Wednesday, 29 September 2010 09:17
Comment: US report advocates end-to-end encryption, but PCI 2.0 won’t support it
Latest PCI deadline of September 30 looms and Version 2.0 expected in October

As we move towards the latest release of PCI DSS (Version 2.0) and new requirements for the current PCI DSS which kick in on Thursday September 30, a new research brief argues in favour of end-to-end encryption (E2EE) of card data.

Mercator reports that PCI compliance costs merchants more than US$2bn annually in the US alone, but what it fails to mention is that E2EE, which ensures that merchants never hold unencrypted card data, will not be covered by the new 2.0 PCI release, so there is no guarantee that its use will put the merchant out of scope of the regulations as advocates suggest.

The research brief has been sponsored by VeriFone Systems which is a strong advocate of E2EE, having its own data centre, and Transaction Network Services. It concludes that with card data encryption "merchants are, at last, in a position to [eliminate] a big chunk of their ongoing compliance costs and to get off of the PCI treadmill." Except that this hasn’t been agreed yet by the PCI council.

There is no doubt that the card networks, and Visa in particular, believe that E2EE is a good way of moving small merchants out of the scope of the PCI rules, by ensuring they never hold card data in unencrypted form. Other organizations, mostly processors, would be responsible for storing and handling card details during the period when they have to be decrypted.

But while E2EE remains outside of the PCI DSS rules, it is difficult to see how it can be embraced by the merchant fraternity.

A recent report from Visa, covering a number of new technology development areas within the card community, including server and desktop virtualization, tokenization of regulated data, end-to-end encryption (E2EE) of card holder information and the use of cloud-based applications states: “In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions.

“Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS)."

How Tokenization Works
“Tokenization defines a process through which PAN data is replaced with a surrogate value known as a ‘token’. The security of an individual token relies on properties of uniqueness and the infeasibility to determine the original PAN knowing only the surrogate value. As a reference or surrogate value for the original PAN, a token can be used freely by systems and applications within a merchant environment.

“Where properly implemented, tokenization allows merchants to limit the storage of cardholder data to within the tokenization system, potentially simplifying an entity’s assessment against the PCI DSS. As a reference or surrogate value for the original PAN, a token can be used by systems and applications within a merchant environment without having to consider the security implications associated with the use of cardholder data.

“The security and robustness of a tokenization system is dependent upon the secure implementation of four critical components, and the overall management of the system and any historical data:
    Token Generation: Defines the process through which a token is generated.
    Token Mapping: Defines the process for associating a token to its original PAN value.
    Card Data Vault: Defines the central repository of cardholder data used by the token mapping process.
    Cryptographic Key Management: Defines the process through which cryptographic keys are managed and how they are used to protect cardholder and account data.”
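The two token properties Visa names above, uniqueness and the infeasibility of recovering the PAN from the token alone, are easy to get wrong. The following is an added Python example, not code from the article or from Visa: it shows why an unkeyed hash of the PAN is not a token (the PAN space is small enough to brute-force once the BIN and last four digits are known, and both appear on receipts and in logs), and a minimal version of the four components Visa lists, with a random surrogate backed by a vault. The PAN is a constructed test number, the vault is an in-memory stand-in for encrypted storage under managed keys, and the class and function names are assumptions.

```python
"""Tokenization demo: why a token must be random, not a hash of the PAN.

Added example, not from the article or from Visa. The PAN below is a
constructed test number, and the vault is an in-memory stand-in for an
encrypted card data vault under managed keys.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SAMPLE_PAN = "4111111111111111"  # constructed test PAN (Luhn-valid, not a real card)


def luhn_sum(pan: str) -> int:
    """Weighted digit sum of the Luhn check (every second digit from the right doubled)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) % 10 == 0


# ---- The bad token: an unkeyed hash of the PAN --------------------------

def hash_token(pan: str) -> str:
    """Looks one-way, but the input space is far too small to resist brute force."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(token: str, bin6: str, last4: str) -> Optional[str]:
    """Invert hash_token for a 16-digit PAN when the BIN (first six) and the
    last four digits are known. Digits 7-11 are enumerated and digit 12 is
    solved from the Luhn check, so at most 10**5 hashes are needed."""
    for n in range(100_000):
        mid5 = "%05d" % n
        # Digit 12 is the 5th from the right, so Luhn does not double it: a 0
        # placeholder contributes nothing and the fix-up is a plain subtraction.
        placeholder = bin6 + mid5 + "0" + last4
        d12 = (-luhn_sum(placeholder)) % 10
        candidate = bin6 + mid5 + str(d12) + last4
        if hash_token(candidate) == token:
            return candidate
    return None


# ---- The proper token: a random surrogate backed by a vault -------------

class TokenVault:
    """Minimal form of the four components in the Visa text (assumed design).

    token generation: CSPRNG digits, length and last four preserved
    token mapping:    _token_to_pan
    card data vault:  the same dict, standing in for encrypted storage
    key management:   index_key, an HMAC key used only to recognise a PAN
                      that was already tokenized without storing it in clear
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_to_pan = {}  # type: Dict[str, str]
        self._pan_index = {}     # type: Dict[str, str]  # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]  # same PAN, same token (uniqueness cuts both ways)
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject Luhn-valid tokens so a token that leaks
            # cannot be mistaken for, or submitted as, a live card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; anything holding just the token learns nothing."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    leaked = hash_token(SAMPLE_PAN)
    print("hash token recovered:", recover_pan_from_hash(leaked, SAMPLE_PAN[:6], SAMPLE_PAN[-4:]))
    vault = TokenVault(secrets.token_bytes(32))
    tok = vault.tokenize(SAMPLE_PAN)
    print("random token:", tok, "-> detokenize:", vault.detokenize(tok))
```

The brute force succeeds in well under a second, which is the practical meaning of "infeasibility to determine the original PAN knowing only the surrogate value": it has to come from the token being independent of the PAN, not from the hash function. The keyed index is what lets the vault hand the same token back for a returning card; its key is one of the secrets that component four exists to manage.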

So far however, there has been no concrete decision on whether E2EE enables merchants to escape the rules by being out of scope, or indeed, how cloud computing and other technological advances should be handled.

George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service who authored the research report says end-to-end infrastructure is no longer a "difficult-to-manage" task and can be implemented as a system or through managed services.

"Today's encryption toolkit of POS terminals, software, secure network and decryption services means merchants no longer have to assume the same level of risk and responsibility for information security, exposure to breach-related fines and fees, and enterprise-wide PCI compliance audits," Peabody says.

The report notes there is much "misinformation swirling around payment card security," in particular the expectation by some that deployment of the EMV smartcard standard in the US could solve all card security issues. Noting that realization of EMV in the US "will take five to ten years of patience," Mercator's Peabody states that EMV "is not an entirely secure solution" and "cannot plug all the holes in a multi-channel world."

Peabody asserts that "today's card-number encryption technology is deployment-ready and effective" and that waiting for a smartcard-based approach "exposes merchants to unacceptable costs and losses for many years."

Absolutely right, but someone should perhaps explain to him that EMV chip & PIN and PCI DSS address card security from different directions. Chip & PIN doesn't stop merchants holding card data and does nothing at all to secure Card Not Present transactions.

What we know about the PCI DSS standard requirements so far
The new PCI DSS Version 2.0 will be released at the end of October, but there is an additional deadline on Thursday 30 September 2010, requiring all level one merchants (those processing more than six million transactions per year) to adhere to the original v1.2 guidelines or face the consequences of non-compliance.  

The deadline also affects level two, three and four merchants.  From here forward, any smaller company suffering a breach will be automatically moved up to level one status, resulting in additional policies, procedures and higher costs. 

With this latest deadline looming – and the penalties for non-compliance more costly and onerous than ever – merchants have become more focused on achieving compliance.  

PCI DSS Version 2.0
The Payment Card Industry Security Standards Council (PCI SSC) has developed new versions of the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) for release at the end of October; each version will then remain in force for three years.

After that period, there will be a one-year sunset before the next generation of PCI standards take over.

This is based upon the new agreement in the cards markets which means that every three years a new standard is released to keep up with market and technology change, with a year to implement the new standards and phase out the old one.

It is disappointing that Version 2.0 will not be covering E2EE, because it offers a major benefit for small merchants not able or willing to put in complex and expensive data security systems.

E2EE encrypts cardholder data at the point of capture, so that what is transmitted bears no usable relation to the original card number. This means that even if the encrypted data were intercepted, it would be useless to data thieves without the decryption keys, which the merchant never holds.

This is achieved by using the latest card readers, which scan and encrypt the cardholder information prior to performing an electronic payment transaction.

These devices use Triple DES (the Triple Data Encryption Algorithm) with a Derived Unique Key Per Transaction (DUKPT) to encrypt and transmit cardholder data securely over any network, so that each transaction is protected under a different key and compromise of one key does not expose earlier transactions.

The terminals can also return a token in place of the PAN for the merchant's own records, so that what the merchant stores is unrelated to the original card number and is useless to data thieves if it is ever stolen.

So why is it that the PCI SSC is producing a new standard that appears to ignore such a key area of development?

The answer may be seen from the Mercator report. The US is woefully behind in card technology, struggling to keep its mag-stripe card base secure against mounting odds. Much of today's card fraud originates in the US, and this can only increase as both Canada and Mexico move to chip and PIN.

If chip and PIN is seen as five to ten years away, then E2EE and its inevitable cost implications probably seem light years into the future. Verifone, which sits on the PCI council undoubtedly worked hard to sway opinion, but the US lobby remains all powerful, especially in the card networks. Until the benefit of both chip and PIN and E2EE rises above the cost, it is unlikely that anything further will be mandated.

It is estimated that the cost of chip and PIN migration in the US would be US$10 billion, while US banks and merchants would save a total of around US$394 million annually. At those numbers, staying put currently seems a no-brainer, especially as there is no liability shift in the US, meaning that acquirers/merchants cannot recoup the losses on bad US transactions. Little is likely to change until the world card business gets more powerful than the US one, or until acceptance of US cards gets so low that consumers themselves call for change.