Abstract
Boston, MA. - June 24, 2009 -- With the US payments system under
continuous cyberattack and data breaches endemic, merchants and processors are
scrambling to protect their data assets and cardholder data in particular.
Card data encryption turns valuable data into worthless bits and bytes,
eliminating the economic incentive for a cyberattack.
In a new report, End-to-End Encryption: The Acquiring Side Responds to Data
Loss and PCI Compliance, Mercator Advisory Group explores end-to-end
encryption (E2EE) in the hands of merchants, payment service providers and
processors. In the face of the three bogies of PCI DSS compliance and
penalties, reputational risk and direct financial loss, the acquiring half of
the payments process is evaluating options for eliminating cleartext
cardholder data from their systems. Tokenization (the subject of a recent
Mercator report) and end-to-end encryption are the leading candidates. This
report examines the complexity of E2EE within payments and enterprise security.
“End-to-end encryption' s beauty is very much in the beholder' s eye. If
you' re a Tier one merchant in no mood to risk the reputational crisis of a
data breach, using E2EE to rid your network of card data is a good
move,”George Peabody, Director of Mercator Advisory Group' s Emerging
Technologies Advisory Service and principal analyst on the
report.“E2EE also reduces the scope of PCI compliance audits and
remediation costs but the beauty of encryption and card security will likely
be lost on millions of Tier 4 merchants. Strong sales incentives and messaging
will be required to have them join in the data protection fight.”
Highlights of the report include:
- End to end encryption (E2EE) is a long forestalled rational reaction to
data breaches and PCI DSS audit costs.
- The advantages to merchants of getting out from under a large set of PCI
compliance burdens may make E2EE worthwhile.
- Defining the "ends" in E2EE is a key step for every deployment.
- The encryption zones under a processor' s control - from the merchant' s
magstripe reader to the interconnection point with card brand or issuer -
appear to be a manageable domain where the burdens of key management and new
POS gear equal the benefits.
- Standards development is in early days. A new working group under ASC X9
has brought together the key stakeholders, some of whom have sharply diverging
goals.
This report contains 36 pages and 7 exhibits.
Companies and programs mentioned in this report include: Hypercom,
VeriFone, Ingenico, MagTek, Magensa, Heartland Payment Systems, Visa,
MasterCard, RBS Worldpay, RSA, Prime Factors, Verizon Business, Voltage
Security, Semtek, Futurex, SafeNet, Transaction Network Services (TNS),
Thales, Atos wordlwide, HP Attala, Banco de Credito e Inversiones, Propay,
Fifth Third Bancorp, and EMVCo.
Table of Contents
- Introduction
- The Global Cyber War is Already Underway
- “What a Revoltin' Development This Is!”
- Merchant Incentives
- Security Guiding Principles
- End-to-End Encryption Defined
- A Note on Encryption and Cryptographic Engineering
- Encryption Approaches
- Preserve that Format
- Key Management
- It's in the Details
- Vendors
- Heartland Payment Systems
- Step 1 - Vertical Integration
- Step 2 - The New POS Terminal
- Step 3 - Don't Break the Middle
- Step 4 - Tying (Most of) the Ends Together
- PCI Compliance, Liability Shift and a Pile of Straw
- VeriShield Protect - VSP
- Semtek
- The Service Provider Play - Transaction Network Systems
- Propay - Another Service Provider
- MagTek and Magensa
- Hypercom
- Enterprise Encryption Software
- Standards - All Deliberate Speed
- ASC X9
- Secure POS Vendor Alliance - SPVA
- Conclusions
- Give ‘Em a Carrot
- Cyber Security Takes Aggressive Collaboration
- We Need Encryption Standards
- What's It Going to Cost?
- End-to-end vs. Point-to-Point, You Choose, You Define
- The Asymmetric Payments Ecosystem
- Encryption is not Authentication
Table of Figures
- Figure 1: The Matryoshka Doll Problem
- Figure 2: Estimated Tier 1 Merchant PCI Cost Savings with E2EE
- Figure 3: Encryption Security Zones
- Figure 4: Encryption Flow through Zones
- Figure 5: TNS network deployment of VeriShield Protect
- Figure 6: No Shortage of Global Security Standards
- Figure 7: Where Ends Meet
| 
