Fresh off of announcing a massive data breach at his company in 2009, Bob Carr, CEO of Heartland Payment Systems, said the payment processing giant would force the industry to make fundamental changes in the way it protects credit card data.
Carr said end-to-end encryption was the best way to protect cardholder data from the time a person swipes their credit card at a payment terminal to the approval of the transaction at the credit card brand. But a panel of industry experts at RSA Conference 2010 said end-to-end encryption doesn't have much meaning.
"End-to-end encryption is just a marketing term," said John Sheets, senior business leader, payment technology development at Visa Inc. and chairman of the ASC X9F6 and ISO TC68/SC2/WG13 Security in Retail Financial Services working groups. "In the standards world we have a lot of heated discussions about where is the beginning and end point. At Visa, instead of focusing on the endpoints, we focus on what the requirements are for when you choose to protect data with encryption."
Steven Elefant, chief information officer of Heartland Payment Systems, defended his company's technology. Heartland has been working with Voltage Security Inc. on an E3 processing system, which includes new payment terminals that Elefant says will encrypt the data at the time a card is swiped and keep it encrypted until the transaction is approved at the card brand.
"Had we had encryption we wouldn't have had a breach," Elefant said. "The ends are important; the ends we can control from the point-of-sale until we can securely deliver that transaction to the brands."
Elefant, who took the job at Heartland after the breach was made public, admitted that end-to-end encryption isn't a silver bullet, but it would be a big step in protecting cardholder data as part of a defense in depth approach.
"It's a part of your DNA and we've gone on now to look at multiple technologies to make sure that in the worst case scenario that if people do get in that the data is unusable," Elefant said. "I agree that end-to-end encryption isn't end all be all."
Bob Russo, general manager of the PCI Security Standards Council, said he was concerned about the use of the term "end-to-end encryption." Russo said many of the technologies being touted to better protect the payment process, including encryption and tokenization systems, are being studied by the council, which may offer guidance on the topics later this year.
"How long will it be when there are 50 vendors out there all saying they have true end-to-end encryption," Russo said. "At the council we need to look at these things and figure out what the components are and how they map to the standard."
In an interview with SearchSecurity.com, noted cryptographer Taher Elgamal, chief security officer of Axway Inc., dismissed the term, calling it meaningless. The only available encryption option 25 years ago was point-to-point at the link layer below TCP, but today there are multiple points in a company network, he said. The number of "ends" is probably in the thousands, he said.
"There's a lot of pressure inside the credit card industry to apply encryption on transmitting credit cards so that we don't suffer from these exploits and that's a really good thing," Elgamal said. "I think we're over selling and over marketing certain things before we actually find the real solution."
In a credit card transaction there are seven or eight entities that process a transaction, Elgamal said.
"If the 'ends' are not the real 'ends' of the transaction, then you haven't actually gained a whole lot," he said.