Posted by: Robert Westervelt
data security, PCI compliance, tokenization
The First Data-RSA partnership is pitted against the Heartland-Voltage E3 project in the payment industry race for securing transactions.
Like the Betamax vs. VHS format war or the Blu-ray vs. HD DVD scuffle, the transaction processors in the payment industry are wrestling with how to secure credit card data without affecting transaction times or strapping merchants with additional costs. So far there are two options on the table: Format-preserving encryption vs. in-motion encryption and token technology.
In June, Heartland Payment Systems Inc. announced that it would work with Voltage Security Inc. and others to design a credit card masking service called E3 that uses format-preserving encryption. Heartland CEO Robert Carr briefly mentioned the E3 project at a Sept. 17 Senate panel hearing on his company’s breach. He told the Senate Homeland Security and Governmental Affairs Committee that the goal is to make credit card data unreadable to outsiders at the point of the swipe.
Another processor is working toward the same goal. Last week, while payment industry experts met at the Mandalay Bay Resort and Casino in Las Vegas for the Payment Card Industry Security Standards Council North American Community Meeting, First Data Corp. made a broad announcement, telling the industry that it planned to take a different route. First Data said it would partner with RSA to use its tokenization technology and provide end-to-end encryption and tokenization for merchants.
Which method will win the industry’s favor is anybody’s guess. But it’s likely to be a combination of the two. First Data hasn’t provided the cost of its service, but claims it won’t slow transaction times by issuing tokens. The First Data implementation should be fairly easy for merchants. Most of the work will take place on First Data’s servers. The Heartland E3 service consists of new payment terminals. Beyond the costs associated with buying and deploying the terminals, Heartland says there would be no monthly encryption maintenance fees, no key management fees, and no activation fees. Heartland has a good website describing the E3 project and its status.
Experts largely agree that these offerings are a step in the right direction to better protect sensitive payment data. Our site experts have written extensively about tokenization. Tokenization technology is a cheaper way to comply with PCI DSS, but by no means is it a silver bullet. Experts say it helps scale down the scope of a PCI assessment by making network segmentation easier. Expert Mike Chapple explained how to implement a PCI network segmentation.
One of our best pieces of advice came last year from a former certified PCI quality security assessor (QSA). He said merchants should focus on eliminating data, not securing it. The faster the data is purged from a merchant’s systems, the less likely it will have to deal with a costly data breach.
Until a solution is embraced by the entire payment industry, attackers will continue to find holes that give them access to those coveted credit card numbers. For now, we’ll have to take a step back until a method is found that satisfies both merchants and payment processors. Maybe the winning solution hasn’t been invented yet.