Monday, September 14, 2009

Smart Card Alliance Decries End to End Encryption

Smart Card Alliance Pushes Contactless Smart Cards over E2EE

According to Randy Vanderhoof, the executive director of the Smart Card Alliance, the US payments industry should use contactless chip cards along with dynamic cryptograms vs. E2EE in the fight against the bad guys...

I agree that the term "End-to-End Encryption" is a buzzword and is used too "loosely" by too many players in the industry.

True End-to-End Encryption means, first and foremost, that the cardholder data must be "instantaneously" encrypted once the card is swiped. The encrypted packet must stay that way (encrypted) until it reaches its final destination. There is only one transaction that can be fully end-to-end encrypted (*Zones 1-5), and that is a PIN based transaction. At best, other transactions can be End to (Almost) End Encrypted through *Zones 1-4.

HomeATM's PCI 2.x certified PIN Entry Pad instantaneously encrypts the cardholder data (including the Track2 data). Credit and debit card details remain encrypted via the HomeATM processing methodology through Zones 1-4. A HomeATM processed PIN based transaction is 100% End to End Encrypted through Zones 1-5.

*See chart below for a Zone 1 through Zone 5 illustration provided by Mercator 

From SCA's new paper:

End-to-End Encryption and Chip Cards in the U.S. Payments Industry

Publication Date: September 2009

Recent and highly publicized data breaches at merchants and processors involving payment cardholder data have had a significant impact on the payments industry. For example, Wired magazine reported that Heartland Payment Systems estimates that the breach it experienced in 2008 has conservatively cost the company in excess of $12 million.[1] According to Bank Info Security magazine, the breach impacted at least 659 banks and credit unions.[2]

Analysis of the attacks has led to a flurry of interest in the implementation of end-to-end encryption solutions to protect cardholder data. Electronic payments industry stakeholders are taking action to address data security problems through the Accredited Standards Committee X9 (ASC X9) by embarking on the development of a new standard to protect cardholder data with end-to-end encryption.[3] This paper presents the Smart Card Alliance perspectives on this initiative.

Encryption of data would make it much harder for attackers to benefit from the kind of network break-in that Heartland suffered. Since sensitive data was not sufficiently protected, cyber-thieves were capable of stealing millions of debit and credit card details for several months after initially infiltrating the Heartland computer systems.[4]

Supporters of end-to-end encryption envision that cardholder data would be encrypted from the moment the magnetic stripe of the payment card is swiped through the end of the payment processing cycle. The devil is in the details, however. End-to-end encryption does not necessarily mean the same thing to all people, and the payments industry has not yet defined standards.

Editor's Note: Very well put. (See the Zone 1-5 chart.)

This position paper attempts to clarify and define end-to-end encryption, and detail the problems it solves and those it does not. It also explores the advantages of an alternative strategy for protecting cardholder data–moving data protection to the true endpoint, the payment card itself, using chip card technology.

Instead of implementing “chip and PIN” and following the full EMV standard, this paper proposes a new course optimized for the U.S. market: using contactless chip cards, including a dynamic cryptogram with each transaction and authorizing transactions online.

The existing U.S. payments infrastructure can process such transactions today in the same way that current contactless payment transactions are accepted.

Compared to end-to-end encryption, contactless cards with dynamic cryptograms would have the following advantages:

  • Result in less impact on the payments acceptance infrastructure for merchants, acquirers and issuers

  • Enable merchants to implement a solution more quickly and without waiting for new standards

  • Provide a high level of cardholder data protection by including a dynamic cryptogram with each transaction

  • Reduce the threats posed by cloning magnetic stripe-based cards and stealing cardholder data
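Editor's added illustration (this is not code from the Smart Card Alliance paper, from HomeATM, or from any EMV specification) of what "a dynamic cryptogram with each transaction" buys over static magnetic-stripe data. A card keeps an application transaction counter (ATC), derives a per-transaction session key from a master key it shares only with the issuer, and MACs the ATC, the amount and a terminal-supplied unpredictable number; the issuer recomputes the MAC online and also refuses a counter that does not increase. Real EMV cards do this with 3DES-based session keys and an ARQC; the example substitutes HMAC-SHA256, and the master key, PAN, message layout and field names are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Card models the chip. Its master key is shared only with the issuer
// (the value in newDemo is a constructed demo key).
type Card struct {
	PAN       string
	masterKey []byte
	ATC       uint16 // application transaction counter, +1 per tap
}

// Issuer models the online authorization host.
type Issuer struct {
	masterKeys map[string][]byte // PAN -> card master key
	lastATC    map[string]uint16 // highest ATC accepted per PAN
}

// AuthRequest is the assumed online authorization message. PAN, ATC and
// amount travel in the clear, as today; the cryptogram binds them together.
type AuthRequest struct {
	PAN           string
	ATC           uint16
	AmountCents   uint64
	Unpredictable uint32 // nonce chosen by the terminal for this tap
	Cryptogram    []byte
}

// sessionKey derives a per-transaction key from master key and ATC
// (stand-in for EMV's 3DES-based session key derivation).
func sessionKey(master []byte, atc uint16) []byte {
	var b [2]byte
	binary.BigEndian.PutUint16(b[:], atc)
	m := hmac.New(sha256.New, master)
	m.Write(b[:])
	return m.Sum(nil)
}

// cryptogram MACs ATC, amount and unpredictable number under the session
// key, truncated to 8 bytes like an EMV application cryptogram.
func cryptogram(master []byte, atc uint16, amountCents uint64, un uint32) []byte {
	var buf [14]byte
	binary.BigEndian.PutUint16(buf[0:2], atc)
	binary.BigEndian.PutUint64(buf[2:10], amountCents)
	binary.BigEndian.PutUint32(buf[10:14], un)
	m := hmac.New(sha256.New, sessionKey(master, atc))
	m.Write(buf[:])
	return m.Sum(nil)[:8]
}

// Tap is one contactless transaction: bump the ATC, emit a fresh cryptogram.
func (c *Card) Tap(amountCents uint64, un uint32) AuthRequest {
	c.ATC++
	return AuthRequest{c.PAN, c.ATC, amountCents, un,
		cryptogram(c.masterKey, c.ATC, amountCents, un)}
}

// Authorize recomputes the cryptogram with the issuer's copy of the key.
// A replayed message fails on the ATC; an altered or forged one on the MAC.
func (iss *Issuer) Authorize(req AuthRequest) (bool, string) {
	mk, ok := iss.masterKeys[req.PAN]
	if !ok {
		return false, "unknown card"
	}
	if req.ATC <= iss.lastATC[req.PAN] {
		return false, "ATC not increasing: replay"
	}
	want := cryptogram(mk, req.ATC, req.AmountCents, req.Unpredictable)
	if !hmac.Equal(want, req.Cryptogram) {
		return false, "cryptogram mismatch: forged or altered"
	}
	iss.lastATC[req.PAN] = req.ATC
	return true, "approved"
}

// newDemo builds one card and its issuer with a constructed master key and PAN.
func newDemo() (*Card, *Issuer) {
	mk, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	pan := "4000001234567899"
	return &Card{PAN: pan, masterKey: mk}, &Issuer{
		masterKeys: map[string][]byte{pan: mk},
		lastATC:    map[string]uint16{},
	}
}

func main() {
	card, iss := newDemo()
	req := card.Tap(1999, 0xC0FFEE01) // genuine tap at the terminal
	ok, why := iss.Authorize(req)
	fmt.Println("genuine tap:       ", ok, why)
	ok, why = iss.Authorize(req) // skimmer replays the captured message
	fmt.Println("replayed message:  ", ok, why)
	altered := req // skimmer bumps the ATC and changes the amount
	altered.ATC, altered.AmountCents = req.ATC+1, 1
	ok, why = iss.Authorize(altered)
	fmt.Println("altered amount:    ", ok, why)
	// Cloned static data (PAN etc.) cannot produce a cryptogram for a new tap.
	forged := AuthRequest{PAN: req.PAN, ATC: req.ATC + 1, AmountCents: 500,
		Unpredictable: 1, Cryptogram: make([]byte, 8)}
	ok, why = iss.Authorize(forged)
	fmt.Println("cloned stripe data:", ok, why)
}
```

Note what the example does and does not show: the cryptogram stops a skimmer from spending captured data, which is the paper's cloning argument, but the PAN in the authorization message is still readable by every hop, so the confidentiality of stored cardholder data is a separate question from the one the cryptogram answers.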

The Smart Card Alliance is making another important recommendation as well. If the industry does indeed move forward with end-to-end encryption, the standard should be defined in a way that lays the messaging foundation for globally-interoperable secure payment transactions using chip card technology in the future. This would have no impact on end-to-end encryption cost or complexity, and yet would make the U.S. payments messaging standard compatible with global payments infrastructure requirements.

What Is End-To-End Encryption?

The Computer Desktop Encyclopedia defines end-to-end encryption as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.[5]

A reasonably good example of true end-to-end encryption is the distribution of a secret key under a Key Exchange Key (KEK) process between two hardware security modules (HSMs). The KEK process is a common practice in many industries including government, telecommunications and banking, in applications where end-to-end security must be ensured. Using this technique, the secret key is never seen in the clear outside of the two endpoints. The first HSM (the origin) encrypts the secret key using the Key Exchange Key then the encrypted key can be securely sent to the second HSM (the destination) where it is decrypted.
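Editor's added example (not code from the Smart Card Alliance paper or from HomeATM) writing out the KEK exchange just described with the standard AES Key Wrap of RFC 3394: the origin HSM wraps the secret key under the Key Exchange Key, the destination HSM unwraps it, and anything in between only ever handles the wrapped bytes. RFC 3394's integrity check, the fixed A6A6A6A6A6A6A6A6 initial value that must reappear on unwrap, is what makes a wrong KEK or a modified ciphertext fail outright instead of yielding a garbage key. The KEK and key values are the RFC 3394 section 4.1 test vector; the "intermediary" and the flipped bit are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 initial value; recovering it on unwrap is the integrity check.
var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the 64-bit big-endian step counter t into a.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for i := range a {
		a[i] ^= tb[i]
	}
}

// WrapKey is the origin HSM's operation (RFC 3394 section 2.2.1): encrypt
// secretKey under the KEK. secretKey must be a multiple of 8 bytes, >= 16.
func WrapKey(kek, secretKey []byte) ([]byte, error) {
	if len(secretKey) < 16 || len(secretKey)%8 != 0 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(secretKey) / 8
	a := append([]byte(nil), kwIV...)
	r := append([]byte(nil), secretKey...) // R[1..n] kept in one buffer
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Encrypt(buf, buf) // B = AES(K, A | R[i])
			copy(a, buf[:8])
			xorCounter(a, uint64(n*j+i+1)) // A = MSB(B) xor t
			copy(r[i*8:(i+1)*8], buf[8:])  // R[i] = LSB(B)
		}
	}
	return append(a, r...), nil
}

// UnwrapKey is the destination HSM's operation (RFC 3394 section 2.2.2).
// It fails if the KEK is wrong or any ciphertext byte changed in transit.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key has invalid length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := append([]byte(nil), wrapped[8:]...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			xorCounter(a, uint64(n*j+i+1)) // A xor t
			copy(buf[:8], a)
			copy(buf[8:], r[i*8:(i+1)*8])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A xor t) | R[i])
			copy(a, buf[:8])
			copy(r[i*8:(i+1)*8], buf[8:])
		}
	}
	if !bytes.Equal(a, kwIV) {
		return nil, errors.New("integrity check failed: wrong KEK or tampered ciphertext")
	}
	return r, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit KEK, 128-bit key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	secret, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")

	wrapped, _ := WrapKey(kek, secret) // origin HSM
	fmt.Printf("on the wire (all an intermediary sees): %X\n", wrapped)

	got, err := UnwrapKey(kek, wrapped) // destination HSM
	fmt.Printf("destination recovered: %X (err=%v)\n", got, err)

	tampered := append([]byte(nil), wrapped...)
	tampered[12] ^= 0x01 // one bit flipped in transit
	_, err = UnwrapKey(kek, tampered)
	fmt.Println("tampered ciphertext:", err)
}
```

The contrast with the payment case in the next paragraph is the point: here there are exactly two parties holding the KEK, so "origin" and "destination" are unambiguous and nothing in between needs the plaintext.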

With respect to a payment transaction, “origin” and “destination” are not single places, causing the potential for confusion. There are many temporary endpoints in a transaction lifecycle where all or part of the transaction information is required. In addition, there are several processes, starting with authorization and settlement; but data may be used or stored for refunds, chargebacks or reporting purposes in other places as well. The figure above illustrates a generic credit card transaction process today.

"Implementing end-to-end encryption is not a panacea; in fact, it may be more akin to putting a steel door on a grass hut," says Randy Vanderhoof, executive director, Smart Card Alliance.

Download the paper to read more, or read the summary at the Smart Card Alliance website.
