The E3 Blog

Not All Encryption is Created Equal

Wednesday, March 30th, 2011

Despite recent debates on the topic of credit card security, there is one thing security experts and analysts agree on — the need for end-to-end encryption.

It’s no secret the payments ecosystem is vulnerable. Much like the Internet, the payments infrastructure was developed for connectivity — not for security. Now, in the face of serious threats, the industry is playing catch up to safeguard it.

Today, wherever you see mention of payment card data security, “encryption” is sure to follow. Industry analysts, like Gartner’s Avivah Litan, are vocal in their support of end-to-end encryption. In a recent Computerworld blog, she notes, “End-to-end encryption … is a good security practice, but one which is not mandated.”

Before merchants can be required to implement end-to-end encryption, the industry must address the nature of encryption itself. Not all encryption is created equal. Software-based encryption is better than none, but it is not as secure as hardware-based encryption: the key and the clear-text card data both exist on a general-purpose system that can be compromised. Encrypting data after it has passed through a merchant system in the clear is quite different from encrypting it the moment a card is swiped, inside a hardware-protected tamper-resistant security module (TRSM), so that the merchant system never holds clear-text card data or the key. And protecting data only at disparate stages of the transaction lifecycle, as point-to-point encryption does, is hardly the same as protecting it continuously throughout the entire lifecycle, as true end-to-end encryption does.
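To make the distinction above concrete, here is an added example written for this page; it is not code from Heartland or from the E3 product. It models the two designs with the same cipher (AES-GCM, an assumption; the post names no cipher) and a constructed track 2 record carrying the standard Visa test PAN. The "reader" is simulated as a function rather than real tamper-resistant hardware, and key management (how the reader and the processor come to share a key) is stubbed with a fixed demo key. What the example shows is the property the hardware exists to enforce: where the clear-text card data and the key are allowed to exist.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample (not real card data): the Visa test PAN in a track 2 record.
var sampleTrack2 = []byte(";4111111111111111=25121011000012345678?")

// Packet is what the merchant host receives and forwards to the processor.
type Packet struct {
	Nonce, Ciphertext []byte // AES-GCM; the tag is appended to Ciphertext
	Last4             string // clear-text field the merchant needs for receipts
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTrack is the encryption step. It is identical in both designs; what
// differs is which component runs it, and so where key and plaintext live.
func encryptTrack(key, track2 []byte) (Packet, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Packet{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, err
	}
	pan := track2[bytes.IndexByte(track2, ';')+1 : bytes.IndexByte(track2, '=')] // assumes well-formed track 2
	return Packet{nonce, aead.Seal(nil, nonce, track2, nil), string(pan[len(pan)-4:])}, nil
}

// RunSwipe models one transaction. With readerEncrypts the reader (TRSM) holds
// the key and encrypts before data leaves the device; otherwise the POS software
// encrypts after handling the clear-text track. The second return value is
// everything that passed through the merchant host's memory.
func RunSwipe(readerEncrypts bool, key, track2 []byte) (Packet, []byte, error) {
	var hostMem []byte
	if !readerEncrypts {
		hostMem = append(hostMem, track2...) // plaintext (and the key) now on the host
	}
	p, err := encryptTrack(key, track2)
	if err != nil {
		return Packet{}, nil, err
	}
	hostMem = append(append(append(hostMem, p.Nonce...), p.Ciphertext...), p.Last4...)
	return p, hostMem, nil
}

// ProcessorDecrypt is the far end of the encrypted path.
func ProcessorDecrypt(key []byte, p Packet) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}

// ScrapeForPAN mimics a memory-scraper heuristic: a maximal run of 13 to 19
// ASCII digits that passes the Luhn check. (Real scrapers also slide windows
// inside longer runs; maximal runs are enough for this demo.)
func ScrapeForPAN(mem []byte) bool {
	for i := 0; i < len(mem); {
		j := i
		for j < len(mem) && mem[j] >= '0' && mem[j] <= '9' {
			j++
		}
		if n := j - i; n >= 13 && n <= 19 && luhnOK(mem[i:j]) {
			return true
		}
		i = j + 1
	}
	return false
}

// luhnOK is the standard mod-10 check; the table is each doubled digit, digit-summed.
func luhnOK(d []byte) bool {
	luhnDouble := [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9}
	sum := 0
	for i := len(d) - 1; i >= 0; i-- {
		v := int(d[i] - '0')
		if (len(d)-1-i)%2 == 1 {
			v = luhnDouble[v]
		}
		sum += v
	}
	return sum%10 == 0
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // fixed demo key; real readers have keys injected
	for _, atReader := range []bool{true, false} {
		_, mem, _ := RunSwipe(atReader, key, sampleTrack2)
		fmt.Printf("reader encrypts=%v  PAN scrapable from host memory=%v\n", atReader, ScrapeForPAN(mem))
	}
}
```

In the reader-encrypts run the host memory holds only a nonce, ciphertext and the last four digits, so the scraper finds nothing, yet the processor still decrypts the full track; in the host-encrypts run the very same cipher is used, but the PAN sat in the POS process first and the scraper finds it. The cipher is not what separates the two designs; the trust boundary is.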

This is exactly why the industry needs encryption standards. Standard security requirements governing how encryption is used to secure payment card data would let merchants know, plainly, whether they are protecting their businesses from the reputational and financial risks that come with a data breach.

Last year, the Secure POS Vendor Alliance introduced its end-to-end encryption security requirements for vendors of POS devices. The American National Standards Institute (ANSI) accredited standards committee ASC X9 F6 is close to completing a true standard. These are significant steps in the right direction.

Encryption standards can’t come soon enough, but the lack thereof shouldn’t stop business owners from implementing true end-to-end encryption solutions today.
