Since Heartland suffered a data breach (disclosed in January), they’ve become the poster child for end-to-end encryption. This is defined as encrypting card information from the moment it’s swiped until it reaches the card issuer. Of course, there may be some motivation provided by the fact that Heartland plans to sell a proprietary end-to-end encryption system by the end of this year. (Not sure I’d buy it from them!)
It sounds like a perfect solution, until you get into the mechanics. And that’s where the problems begin:
Hardware – Are all POS (Point of Sale) registers going to be able to handle the increased load of CPU cycles to encrypt and decrypt? It seems like all the vendors want you to use their hardware.
Software – Not all POS solutions are the same. What about companies that use registers AND online sales? Plus, there is currently no standard for what kind of encryption should be used. So you must go with a proprietary solution all the way through. How many companies can afford to replace so much materiel?
Location, location, location – Where does the data get stored? Can the database decrypt and re-encrypt? What about Call Centers, Fraud Management, or Marketing? They need to look at the information. Ultimately, where are the encryption keys stored and who/what has access to them?
Of the six vendors offering E2E, all of them require changes to POS systems.
And should this technology be implemented, it will not release businesses from complying with PCI. No, a report will still have to be delivered to the acquiring bank on an annual basis, signed by a C-level executive.
There’s no free lunch, it seems.