End-to-end encryption, dynamic cryptograms and EMV are all options being considered to protect payment transaction data in the U.S. The goal is to prevent data breaches, such as the one with Heartland Payment Systems in 2008, and make it easier for merchants and processors to secure the information.
It’s estimated that tens of million of payment card numbers were compromised when hackers planted malicious software in Heartland’s system. Processors and merchants are supposed to comply with the Payment Card Industry Data Security Standard, a specification that many say is confusing, onerous and doesn’t do enough to protect payment card information.
End-to-end encryption is the technology being discussed most often as a solution to payment card woes. The problem though is that there are no standards around it and definition of what it is vary.
“End-to-end encryption uses a form of cryptography that hasn’t been blessed yet,” says Sid Sidner, director of security engineering and master engineer at ACI Worldwide, a payment card software provider. “People would feel better if there were a standardized form.”
But providers are working on standardizing an encryption solution. Heartland Payment Systems, the fifth-largest payments processor in the U.S., is in the soft launch for a product that it hopes the industry will accept, says Steve Elefant, chief information officer and architect of Heartland’s E3, it’s end-to-end encryption product.
Heartland’s definition of end-to-end encryption requires that the data is secured from the time it leaves the mag stripe, through the point-of-sales terminal, over the wires, through its processing network until it’s delivered to the card brands, Elefant says. “We have it protected for the entire lifecycle of the transaction,” he adds.
This required the payment processor to come up with new hardware and software, Elefant says. Heartland looked at the existing payments terminals and didn’t find anything that fit its needs so it created its own. The new terminal features a tamper resistant security module (TRSM) that if tampered with will wipe out the security keys and make it inoperable.
“The realization we came to is there is no such thing as secure software,” Elefant says. “The prevalence of malware and sniffers is so great that if you’re going to have security you need physical and logical security and that’s what we do with the encryption of the TRSM. The bad guys have gotten really smart and we want to build the firewalls that keep them out but if they do get in the data won’t be usable.”
E3 has other security features as well, Elefant says. The system does dynamic data authentication, which makes sure the card has not been fraudulently created. The system also does tokenization of the payment card information.
While Heartland’s E3 is a homegrown technology, the company is working with payment standards groups to change that and expand its reach, Elefant says. “We need to define end-to-end encryption so things aren’t proprietary,” he says. “Protection against bad guys shouldn’t be a competitive differentiator.”
Still, Elefant also doesn’t think the technology should be mandated. “We’re offering it to merchants to be more secure and make transactions more secure,” he says. “We never anticipate we’ll have 100% adoption of end-to-end encryption.”
But Heartland is attempting to make it an appealing option for merchants. The company is lobbying the PCI Council so that any merchant using the system would be in compliance with the data security standards. There are also discussions with the card brands to potentially lower interchange fees for merchants as well.
“The brands can reduce the interchange cost and then after some point in time if you don’t move to it they’ll charge you more,” Elefant says.
The Smart Card Alliance has another idea, contactless smart cards with dynamic cryptograms, says Randy Vanderhoof, executive director of the organization. The advantage is the contactless cards that U.S. banks have issued already use this technology.
When a consumer taps the contactless card on a reader, it’s not the static credit card number that’s transmitted but the dynamic cryptogram. “We need to shift the conversation from contactless being a convenience product to have it also be considered a strategy to improve security and reduce fraud,” Vanderhoof says.
The alliance posits that contactless has a number of advantages, including less of an impact on the payments acceptance infrastructure for merchants, acquirers and issuers; enabling merchants to implement a solution more quickly and without waiting for new standards; and reducing the threats posed by cloning magnetic stripe-based cards and stealing cardholder data.
Chip and PIN
EMV is frequently mentioned as a solution, Sidner says. Most industrialized countries, including all of Europe, Canada and Mexico, have either made the switch or are in the process of changing.
The knock against chip and PIN is it’s high cost and the long time lines for deployment. Estimates range from $15 billion to $30 billion and three to five years to deploy EMV in the states. Banks would have to reissue all cards, merchants would have to deploy new terminals and the backend infrastructure from the processors would have to be implemented.
Heartland announced its putting chip and pin technology into its E3 terminal so there is the ability of future expansion as the brands like MasterCard speak more about EMV type technology in U.S.
Sidner says it’s just a matter of time before the U.S. goes with EMV. “In some ways it’s inevitable,” he says. “European issuers still have to put mag stripes on the back of the cards because of the U.S. There’s lots of card not present fraud in the U.S., and because we don’t use it the power of chip and PIN is diluted.”
Chip and PIN is also a proven technology, having been deployed and tested against attacks, Sidner says. “You can buy products that have proven security and proven reliability,” he says.
That said, end-to-end encryption may have its day as well. “Heartland and the people who are working on it are trying to get something out there pretty quickly, more so than the three to five year time frame that most other technologies take,” Sidner adds.
PCI Council considers new technologies for payment card security
Mark Lobel, principal at PricewaterhouseCoopers, gave a presentation at a PCI conference on some new technologies that could be used to secure payment data. The PCI Council will begin reviewing its standard and potentially considering new technologies and Lobel’s job was briefing the council on some of those options.
After 2,000 hours of work and 160 interviews PricewaterhouseCoopers decided to focus on end-to-end encryption, tokenization, virtual terminal and magnetic-stripe imaging, Lobel says. Each of these technologies may be used as standalone systems or paired with others. EMV, or chip and PIN, wasn’t in the scope of the survey since it’s a widely deployed technology.
- End-to-end encryption would use cryptography to encode any payment data from the moment a card is swiped until it is received by the bank brand.
- Virtual terminals outsource the payment card processing system and has the merchant working with a remote system. “The backend doesn’t sit with the merchant, it’s handled by a third party,” Lobel says. Virtual terminals can be paired with end-to-end encryption.
- Tokenization would replace static credit card numbers with a unique reference number for each transaction.
- Mag stripe imaging gathers unique information from the stripe to confirm that it isn’t a cloned card.