Security Bytes

Sep 29 2009   2:08PM GMT

Experts, vendors search for PCI’s holy grail

Robert Westervelt


The First Data-RSA partnership is pitted against the Heartland-Voltage E3 project in the payment industry race for securing transactions.

Like the Betamax vs. VHS format war or the Blu-ray vs. HD DVD scuffle, the transaction processors in the payment industry are wrestling with how to secure credit card data without affecting transaction times or strapping merchants with additional costs. So far there are two options on the table: Format-preserving encryption vs. in-motion encryption and token technology.

In June, Heartland Payment Systems Inc. announced that it would work with Voltage Security Inc. and others to design a credit card masking service called E3 that uses format-preserving encryption. Heartland CEO Robert Carr briefly mentioned the E3 project at a Sept. 17 Senate panel hearing on his company’s breach. He told the Senate Homeland Security and Governmental Affairs Committee that the goal is to make credit card data unreadable to outsiders at the point of the swipe.

Another processor is working toward the same goal. Last week, while payment industry experts met at the Mandalay Bay Resort and Casino in Las Vegas for the Payment Card Industry Security Standards Council North American Community Meeting, First Data Corp. made a broad announcement, telling the industry that it planned to take a different route. First Data said it would partner with RSA to use its tokenization technology and provide end-to-end encryption and tokenization for merchants.

Which method will win the industry’s favor is anybody’s guess, but it’s likely to be a combination of the two. First Data hasn’t provided the cost of its service, but claims that issuing tokens won’t slow transaction times. The First Data implementation should be fairly easy for merchants, since most of the work will take place on First Data’s servers. The Heartland E3 service consists of new payment terminals. Beyond the costs associated with buying and deploying the terminals, Heartland says there would be no monthly encryption maintenance fees, no key management fees, and no activation fees. Heartland has a good website describing the E3 project and its status.

Experts largely agree that these offerings are a step in the right direction toward better protecting sensitive payment data. Our site experts have written extensively about tokenization. Tokenization is a cheaper way to comply with PCI DSS, but by no means is it a silver bullet. Experts say it helps scale down the scope of a PCI assessment by making network segmentation easier. Expert Mike Chapple explained how to implement PCI network segmentation.
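To make the scope-reduction argument concrete, here is an added example (not code from First Data, RSA, Heartland, Voltage or any vendor named in this post) of the vault-based tokenization pattern the post describes: the processor keeps a vault that maps each card number (PAN) to a random token of the same length and last four digits, and the merchant only ever stores the token. The test PAN 4111 1111 1111 1111 is a constructed sample value, and the choice to reject tokens that happen to pass the Luhn check (so a token can never be mistaken for a real PAN downstream) is a design assumption of this example.

```python
import secrets
import threading


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is a digit string that passes the Luhn check."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault mapping format-preserving random tokens to PANs.

    A token keeps the PAN's length and last four digits so receipts and
    customer service keep working, but every other digit is random, so a
    stolen token reveals nothing about the card and cannot be used to pay.
    Only the processor holds the vault; the merchant never sees this class.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        self._lock = threading.Lock()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for `pan`, or mint a new random one."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        with self._lock:
            existing = self._pan_to_token.get(pan)
            if existing is not None:
                return existing          # same card always maps to same token
            while True:
                body = "".join(secrets.choice("0123456789")
                               for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                # Reject collisions, the PAN itself, and (design assumption)
                # any token that would pass Luhn and thus look like a PAN.
                if token in self._token_to_pan or token == pan or luhn_valid(token):
                    continue
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN for a token; only the processor can do this."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return pan


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant persists after a sale: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 1999)
    print("merchant stores:", rec)
    print("processor recovers:", vault.detokenize(rec["token"]))
```

The merchant's database now holds only values that are useless to an attacker without access to the processor's vault, which is exactly why the systems that store them can be argued out of PCI scope. A format-preserving-encryption service such as the E3 design would replace the random body with a keyed permutation of the PAN digits, removing the vault lookup but making key management the critical control; that is the trade-off between the two approaches the post contrasts.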

One of our best pieces of advice came last year from a former certified PCI Qualified Security Assessor (QSA). He said merchants should focus on eliminating data, not securing it. The faster the data is purged from a merchant’s systems, the less likely it is to have to deal with a costly data breach.

Until a solution is embraced by the entire payment industry, attackers will continue to find holes that give them access to those coveted credit card numbers. For now, we’ll have to take a step back until a method is found that satisfies both merchants and payment processors. Maybe the winning solution hasn’t been invented yet.

1 Comment on this Post

Skendus:

The First Data-RSA approach that uses encryption and tokenization to protect cardholder data seems to be moving to the forefront. In fact, in a press release from August 2009, Electronic Payment Exchange (EPX) announced that it became the first payment processor to offer a true end-to-end solution that endorses and incorporates both tokenization and encryption for securing cardholder data from the card reader through the entire transaction lifecycle. Using encrypted card readers with EPX’s BuyerWall™ credit card data tokenization technology, EPX has virtually removed merchants’ point-of-sale systems and card readers from the scope of PCI compliance and has substantially eliminated merchant liability associated with the risk of processing, transmitting, and storing sensitive cardholder data. Encryption built into hardware and software at the point of sale provides strong protection against potential breaches before card numbers enter into the authorization process by immediately encoding credit card numbers upon the card swipe. Further securing the transactions, tokenization provides unsurpassed security against data breaches and identity theft after the initial card swipe by replacing account numbers with values that are meaningless to hackers and identity thieves. While others are in the research and development phases of building solutions that use both encryption and tokenization, EPX's solutions are already in production.
