End-to-end encryption of payment card data is all the rage among vendors to the merchant-acquiring industry, but vendors themselves believe it will take a long time for merchants to begin using their new technology. Asked how long they believe it will take for the majority of U.S. card-accepting merchants to adopt end-to-end encryption (E2EE), seven of nine leading vendors surveyed by Aite Group LLC said it’s likely or very likely it will take up to five years.
The thinking of the vendors, which of course have a direct interest in speedy and widespread adoption, varies widely, however. While five years was the most common answer, five companies said it was likely or highly likely that adoption of E2EE by a majority of merchants would occur in just three years. Six of the nine believe E2EE will have widespread adoption in seven years, and none believe the majority of merchants won’t ever use the system.
The stakes are high for the vendors because E2EE, thanks to its cost relative to the fraud it would eliminate, its relative ease of implementation, and its return on investment, has emerged as the likely winner in a race of technologies to better protect cardholder data in the wake of a series of massive merchant and processor data breaches. In an earlier report, Aite estimated that a nationwide E2EE rollout would cost $4 billion and take two years, but that it would eliminate $2.5 billion in fraud annually (Digital Transactions News, Jan. 13).
Merchants are buying into E2EE not just because they want to reduce fraud. They also want to reduce their burdens of complying with the Payment Card Industry data-security standard, or PCI, which many regard as a costly annoyance. Asked about the reasons merchants are buying E2EE systems, eight of the nine vendors said securing card data was a high or very high merchant priority. An equal number, however, also said “offloading some PCI DSS requirements” was a high or very high priority. Seven vendors said it’s likely or very likely they’ll promote E2EE as a way to offload PCI compliance.
“That’s the big pitch,” Aite senior analyst Nick Holland, author of both reports, tells Digital Transactions News. “They see it on par.”
While feelings about what end-to-end encryption should accomplish are strong, how the vendors’ systems work and their revenue models vary considerably. Some, such as point-of-sale terminal makers Hypercom Corp. and Ingenico S.A., will get a very large share of their revenues through hardware sales, as will merchant acquirer Heartland Payment Systems Inc. with its new E3 terminals. Others also will get revenues through hardware sales, but mainly through recurring transaction fees or other fees for software licensing, key injections, or upgraded services. The other vendors Aite surveyed were POS terminal maker VeriFone Holdings Inc.; leading processor First Data Corp.; Element Payment Services Inc., an independent sales organization; security technology provider Semtek Innovative Technologies Corp.; encryption software maker Voltage Security Inc.; and POS hardware and software provider MagTek Inc.
Aite’s report does not endorse any of the vendors’ systems. All of them except First Data’s use varying combinations of hardware and software. “There’s a lot of variety,” Holland says. “It’s going to be interesting how things shake out.” Holland notes that First Data’s is probably the “most different” of the variations offered because it’s entirely software-based. All that First Data, which is using technology from EMC Corp.’s RSA division, requires is that the merchant have a PCI-compliant terminal. That strategy, according to Holland, clearly is meant to make E2EE attractive to the millions of merchant locations on First Data’s processing systems.
Most vendors naturally are approaching high-volume, so-called Level 1 and Level 2 merchants for E2EE, the proverbial low-hanging fruit, before approaching the more numerous but typically less technologically sophisticated, smaller Level 4 merchants. The report quotes one vendor executive as saying, “At this time, a Level 4 vendor [merchant] is unlikely to know the difference between a firewall and a fire extinguisher. E2EE is not something that they understand. Yet.”
Yet even before they conquer card-accepting merchants, the E2EE vendors are pursuing broader markets for their new systems. All vendors said they viewed government as a likely or highly likely source of sales opportunity. Six of the nine said it was likely or highly likely they would pursue opportunities with potential insurance-company clients, and five spoke similarly about the health-care sector. They plan to pitch E2EE as a way for such customers to protect sensitive consumer, governmental, medical, and financial data beyond payment card numbers, Holland says.