Visa leads the way! End to End Encryption
June 8th, 2009 by cmark. Posted in PCI DSS
Recently, I wrote a pretty critical blog post about the ongoing debate within the industry related to end to end encryption. Today I received an article in which Gartner’s Avivah Litan wrote a great summary of the Visa Global Security Summit where Visa acknowledged that there are benefits for merchants using end to end encryption technologies. Visa is once again leading the industry on security issues by being the first card brand to really consider such technologies and again taking a stand on controversial topics. For those old timers in the industry, it is hard to dispute Visa’s huge contribution to 3D Secure, PCI DSS, PA DSS, and other initiatives.
This is a watershed moment within the industry. For years I (and a number of others) have been pushing tokenization technologies, end to end encryption, advanced authentication and other technologies that render stolen data virtually useless to an attacker. These are the technologies that will truly make a difference in the industry. Let’s hope it continues to move forward.
Thanks to Avivah for putting this out and Kudos to Visa!
If you didn’t read the previous blog post, here is an updated list of companies that are offering such solutions.
* Heartland Payment Systems (end to end)
* TrustCommerce (end to end w/vault)
* ProPay (end to end w/vault)
* Shift4 (Tokenization w/vault)
* MerchantLink (Tokenization w/vault)
* EPX (Tokenization w/vault)
* PPI (end to end w/vault)
* BrainTree (end to end w/vault)
* Network Merchants (tokenization I think)
* MagTek (encrypted MagStripe Reader supports End to End)
* Semtek (encrypted MSR supports End to End)
* HomeATM (encrypted Pin Entry Device; PED2.0 Approved)
* VeriFone (end to end; for IPOS)
* CyberSource (end to end; w/vault)
6 Responses to “Visa leads the way! End to End Encryption”
By Sebastian Kübeck on Jun 9, 2009
The link to the summary is broken.
I share your opinion about tokenization technologies and end to end encryption. However, if VISA had pushed those technologies earlier, lots of merchants would have had way less trouble to comply with PCI DSS and to implement a high level of security.
By lance on Jun 9, 2009
I’m also in agreement that tokenization and end to end encryption are great methods to help reduce card fraud and PCI burden on merchants.
What I don’t understand is why this is the merchant’s problem to begin with? Where is end to end encryption or tokenization at the card brand level? Why have the brands not come up with a way to either secure the data on the card or make it useless for an attacker to capture?
By Michael Andersen on Jun 11, 2009
Hi
PBS A/S has been using END-TO-END (TDES) encryption for all POS merchants since 2001. In my world, from a PCI DSS perspective, this is “almost” the only way for a merchant to handle PCI DSS compliance. If a merchant is using END-TO-END encryption and has PA-DSS certified terminals etc., and never gets CHD, they have minimized the PCI DSS scope a lot. The sad thing is that even encrypted CHD sent on a corporate network or MPLS is “in-scope” for PCI DSS. Shouldn’t be that way.
By Ralph on Jun 12, 2009
Braintree is an MSP that uses the Network Merchants gateway. Any other MSP that uses the NMI gateway (Premier Payment Systems, Durango Merchants and many others) will have the same capabilities. Braintree just does a better job of marketing the PCI compliance advantages of the NMI gateway. NMI allows some great capabilities to allow a merchant to eliminate storing, processing or transmitting cardholder data.
1. They support the Magtek Magnesafe card readers to encrypt the track data in the card swipe device with it decryptable only by the NMI gateway.
2. They allow a merchant to serve a payment page on their web site that posts to the NMI gateway, which provides seamless integration with their web site and eliminates the CHD from passing through the merchant’s server.
3. They allow a merchant to submit a transaction using the CHD from a prior transaction by referencing the prior transaction number so that the merchant doesn’t need the CHD to add items to an order, upgrade shipping on an order, etc.
4. They have a vault solution where CHD can be securely stored and used via a vault ID (token).
By using items 1-3 above I am just about ready to implement a solution for my store and web site that will keep nearly all CHD out of our systems using the NMI gateway. The only CHD I haven’t been able to keep out is phone order card numbers that get keyed into our order management system and card numbers keyed at POS. These are transmit only and not stored. It sure would be nice if Magtek added keypads to the Magnesafe card swipe devices to expand its capabilities to keyed PANs.
I have looked into every gateway that I can find and have found no others that match the capabilities of the NMI gateway except possibly Shift4. But Shift4 requires vendors to do the integration and I have been unable to get my vendors to support them. With NMI I have been able to do the integration in house.
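The vault-with-token pattern in items 3 and 4 above is easy to misunderstand, so here is an added illustration of it. This is editorial example code, not NMI’s, Braintree’s, Shift4’s or any other vendor’s implementation, and the `Vault` and `MerchantOrderSystem` classes, the `tok_` token prefix and the keyed-hash index are all assumptions of this toy design. The card number used is the constructed test value 4111111111111111, not a real account. The point it shows: the merchant side keeps an opaque random token plus the last four digits, follow-up charges (add an item, upgrade shipping) reference that token, and a scan of the merchant’s stored order data finds no PAN. The vault process itself, of course, still holds every PAN and stays fully in PCI DSS scope.

```python
"""Toy tokenization vault (added example; not any vendor's code)."""
import hmac
import json
import secrets
from dataclasses import dataclass, field
from hashlib import sha256


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault rejects obviously mistyped numbers."""
    checksum = 0
    for i, c in enumerate(reversed(pan)):
        d = int(c)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass
class Vault:
    """Stands in for the gateway's vault: the only place a PAN is stored."""
    # Hypothetical per-vault secret; a real vault would keep this in an HSM.
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _store: dict = field(default_factory=dict)   # token -> PAN
    _index: dict = field(default_factory=dict)   # HMAC(PAN) -> token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("PAN failed basic validation")
        # Keyed hash lets a repeat card map to the same token without the
        # vault storing an unkeyed (brute-forceable) fingerprint of the PAN.
        fp = hmac.new(self._key, pan.encode(), sha256).hexdigest()
        if fp in self._index:
            return self._index[fp]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self._store[token] = pan
        self._index[fp] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._store[token]  # KeyError for an unknown token
        # A real gateway would forward `pan` to the processor at this point.
        return {"token": token, "amount_cents": amount_cents,
                "last4": pan[-4:], "status": "approved"}


@dataclass
class MerchantOrderSystem:
    """The merchant side: keeps orders and tokens, never a PAN."""
    vault: Vault
    orders: list = field(default_factory=list)

    def new_order(self, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)  # PAN leaves the merchant here
        receipt = self.vault.charge(token, amount_cents)
        order = {"token": token, "last4": receipt["last4"],
                 "charges": [amount_cents]}
        self.orders.append(order)
        return order

    def add_to_order(self, order: dict, extra_cents: int) -> dict:
        """Item 3 above: a follow-up charge by reference, no CHD needed."""
        receipt = self.vault.charge(order["token"], extra_cents)
        order["charges"].append(extra_cents)
        return receipt

    def contains_pan(self, pan: str) -> bool:
        """Scope check: does anything the merchant stores contain the PAN?"""
        return pan in json.dumps(self.orders)


def demo() -> dict:
    vault = Vault()
    merchant = MerchantOrderSystem(vault)
    test_pan = "4111111111111111"  # constructed test number, not a real card
    order = merchant.new_order(test_pan, 1999)
    merchant.add_to_order(order, 499)  # e.g. upgrade shipping, by token only
    return {"last4": order["last4"],
            "charges": order["charges"],
            "pan_in_merchant_store": merchant.contains_pan(test_pan),
            "repeat_card_same_token": vault.tokenize(test_pan) == order["token"]}


if __name__ == "__main__":
    print(demo())
```

Two design choices worth noting: the token is random rather than derived from the PAN, so it cannot be reversed or brute-forced from the merchant’s database, and the de-duplication index is a keyed HMAC rather than a plain hash, since a plain hash of a 16-digit number with a known prefix is cheap to invert. Keyed PANs (phone orders, manual POS entry) are exactly the case this pattern does not cover, as noted above: they still transit the merchant’s system before reaching the vault.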
By Terry on Jun 15, 2009
I know companies like Merchant Warehouse that have gateways that use the Magtek encrypted card readers are as close to end-to-end encryption as you can be at this point in time.
You would think Visa/MC would be all over the end-to-end encryption considering how much money they would save preventing fraud. I know it’s a huge monetary hit upfront but in due time it will more than pay off.
By ibuxton on Jun 19, 2009
Any opinions on AJB’s “tokenization” solutions? Has anyone used it, heard about it, etc.?