The CIO of Heartland Payment Systems Inc. sees possible weaknesses in a new proposal brought forth by credit card processing giant First Data Corp., which uses credit card tokenization software developed by RSA, the security division of EMC.
Heartland CIO Steven Elefant, who is overseeing Heartland's E3 end-to-end encryption solution, said the First Data process may pose a greater security risk, since the credit card data is being replaced with tokens early on in the process.
"Front-end tokenization, where you take a credit card number and send it up to a token server and then send it back to the terminal, is not good because you are totally exposed from the time you swipe the card until it gets to the token server," Elefant said in an interview with SearchSecurity.com. "If you are not encrypting with very strong crypto and hardware, you don't have security."
Credit card tokenization:
First Data, RSA push tokenization for payment processing: The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.
Experts, vendors search for PCI's holy grail: The First Data-RSA partnership is pitted against the Heartland-Voltage E3 project in the payment industry race for securing transactions.
The payment industry is trying to find a way to better secure credit card data in the wake of a number of high-profile data breaches. Heartland, which is embroiled in one of the largest data breaches in U.S. history, has vowed to force the payment industry to adopt end-to-end encryption throughout the entire payment process. But other payment processors have since come forward with different plans to protect credit card data, including First Data and RBS WorldPay, which also experienced a major breach.
First Data, which announced its partnership with RSA last month, said it encrypts data from the time it is captured by the merchant's existing point-of-sale application. Once the credit card data reaches First Data's authorization switch, it is decrypted and the card number is replaced by a token and sent to the merchant. By contrast, Princeton, NJ-based Heartland is working with Voltage Security Inc. to encrypt data within hardened E3 payment terminals called a tamper resistant security module. The encrypted card data is sent to Heartland's authorization switch and then onto the card brands which replace the card data with a token-like automated reference number. Heartland stores the returned automated reference number in the event merchants need to settle disputes or other discrepancies.
"The tokens are actually created by the brands when we send in the transaction," Elefant said. "We take that with the time and date and the last four digits of the card and we have all the information we need to go into our encrypted data storage to provide transaction data for our customers."
Elefant said Heartland is also working with the Accredited Standards Committee X9 (ASC X9 Inc.), the financial industry's standards body, to develop a standard definition of end-to-end encryption that the entire payment industry can embrace. According to Elefant, Heartland's definition of true end-to-end encryption begins once the personal account number (PAN) is transferred from the magstripe on the consumer's card, and is turned from analogue to digital data all the way through the terminal and host processing network until it is securely delivered to the card brands.
"When we peel back the onion and look at the so-called end-to-end solutions out there, we find that they're really point-to-point solutions," Elefant said. "They may be secure from a terminal to a store controller or from a store controller to a gateway, but that's not end-to-end encryption, that's point-to-point."
The process of creating a standard is slow, but Elefant said he is confident the process is being sped up because of the need to better protect cardholder data. Heartland is also on a Payment Card Industry Security Standards Council special interest group studying end-to-end encryption. The group could recommend changes to PCI DSS next year.