Price Tag for End-to-End Encryption: $4.8 Billion, Mercator Says

Demand is booming for better payment card security as a result of the many data breaches of recent years, and the solution being touted more than any other is “end-to-end encryption.” But a new report from Mercator Advisory Group Inc. asserts that the term is imprecise and implementing the technology will take incentives, collaboration, and a lot of salesmanship. Meanwhile, the final tab for the solution is no small matter. A point-of-sale terminal with end-to-end encryption starts at $500 for a mom-and-pop merchant and goes up for multi-lane retailers, the report notes. Author George Peabody, director of the emerging technologies advisory service at Maynard, Mass.-based Mercator, estimates the total cost to upgrade all U.S. terminals at $4.8 billion. While the card industry's techies have discussed end-to-end encryption of track data on credit and debit cards' magnetic stripes for years, the term came to the forefront this year in the wake of the big data breach at merchant acquirer Heartland Payment Systems Inc. In an effort to restore its reputation and enhance its own as well as the entire card industry's security, Heartland announced a major commitment to end-to-end encryption (Digital Transactions News, Jan. 26). That effort is now well along, Mercator notes in its report, “End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance”. In addition to hiring a new senior security executive and pushing the industry for more sharing of data-breach information, Heartland has even commissioned a third-party manufacturer to build point-of-sale terminals that meet its new requirements. Many other industry players, including specialty-software providers and the major POS terminal vendors, also are working their own variants of end-to-end encryption. End-to-end encryption typically refers to the scrambling of the primary account number (PAN) and track data as soon as the card is swiped and decrypting the data when they are safely at an endpoint and supposedly out of reach of hackers. “End-to end encryption is kind of a misnomer; you've got to define your endpoints,” Peabody tells Digital Transactions News. For example, if the endpoint is at a gateway operator that then hands off “clear-text” data to an upstream acquirer over a point-to-point telecommunications link, the merchant's security may be improved but not necessarily the gateway's or the upstream processor's, according to the report. “Given the range of technical approaches and the operational context of the customer?risk tolerance, brand protection, technical priorities, and financial condition?each organization deploying [end-to-end encryption] will have to locate those 'ends' for itself,” the report says. Apart from the considerable technology issues, advocates will face big hurdles in persuading merchants to adopt end-to-end encryption, according to Peabody. Large Level 1 retailers, so-called because of their high payment card transaction volume, have the technological and financial resources to invest in better security technology as well as national reputations to protect, and thus might be easier sells than small merchants. Large merchants also are especially keen on lowering their costs and time devoted to the Payment Card Industry data-security standard, or PCI, the controversial common set of rules for securing transactions on the major card networks. Small, so-called Level 4, merchants, meanwhile, are the source of most data breaches but often have little awareness of card-related security problems and balk at spending money to fix them. One way to spur the technology: interchange incentives for merchants. In the past two decades, Visa Inc. and MasterCard Inc. have offered price breaks to encourage merchants to use electronic terminals and to bring entire check- and cash-oriented merchant segments, including grocery stores and recurring billers, into the card-acceptor tent. “There's no evidence that that's in the offing, but there's precedence for it,” says Peabody. Besides possible financial incentives, better cyber-security “takes aggressive collaboration,” according to the report. Losses might have been mitigated had an entity such as The Financial Services Information Sharing and Analysis Center's new Payments Processing Information Sharing Council been in place before the breach at Heartland and another at RBS WorldPay Inc., which came to light around the same time, the report says. Another benefit of collaboration: less pressure for government-mandated solutions. Mercator also says the industry needs to agree on encryption standards. But “a standardized approach is unlikely to emerge soon” because of “too many competing agendas,” the report says.