End-to-End Encryption: The PCI Security Holy Grail

By Ben Rothke and David Mundhenk, CSO |  Security, encryption, pci

In a perfect world, the card networks, issuers and payment processors would implement end-to-end encryption for everyone who uses their services and would make it a condition of connectivity: no encryption, no connection. That would raise the security baseline across the board and spare each merchant the significant burden of key management (see the later section in this article on that topic).

In a Gartner article on the topic, the analysts note that Spain has more than 80 acquiring banks, each grouped under one of three domestic payment schemes that operate in the country, and each scheme has its own processing company providing issuing and acquiring processing services.

One of the payment networks, ServiRed, together with its processing company, Sermepa, now serves more than 100 member banks with 40 million cards in issuance. ServiRed and its peers are participating in a systemic, countrywide solution that supports end-to-end encryption (E2EE) of payment card data from the merchant's payment terminal to the acquiring processor, where the card data is decrypted. The bank identification number (the leading digits of the card number) is left in the clear for routing purposes, while the rest of the card data is encrypted inside the merchant's terminal card reader. Encryption keys are stored and managed by the merchant acquirers, so merchants never handle them. Their collective success shows that E2EE processing is not only possible but a workable model for future implementations.
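The following is an added example, not code from the article or from ServiRed or Sermepa, showing the shape of the scheme described above: the terminal seals everything but the BIN under a key only the acquirer can use, the merchant routes on the clear BIN without ever being able to read the PAN, and the acquirer decrypts. It assumes AES-GCM, a six-digit BIN, a hard-coded key (in practice the key is injected into the terminal and held in the acquirer's HSM) and the well-known Visa test PAN 4111111111111111. Binding the BIN as associated data makes splicing a ciphertext onto another BIN fail authentication, which the text does not spell out but any real deployment needs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// binLength is the number of leading PAN digits left in the clear for routing.
// A six-digit BIN is assumed for this example.
const binLength = 6

// CardMessage is everything that leaves the terminal. The merchant's systems
// see exactly these fields and nothing else.
type CardMessage struct {
	BIN        string // clear text, used to pick the acquirer
	Nonce      []byte // fresh per message
	Ciphertext []byte // AES-GCM over the remaining digits, BIN bound as AAD
}

// Acquirer holds the decryption key. Modelled as a plain struct here; in
// production the key lives in the acquirer's HSM, never at the merchant.
type Acquirer struct {
	Name string
	Key  []byte
}

// luhnValid is the standard mod-10 check on a digit string.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the card reader: keep the BIN in the clear,
// seal the rest of the PAN, and authenticate the BIN so the ciphertext cannot
// be re-attached to a different routing prefix.
func TerminalEncrypt(pan string, terminalKey []byte) (CardMessage, error) {
	if !luhnValid(pan) {
		return CardMessage{}, errors.New("invalid PAN")
	}
	aead, err := newGCM(terminalKey)
	if err != nil {
		return CardMessage{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardMessage{}, err
	}
	bin, rest := pan[:binLength], pan[binLength:]
	ct := aead.Seal(nil, nonce, []byte(rest), []byte(bin))
	return CardMessage{BIN: bin, Nonce: nonce, Ciphertext: ct}, nil
}

// MerchantRoute is the merchant's entire role: choose an acquirer by BIN.
// It has no key and cannot recover the PAN.
func MerchantRoute(msg CardMessage, routes map[string]*Acquirer) (*Acquirer, error) {
	if acq, ok := routes[msg.BIN]; ok {
		return acq, nil
	}
	return nil, fmt.Errorf("no acquirer for BIN %s", msg.BIN)
}

// AcquirerDecrypt recovers the full PAN inside the acquirer's environment.
// Any change to BIN, nonce or ciphertext makes Open return an error.
func AcquirerDecrypt(msg CardMessage, acq *Acquirer) (string, error) {
	aead, err := newGCM(acq.Key)
	if err != nil {
		return "", err
	}
	rest, err := aead.Open(nil, msg.Nonce, msg.Ciphertext, []byte(msg.BIN))
	if err != nil {
		return "", fmt.Errorf("acquirer %s: %w", acq.Name, err)
	}
	return msg.BIN + string(rest), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key
	acq := &Acquirer{Name: "ExampleAcquirer", Key: key}
	msg, err := TerminalEncrypt("4111111111111111", key) // test PAN, not a real account
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant sees: BIN=%s ciphertext=%x\n", msg.BIN, msg.Ciphertext)
	target, _ := MerchantRoute(msg, map[string]*Acquirer{"411111": acq})
	pan, err := AcquirerDecrypt(msg, target)
	fmt.Println("acquirer recovers:", pan, err)
	msg.BIN = "511111" // splice onto another BIN: authentication fails
	_, err = AcquirerDecrypt(msg, acq)
	fmt.Println("misrouted message:", err)
}
```

Everything a merchant logs, stores or forwards is a CardMessage, which is why this model shrinks the merchant's PCI scope: the only cardholder data in the clear is the routing prefix. The hard-coded key is the one simplification that does not survive contact with production; there the terminal holds injected keys managed by the acquirer, which is exactly the key-management burden the article says the Spanish acquirers lifted from their merchants.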

Gartner notes that merchants in Spain are being asked to migrate their terminals to accept EMV (Europay, MasterCard and Visa) chip cards while simultaneously being asked to comply with PCI. The Spanish acquirers introduced end-to-end encryption to simplify the security work their merchant customers are required to do.

While Spain's payment network pales in comparison to the size and complexity of US networks, it has demonstrated that end-to-end encryption is indeed possible on a payment network. Given the hundreds of millions of records breached to date, and no reason to expect the number of breaches to fall, the need for end-to-end encryption is evident. US payment networks should adopt end-to-end encryption as the long-term solution and begin rolling it out now.

Why isn't encryption ubiquitous?
