Voltage Security Inc. and RSA, the security division of EMC, are exchanging blows over the best way to protect credit card data during the payment process.
Both vendors have partnered with different payment processors to develop slightly different methods to protect credit card data from the point a credit card is swiped at the point-of-sale (POS) system until a transaction is complete.
Voltage is partnering with beleaguered Heartland Payment Systems Inc. The processor, which was embroiled in the largest data breach in U.S. history, has vowed to shake up the industry by developing a system that encrypts data throughout the entire payment process. It has announced E3, a system that includes new credit card terminals and format-preserving encryption software that protects credit card data throughout the payment process.
Meanwhile, RSA announced a partnership with First Data Corp. to produce a data protection process that includes both encryption of data in motion and token technology. The tokenization would be handled by the processor and be returned to merchants, while the actual credit card numbers would be stored in a secure repository maintained by First Data. The process includes new countertop terminals for merchants or the deployment of a public key file integrated into a merchant's legacy POS software.
Neither processor has released pricing details. First Data said it would not charge a separate fee for storage. Heartland said it would not charge additional fees beyond the cost of new payment terminals.
Voltage is critical of the First Data-RSA partnership. Wasim Ahmad, vice president of marketing at Voltage, said tokenization does not have the potential to reduce scope of a PCI assessment in the same way as true end-to-end encryption.
"Specifically, the PAN capture system and all the potentially long network paths and their security to the tokenizer are in scope, as is the tokenization engine itself, the database and peripheral systems and processes if within the merchant's own environment," Ahmad said. "Also, the related methods of authenticating every single request to the tokenizer itself must be considered in scope."
But Brian Fitzgerald, vice president of marketing at RSA, dismissed Ahmad's assertion that the scope is not reduced as a result of the use of tokens. On the contrary, a merchant's data warehouses, CRM systems and systems for settlements and refunds would be out of scope of PCI DSS under the First Data Secure Transaction Management service, Fitzgerald said.
"The card number is replaced with a token value, which can't be linked back to the card number in any way," Fitzgerald said. "The tokenization server is out of scope because it resides at First Data, not in the merchant's environment."
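As an added illustration, not code from RSA, First Data, Voltage or this article, the following Python models the token flow described above: a processor-side vault is the only component that can map a token back to a card number (PAN), tokens keep the last four digits for receipts but are otherwise random, and they are generated to fail the Luhn check so a merchant-side scan can tell a live PAN from a token. The vault class, the test card numbers and the scanning regex are constructed for this example.

```python
import re
import secrets

# Constructed sample card numbers (industry test PANs, not real accounts)
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]

# Any run of 13-19 digits is a candidate PAN; Luhn decides whether it is live
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place the token -> PAN mapping lives.

    In the design the article describes this sits at the processor; the merchant
    never holds a reference to it, only the tokens it hands back.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        # Same PAN -> same token, so settlement and refunds can match on the token
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits for receipts; the rest is random, so the
            # token carries no information about the PAN it replaces.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that could be mistaken for a live PAN
            if token == pan or token in self._token_to_pan or luhn_valid(token):
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token):
        """Only the processor calls this, e.g. to settle against the card network."""
        return self._token_to_pan[token]


def merchant_record(vault, pan, amount_cents):
    """What the merchant's settlement or CRM system stores after tokenization."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def find_live_pans(text):
    """DLP-style scan: 13-19 digit runs that pass Luhn are reported as live PANs."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    records = [merchant_record(vault, pan, 1999) for pan in SAMPLE_PANS]
    print("merchant-side records:", records)
    print("live PANs found in merchant data:", find_live_pans(str(records)))
```

The non-Luhn rule is a design choice worth copying: because every token fails Luhn while every real PAN passes it, the same scan that would flag a leaked card number in the merchant's logs or databases stays quiet on tokenized data, which is the practical basis for claiming those systems hold no cardholder data.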
Under the Voltage-Heartland plan, encrypted card data remains resident in the merchant's systems and even if encrypted, the data would remain in scope for PCI DSS compliance, Fitzgerald said. The data would also have to be decrypted to provide settlements and refunds, "thus creating potential vectors of attack within the merchants' systems," he said.
Voltage's Ahmad also said the First Data-RSA service could result in latency issues on legacy POS systems as they struggle to support efficient SSL sessions from the POS to the First Data tokenizer. The performance issues could require substantial hardware changes for merchants at a great cost, Ahmad said.
But RSA's Fitzgerald said First Data has solved latency issues. Extensive tests on the encryption-tokenization approach on older POS systems showed a performance impact that was less than 200 milliseconds per transaction, he said.
"In the First Data Secure Transaction Management service, public key cryptography is used to encrypt the cardholder data in the point-of-sale system and the encrypted data is then moved upstream to First Data," Fitzgerald said. "This is different from SSL in that we encrypt the data rather than the session."
Voltage's Ahmad also took issue with First Data's process of maintaining a repository of cardholder data that could be a lucrative target for attackers. The process would leave a large system footprint to attack, he said. The Heartland-Voltage system would create a repository of keys, which could be better protected, he said.
Fitzgerald said the First Data repository greatly reduces the risk of a breach since merchants would be eliminating cardholder data from their systems.
"Mr. Ahmad's claim that it is more risky having First Data store this data than it is for the merchants to store it, is like saying that it is safer to have your money hidden in your mattress rather than in a bank vault," Fitzgerald said. "First Data and RSA are essentially creating the Fort Knox of the payment processing industry."