Secure online payment system requires end-to-end encryption

The online payment ecosystem is a prime target for cybercriminals. Security 7 Award winner Steven Elefant, formerly of Heartland Payment Systems, explains why end-to-end encryption is needed to protect cardholder data in transactions carried out online.

The old saying is true: Money really does make the world go ‘round. What many people don’t realize is what it takes to make the money go ‘round, so to speak.


When it comes to credit and debit card payments, several entities are required to process a transaction from start to finish: consumers and their payment cards, merchants and their point-of-sale (POS) payment systems, the card brands (e.g. Visa, MasterCard, Discover Network, American Express), issuing banks, and card processors like Heartland Payment Systems, the nation’s fifth largest payments processor. Enormous amounts of electronic data and digital currency flow through this payment ecosystem as billions of transactions are processed each year.

With access to the sensitive information that enables the exchange of billions of dollars in transactions each year, the payments infrastructure is a red-hot target for hackers. I have been entrenched in the electronic commerce industry for more than 30 years and never before have we been at a more critical juncture in our fight against cybercrime than now. It’s us good guys against the bad guys, and we are determined to win.

Forget the 14-year-old hacker kids. We are dealing with high-tech felons -- the bank robbers of the 21st century. They are organized in criminal gangs, both in the U.S. and overseas, that are very sophisticated, well funded, and, in many cases, have nation-state protection.

It’s no secret the payments ecosystem is vulnerable. Much like the Internet, the payments infrastructure was developed for connectivity, not for security. Now, in the face of serious threats and too many successful instances of hackers exploiting the vulnerabilities of the system, the industry is playing catch up to safeguard it.

About Steve Elefant

COMPANY: Heartland Payment Systems

  • Led IT strategy, product and business development for Heartland, which processes approximately 4.2 billion credit/debit card transactions annually.
  • Pioneered patent-pending E3 end-to-end encryption, which has been adopted by more than 13,000 merchants.
  • Handled the 2009 breach of Heartland’s payments processing platform, which led to the development of E3.
  • Active in the formation of the Payments Processing Information Sharing Council (PPISC), which facilitates industry collaboration against cybercrime.
  • Member of the U.S. Secret Service Electronic Crimes Task Force.

Typically, when a consumer swipes a credit or debit card at a merchant location to make a purchase, the cardholder data leaves the merchant's terminal in the clear and is not protected until it is either tokenized in a gateway or encrypted at rest in the processing platform's data warehouse. Everything between the reader and that point, the POS application, the store's back-office systems and the network link to the gateway, handles the card number in plaintext. This is a fundamentally flawed security model: cybercriminals who gain a foothold in a merchant system use network sniffers, memory-sniffing malware and RAM scrapers to harvest that cleartext data, which puts the entire payments ecosystem in jeopardy. In the case of a successful data breach, merchants face the devastating financial and reputational repercussions of the compromise, and consumers are left to deal with the resulting card fraud. For a secure online payment system, the transaction flow itself must be secured with end-to-end encryption.

In today’s day and age, there is no such thing as safe software. There never will be again. Software-based encryption is better than no encryption at all, but its effectiveness varies: when the encryption runs on the merchant's POS host, the cleartext card data and the encryption key both sit in that host's memory, exactly where a RAM scraper looks. AES (Advanced Encryption Standard) is a strong, well-vetted cipher; the U.S. government approves it for protecting classified information up to Top Secret. But the algorithm matters less than where the encryption happens: encrypting data after it has passed through a merchant system in the clear is quite different from encrypting it the moment the card is swiped to make a purchase. Data needs to be protected at all points, end-to-end, from the moment the transaction is initiated and through the processing network to truly be effective.

This is where hardware enters the equation. With a tamper-resistant security module (TRSM) built into the card reader, the data is encrypted at the moment of swipe, before it ever enters the merchant system, and the key never leaves the module; the merchant's POS only ever handles ciphertext, which beefs up security during a critical leg of the transaction lifecycle. It is this intersection of strong end-to-end encryption, tamper-resistant hardware and tokenization, which replaces a card’s 16-digit primary account number with a surrogate token value that the merchant can keep for refunds and repeat business without ever holding the real number, that provides merchants optimal protection. By adequately protecting and removing the data that the criminals are after, we are essentially removing merchants from the hackers’ cross hairs.
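The three paragraphs above describe a legacy flow (cleartext from the reader until the gateway), a hardware-encrypted flow (the reader's TRSM encrypts at swipe and only the processor's HSM can decrypt), and tokenization. The following Go program is an added illustration written for this page, not Heartland's E3 code or any vendor's implementation. Its assumptions: a single AES-GCM key shared by the reader and the processor HSM stands in for whatever per-device key management a real deployment uses; the Track 2 data is a constructed Luhn-valid test number, not a real card; the "RAM scraper" is modelled the way such malware actually works, a scan of process memory for 13-19 digit runs that pass the Luhn check; and tokens are random digit strings that keep the last four digits and are deliberately chosen to fail Luhn. The names `TRSM`, `Vault`, `LegacyFlow` and `E3Flow` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample Track 2 data (Luhn-valid test PAN, not a real card): PAN=YYMM+service code+discretionary data.
const sampleTrack2 = "4111111111111111=251210112345"

// luhnValid is the check RAM scrapers apply to tell PANs from other digit runs (s must be all digits).
func luhnValid(s string) bool {
	sum := 0
	for i, n := len(s)-1, 0; i >= 0; i, n = i-1, n+1 {
		d := int(s[i] - '0')
		if n%2 == 1 {
			d = d*2/10 + d*2%10 // double every second digit from the right and sum its digits
		}
		sum += d
	}
	return sum%10 == 0
}

// scrapeRAM emulates a memory scraper: every 13-19 digit run in process memory that passes Luhn.
func scrapeRAM(mem []byte) (found []string) {
	for _, m := range regexp.MustCompile(`[0-9]{13,19}`).FindAllString(string(mem), -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return found
}

// TRSM models the tamper-resistant module in the reader and its twin in the processor HSM: the key lives only inside it.
type TRSM struct{ aead cipher.AEAD }
func NewTRSM(key []byte) *TRSM {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &TRSM{aead}
}

// Encrypt seals track data at the moment of swipe: output is nonce || ciphertext || tag.
func (t *TRSM) Encrypt(track2 string) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	rand.Read(nonce) // crypto/rand; does not fail on supported platforms
	return t.aead.Seal(nonce, nonce, []byte(track2), nil)
}

// Decrypt runs only inside the processor HSM; a modified blob fails GCM authentication.
func (t *TRSM) Decrypt(blob []byte) (string, error) {
	pt, err := t.aead.Open(nil, blob[:t.aead.NonceSize()], blob[t.aead.NonceSize():], nil)
	return string(pt), err
}

// Vault is the processor-side token vault. Tokens keep the last four digits and are chosen to fail Luhn,
// so a token can never pass as, or be scraped as, a real PAN.
type Vault struct{ tokens map[string]string } // token -> PAN
func NewVault() *Vault                        { return &Vault{tokens: map[string]string{}} }
func (v *Vault) Detokenize(tok string) string { return v.tokens[tok] }
func (v *Vault) Tokenize(pan string) string {
	for buf := make([]byte, len(pan)-4); ; {
		rand.Read(buf)
		for i := range buf {
			buf[i] = '0' + buf[i]%10
		}
		if tok := string(buf) + pan[len(pan)-4:]; !luhnValid(tok) {
			v.tokens[tok] = pan
			return tok
		}
	}
}

// LegacyFlow: the terminal hands the POS cleartext track data, which sits in RAM until forwarded.
func LegacyFlow(track2 string) []string {
	return scrapeRAM([]byte("AUTH_REQ track2=" + track2))
}

// E3Flow: the reader encrypts at swipe, the POS forwards an opaque blob, the HSM decrypts and only a token
// comes back. Returns what a scraper finds in POS memory, plus the token the merchant is left holding.
func E3Flow(reader, hsm *TRSM, vault *Vault, track2 string) ([]string, string, error) {
	blob := reader.Encrypt(track2)
	mem := append([]byte("AUTH_REQ e3="), blob...) // all the POS ever holds in RAM
	plain, err := hsm.Decrypt(blob)               // processor side, inside the HSM
	if err != nil {
		return nil, "", err
	}
	token := vault.Tokenize(strings.SplitN(plain, "=", 2)[0])
	mem = append(mem, " AUTH_RESP token="+token...)
	return scrapeRAM(mem), token, nil
}

func main() {
	key := make([]byte, 32) // assumption: one key shared by reader and HSM; real deployments use per-device key management
	rand.Read(key)
	fmt.Println("legacy POS, scraper finds:", LegacyFlow(sampleTrack2))
	fmt.Println(E3Flow(NewTRSM(key), NewTRSM(key), NewVault(), sampleTrack2)) // E3 POS: scraper finds nothing, merchant keeps a token
}
```

Run with `go run`: the legacy flow yields the full PAN to the scraper, while in the encrypted flow the same scraper scanning the same POS memory finds nothing, and the only card-shaped value the merchant retains is a token that maps to the real number solely inside the processor's vault. The GCM tag also gives the processor the integrity check the paragraph above does not mention: any byte flipped in transit makes `Decrypt` return an error rather than a corrupted card number.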

While technology solutions are paramount to safeguarding the payments ecosystem, industry collaboration is also an integral component in our collective fight against cybercrime. The stakes are high all around and no one can afford for threat intelligence to be a competitive differentiator. Groups like the Payments Processing Information Sharing Council (PPISC), which Heartland helped establish, have brought the industry closer in this regard, providing processors critical information and insight into cybercriminal activity. We “good guys” need to work together so we can protect our organizations, our merchant customers, and ultimately, everyday consumers.

The Security 7 Awards recognize the efforts, achievements and contributions of practitioners in the financial services/banking, telecommunications, manufacturing, retail, government/public sector/non-profit, education and health care/pharmaceutical industries.
