Fifth Third Processing Jumps on the End-to-End Encryption Bandwagon

The merchant-acquirer encryption and tokenization train picked up speed this week when Fifth Third Processing Solutions, one of the nation's biggest payment processors, announced it would offer its merchants end-to-end encryption and tokenization systems for protecting cardholder data. Cincinnati-based Fifth Third Processing's technology comes from Voltage Security Inc., the Palo Alto, Calif.-based firm that also is working with merchant acquirer Heartland Payment Systems Inc. and other financial companies. Heartland greatly raised the profile of end-to-end encryption last year when it decided to upgrade its security systems after sustaining the payment card industry's biggest data breach ever (Digital Transactions News, Jan. 26, 2009). A number of other merchant processors also have announced they're implementing end-to-end data encryption or related tokenization technology, including industry leader First Data Corp., which is working with EMC Corp.'s RSA security division (Digital Transactions News, Sept. 22, 2009). Fifth Third Processing serves 180,000 merchant locations, from large national retailers down to tens of thousands of local businesses that generate about $315 billion in annualized charge volume. The Voltage technology gives merchants choices for their security systems depending on the size and complexity of their operations, Bob Bartlett, chief information officer at Fifth Third Processing, tells Digital Transactions News. “It's a solution that can help us solve a lot of problems,” he says. Tokenization replaces all or part of a credit or debit card's 16-digit primary account number (PAN) with proxy numbers for safe storage, either at the merchant's data center or a third-party facility. End-to-end encryption, meanwhile, is a general term for a number of systems that encrypt card data during the transaction process. Used properly, the technologies can reduce the amount of data subject to the Payment Card Industry data-security standard, or PCI, which reduces merchants' risk and security expenses. Another reason Fifth Third went with Voltage was that its system could be brought online “in a way that minimizes operational disruption,” says Pat Moran, senior vice president of product and portfolio management. For example, the platform doesn't require Fifth Third to change the length of its data fields, which would require programming changes from terminals all the way through to merchants' store controllers and back-office systems, he notes. And Bartlett says Voltage's system for managing keys, the codes that govern encryption and decryption algorithms, can be implemented with relative ease. Whether a merchant would need a new point-of-sale terminal to implement end-to-end encryption would depend on the current terminal's age and if it can support external software, according to Bartlett. Fifth Third Processing doesn't have an exclusive deal with Voltage. “We will likely implement other vendors' solutions as needed, depending on merchant needs, our customers' needs,” says Moran. At a webinar Thursday sponsored by the merchant-acquiring trade group the Electronic Transactions Association, Bartlett, a speaker, noted that end-to-end encryption can present some problems for merchants. For example, if the encrypting system isn't working, merchants, especially small ones, need to decide if they will take a chance on fraud and approve transactions during the down time. “That is something that needs to be taken into account,” he said. He added that end-to-end encryption does add some time to the transaction process, but usually so little that customers won't notice. And for larger merchants with complex data operations, key management becomes increasingly important, according to Bartlett. Keys, for instance, cannot be exchanged between authorization providers, which could be an issue for large merchants that frequently use more than one authorization provider.