The E3 Blog

Moving in the Right Direction: End-to-End Encryption Security Requirements

Thursday, July 29th, 2010

The industry is all abuzz about “end-to-end encryption” — but what does that really mean? A clear definition is required if we’re to fairly evaluate the various products claiming to employ this technology.

Heartland defines end-to-end encryption as spanning four zones of the card processing ecosystem:

  1. From data entry/card read at a merchant location to the payments processor’s authorized network;
  2. From entry to that network and throughout the entire processor/sub-contractor network where data is in motion;
  3. While the data resides in a central processing unit (CPU) or a host security module (HSM). An HSM is a specialized server that locks down information;
  4. In storage where data is at rest.

Some technologies that claim to have end-to-end encryption actually feature “point-to-point” safeguards — encrypting the data only while it is in transit between zones, and leaving the information in the clear and vulnerable at other points.

Business owners desperately need providers to be transparent about how far and wide their security protection spans so merchants can make educated decisions about the best security solution for their businesses. The industry can and should help on this front.

At the end of May, the Secure POS Vendor Alliance (SPVA) — on which I serve as associate member director — released its End-To-End Encryption Security Requirements. The requirements define end-to-end encryption as “a system in which sensitive cardholder data is encrypted upon entry into the POS device and transmitted encrypted to the payment processor.” These standards provide a solid foundation that security solutions can be measured against and have been needed for quite some time. They are a step in the right direction and will hopefully incite other industry organizations to take similar action for the good of business owners and the payments industry alike.

2 Comments

  1. anne says:

    I need to register the Omak Inn but I’m unsure about which program we fall into. Please get back to me asap so I can get this taken care of.

    thanks Anne
    1-800-204-4800

  2. Larry Godfrey says:

    Anne, thanks for your interest in our E3 end-to-end encryption technology. A Heartland representative will follow up with you shortly to discuss next steps. Thank you.
