud utilises many tools such as online secure authentication, PCI DSS and EMV, but data breaches still occur. Could end-to-end encryption be the all-encompassing solution that merchants have been looking for? Maybe, but at a cost, as Charles Davis reports.
End-to-end encryption (E2EE), the holy grail of the payments industry, is well within sight, but will saddle merchants with a hefty price tag, according to a new report from US payment consultancy Mercator Advisory Group.
The encryption of cardholder data from the point of sale to processors’ authorisation networks could reduce the scope and cost of merchants’ efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS), and bring an end to the era of high-profile data breaches that have stung card processors again and again, reported George Peabody, principal analyst at Mercator.
Peabody estimates that, compared to the estimated $15 billion for an EMV deployment across the US, E2EE is a $9.5 billion solution with the costs largely falling on the merchants themselves.
Hefty price tag could be worthwhile
Despite the high cost, Mercator finds that the advantages to merchants of getting out from under a large set of PCI compliance burdens may make E2EE worthwhile.
“We do know PCI DSS alone is not working,” Peabody wrote. “Certificates of compliance document a system’s condition at a single point in time. The slightest change such as an improperly configured firewall can blow up PCI DSS compliance. PCI DSS itself is updated based on forensic investigation of breaches. Yes, PCI DSS is a necessary standard and will be with us for the foreseeable future. But PCI, as it is defined today, while necessary, is not sufficient.”
That is where card number encryption enters the discussion, as a far faster and more reliable way of removing card numbers from merchant, processor and acquirer systems.
The practical definition of E2EE is encryption of cardholder data from the point of card number acquisition – at the magnetic stripe reader head, the webpage, the contactless radio receiver – through to the highest level in the processing hierarchy, the acquiring processor, before unencrypted cardholder data is passed through to card network and issuer systems along secure network connections. The cardholder account number is never in the clear on the merchant’s system.
The pain of PCI compliance
For the merchant, cardholder data is never stored or transmitted in the clear over its networks or on its systems. This reduces the scope of PCI audit requirements for the merchant and shifts more responsibility to the processing community.
Peabody cites several factors spurring merchant interest in E2EE, including the simple desire to do the right thing and avoid the unwanted publicity attendant to data breaches, as well as the desire to avoid card brand sanctions of up to $500,000 per incident.
But the greatest motivator is the cost of PCI, especially given its limited effectiveness. Given the breadth of PCI’s reach, the growing cost of compliance and the near certainty that new and more stringent requirements will emerge, merchants have considerable incentives to examine end-to-end encryption.
For vendors of payment security solutions, the home run for merchants is simply to make the pain of PCI compliance go away, Peabody wrote. The perfect start is to stop using card numbers on merchant systems. While no merchant can get out from under PCI’s obligations even by banishing card numbers, E2EE does address some of the harder DSS demands, including the protection of stored cardholder data and the encryption of cardholder data across public networks. E2EE also operates across the merchant’s internal networks, a source of potential breaches.
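The flow defined above (encrypt at the point of acquisition, decrypt only at the acquiring processor) as an added Python model; this is illustration written for this page, not code from the Mercator report or any vendor product. It assumes a symmetric terminal key shared with the processor and uses an HMAC-based stand-in cipher where a real reader head would run AES inside approved hardware.

```python
import hashlib, hmac, json, os

def _subkeys(terminal_key: bytes) -> tuple:
    # Assumption: the terminal key was injected by the acquiring processor (for example
    # DUKPT-derived); derive separate encryption and MAC keys from it.
    return (hashlib.sha256(b"enc|" + terminal_key).digest(),
            hashlib.sha256(b"mac|" + terminal_key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 as a PRF, a stand-in for the AES a
    # real reader head would run inside approved hardware.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def terminal_encrypt(terminal_key: bytes, pan: str, expiry: str) -> dict:
    """Point of acquisition: encrypt PAN and expiry (encrypt-then-MAC); expose only last4."""
    enc_key, mac_key = _subkeys(terminal_key)
    nonce = os.urandom(12)
    plaintext = json.dumps({"pan": pan, "exp": expiry}).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(), "last4": pan[-4:]}

def merchant_store(msg: dict, amount: str) -> dict:
    # Merchant systems forward and store the opaque blob; they never hold the key.
    return {"amount": amount, "last4": msg["last4"], "blob": msg}

def record_contains_pan(record: dict, pan: str) -> bool:
    # PCI-scope check: does anything the merchant holds contain the full PAN?
    return pan in json.dumps(record)

def processor_decrypt(terminal_key: bytes, msg: dict) -> dict:
    """Acquiring processor: verify the tag, then recover cardholder data for authorisation."""
    enc_key, mac_key = _subkeys(terminal_key)
    nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        raise ValueError("integrity check failed: message altered in transit")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def processor_accepts(terminal_key: bytes, msg: dict) -> bool:
    # True only if the message authenticates under the terminal key and decrypts.
    try:
        return processor_decrypt(terminal_key, msg) is not None
    except ValueError:
        return False
```

The record_contains_pan check is the kind of evidence an assessor looks for: the full card number never lands on merchant systems, which is what shrinks the merchant's PCI scope.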
A financial deterrent to fraudsters
Ultimately, as Peabody found, E2EE removes the economic benefit of hacking into a merchant or processing network, which means that financially motivated criminals will move on to something else. By making the card data on the merchant network unusable and keeping all stored data on a third party’s systems, the merchant is able to protect its customers’ data, ensure its reputation for proper care and control of that data and reduce PCI scope and cost.
To encourage development of E2EE solutions, Peabody concludes there is precedent for incentive interchange rates based on merchant deployment of fraud and risk controls. E2EE deployment by a merchant qualifies as a fraud and risk control. Since merchants have to play by the issuers’ rules, such an incentive is warranted.
“Cyber security is not a competitive issue,” Peabody wrote. “Any payments enterprise that rejoices at a competitor’s data breach is whistling past the graveyard and deserves every ghost and hobgoblin that pursues it down the road.”
The Financial Services Information Sharing and Analysis Centre (FS-ISAC) was established to share information about physical and cyber security threats and vulnerabilities to help protect US critical infrastructure. Under the FS-ISAC umbrella, a new section dedicated to payment processors is forming. Called the Payments Processing Information Sharing Council, its mission is to expedite the disclosure of information and risk mitigation strategies that are crucial in the fight against cyber criminals.
The idea is to quickly share across the industry the most accurate and up-to-date information regarding current cyber threats. For example, if a new attack is underway at a bank, the bank will share it through secure PPISC facilities, perhaps sent as a mobile alert to information security leadership at all processors.
Such collaborative, industry-led initiatives will go a long way toward keeping the government from mandating specific remedies. Those are best left to the payments industry. While the federal government is increasingly in the regulatory business, it is better if leadership, including prescriptive mandates, comes from the payments industry itself, Peabody wrote.
“If we look beyond the payments stream, encryption is, inarguably, a beneficial technology,” he wrote. “If encryption does become more broadly deployed across US enterprise and government entities – in the form of enterprise-wide edge-to-edge encryption that protects all data assets – then we will be the better for it.”