End to end encryption – the panacea for payment security or just another commodity?
We’re all hearing a lot about end to end encryption as a security solution for the payments industry at the moment.
The message being pushed out is that merchants all need to replace their PEDs with more recent, encryption-capable models, so that as soon as card details hit the PED, the PED encrypts the card data with a public key and sends it off to a third-party payment processor, who then decrypts it with the private key and handles authorisation and settlement.
Fair enough, it sounds like a reasonable idea, but hang on… why should you even need to replace your PED estate at high cost and sign a contract with yet another third party to handle these payments?
We already have a perfectly capable encryption device embedded in our credit cards, aka the Chip, and the card schemes are already working on what should be the real definition of end to end encryption: the card itself ‘encrypts’ the data (or uses an already encrypted block), and it stays encrypted all the way through the merchant and the acquiring bank until it hits the issuer network and is decrypted there.
All other solutions, no matter how they’re marketed, are simply point to point encryption solutions that just push the problem upstream and into the PED.
Whilst point to point encryption serves as a stepping stone, it’s not the be-all and end-all: it will cost you to replace your PED estate, and whilst you might save on transaction rates by going through a decryption intermediary / payment processor, it doesn’t actually fully solve the fraud issue.
Ending on a positive note, the point to point encryption solutions on the market at the moment do help push stores into SAQ-A, as opposed to SAQ-D or a full RoC, they do lower transaction rates and they do push security upstream, leaving retailers free to actually get on with a bit of selling.
The days of card fraud are numbered, but given there are 2.4 billion bits of plastic in the world, we’re still at least a good 2 or 3 years away from even getting a whiff of this technology.
Just don’t get left with a skipful of all-singing, all-dancing third generation PEDs in around 3 years’ time, and don’t get drawn into long-term contracts or think you can depreciate your PED investment over 10 years, as it looks like you’ll need a new batch in 3… just in time for PCI DSS 3.0. 🙂