An effort to make current data security measures significantly more secure is poised to get underway.
The Accredited Standards Committee X9, a group accredited by the American National Standards Institute, is getting ready to start work on something called the Sensitive Card Data Protection Between Device and Acquiring System program, better known as end-to-end encryption.
End-to-end encryption systems encrypt card data under a strong cipher from the moment a consumer swipes a card at a point-of-sale terminal until the card issuer decides whether to approve the transaction. At no point in the process would the card data be readable by anyone without the means to decrypt it.
The model for the system ASC X9 and others will eventually create is the so-called triple data encryption system (Triple-DES) that safeguards financial information sent for transactions over ATMs. In Triple-DES, each data block is passed through the familiar Data Encryption Standard (DES) cipher three times. That triple application yields what is considered an almost impregnable code, one whose track record, industry sources said, speaks for itself.
Since Triple-DES was widely implemented in 2004, there have been no cases of financial information being hacked from ATMs or during ATM transactions. In cases where information was stolen as part of ATM transactions, the theft was accomplished by attaching something external to the ATM face to fool a consumer into entering card data. Once in the machine, the ATM card data is secure.
“Make no mistake, I think end-to-end encryption is the way we should go and the way I think we will go, but I have some doubts about these initial steps,” explained Jim Hanisch, executive vice president with CO-OP Financial Services, who has a lot of experience with the development and deployment of Triple-DES.
Hanisch said that while he wholeheartedly endorsed the Triple-DES effort for card transactions, the current efforts were driven by too many different factions, including the manufacturers of point-of-sale terminals, merchants and card processors.
Heartland Payment Systems, the card processor that disclosed a serious breach in January 2009, said it would host a May 7 workshop to “brainstorm technical approaches to protecting data” ahead of the first ASC X9 meeting in early June.
Heartland, one of the nation's largest payments processors, is a member of the ASC X9 working group. Heartland CEO Bob Carr took a higher-profile role in promoting end-to-end encryption as a means to enhance consumer data security at all points of a payments transaction after his own firm had a data breach.
Critics have charged that Carr and Heartland are trying to distract attention as the company begins to defend itself from lawsuits stemming from the breach, indicating how potentially politicized and fractious the effort to develop end-to-end encryption could become.
But Heartland is not alone in promoting end-to-end. “All players in the payments industry have a mutual stake in protecting consumer information,” said Dodd Roberts, president/CEO of the Merchant Advisory Group. “It is essential that industry leaders work together to eliminate all risk to personal information.” MAG, a “nonprofit industry association that brings together all parties in the payments industry to collaborate on issues and ensure the voice of merchants is represented,” is also a member of ASC X9.
“Everyone says they want end-to-end encryption and to protect the payment system, but what they really mean is that they want those things without having to pay too much,” estimated Chuck Cashman, a former card executive currently with CUNA Mutual Group.
Cashman also strongly endorsed the effort to develop end-to-end encryption, but was pessimistic about actually getting such a system developed.
Cashman pointed out that what is really being discussed is not simply end-to-end encryption for transactions, but an overall encryption regime that could include encrypting the information on cards or using a chip and pin system already used in Europe. He also noted that any such regime would probably have to cover data possibly stored in merchant processors.
Merchants have argued that they have to store at least some card data for a period of time after a transaction in order to facilitate merchandise returns and refunds. Cashman pointed out that even though Heartland stored its data in encrypted form on its servers, the data was moved back and forth internally in unencrypted form, where it was captured by malicious software installed by data thieves.
Lack of information also complicated developing a more secure payment system, he said. “For example, I think that the overall effort to develop real protection for the payments system has been hampered because no one knows the real cost of fraud,” Cashman said. “Before Visa and MasterCard became publicly traded companies, they used to come out with fraud information every quarter so that everyone could see what the real cost of fraud is. Now that they have become publicly traded, we never see that information any more, and no one else does either.”
Cashman said the lack of information about the real cost of fraud is significant in the encryption debate, because it deprives the discussion of the context it needs to move forward.
© 2025 ALM Global, LLC, All Rights Reserved.