An effort to make current data security measures significantly more secure is poised to get underway.
The Accredited Standards Committee X9, a group accredited by the American National Standards Institute, is getting ready to start work on something called the Sensitive Card Data Protection Between Device and Acquiring System program, better known as end-to-end encryption.
End-to-end encryption systems encode card data in a very secure cipher from the moment a consumer swipes their card at a point-of-sale terminal to the point the card issuer determines whether to approve the transaction. At no point in the transaction process would the card information be accessible to anyone lacking the technology to decipher it.
The model for the system ASC X9 and others will eventually create is the so-called triple data encryption system (Triple-DES) that safeguards financial information sent for transactions over ATMs. In Triple-DES, each data block is subjected to a familiar data encryption system three times. Doing it three times would put the data into what is considered an almost impregnable code, which has a record that, industry sources said, speaks for itself.
Since Triple-DES was widely implemented in 2004, there have been no cases of financial information being hacked from ATMs or during ATM transactions. In cases where information was stolen as part of ATM transactions, the theft was accomplished by attaching something external to the ATM face to fool a consumer into entering card data. Once in the machine, the ATM card data is secure.
“Make no mistake, I think end-to-end encryption is the way we should go and the way I think we will go, but I have some doubts about these initial steps,” explained Jim Hanisch, executive vice president with CO-OP Financial Services, who has a lot of experience with the development and deployment of Triple-DES.
Hanisch said that while he whole-heartedly endorsed the Triple-DES effort for card transactions, the current efforts were driven by too many different factions, including the manufacturers of point-of-sale terminals, merchants and card processors.
Heartland Payment Systems, the card processor that announced a serious breach in January 2009, said it would host a May 7 workshop to “brainstorm technical approaches to protecting data,” prior to the first ASC X9 meeting in early June.
Heartland, one of the nation's largest payments processors, is a member of the ASC X9 working group. Heartland CEO Bob Carr took a higher profile role in promoting end-to-end encryption as a means to enhance consumer data security at all points of a payments transaction after his own firm had a data breach.
Critics have charged that Carr and Heartland are trying to distract attention as the company begins to defend itself from lawsuits stemming from the breach, indicating how potentially politicized and fractious the effort to develop end-to-end encryption could become.
But Heartland is not alone in promoting end-to-end. “All players in the payments industry have a mutual stake in protecting consumer information,” said Dodd Roberts, president/CEO of the Merchant Advisory Group. “It is essential that industry leaders work together to eliminate all risk to personal information.” MAG, a “nonprofit industry association that brings together all parties in the payments industry to collaborate on issues and ensure the voice of merchants is represented,” is also a member of ASC X9.
“Everyone says they want end-to-end encryption and to protect the payment system, but what they really mean is that they want those things without having to pay too much,” estimated Chuck Cashman, a former card executive currently with CUNA Mutual Group.
Cashman also strongly endorsed the effort to develop end-to-end encryption, but was pessimistic about actually getting such a system developed.
Cashman pointed out that what is really being discussed is not simply end-to-end encryption for transactions, but an overall encryption regime that could include encrypting the information on cards or using a chip-and-PIN system already used in Europe. He also noted that any such regime would probably have to cover data possibly stored in merchant processors.
Merchants have argued that they have to store at least some card data for a period of time after a transaction in order to facilitate merchandise returns and refunds. Cashman pointed out that even though Heartland had its data stored in an encrypted form on its servers, it was moved back and forth internally in a free form, which was then captured by malicious software installed by data thieves.
Lack of information also complicated developing a more secure payment system, he said. “For example, I think that the overall effort to develop real protection for the payments system has been hampered because no one knows the real cost of fraud,” Cashman said. “Before Visa and MasterCard became publicly traded companies, they used to come out with fraud information every quarter so that everyone could see what the real cost of fraud is. Now that they have become publicly traded, we never see that information anymore, and no one else does either.”
Cashman said the lack of information about the real cost of fraud is significant in the encryption debate, because it deprives the discussion of the context it needs to move forward.