End to End Encryption and Tokenization
E2EE and Tokenization are often positioned as an either/or solution, but this is not the case. Each technology has its place in payment security. This article defines both solutions and their significant characteristics.
E2EE ensures the security of sensitive cardholder information from the moment the card is swiped all the way to when it is processed by a gateway or processor and passed on to a bank for authorization.
This technology ensures that at the point of card acceptance, i.e. within the Magnetic Stripe Reader (MSR) itself, the card data is securely encrypted at the Point of Sale (POS). MSRs use Triple DES encryption and DUKPT (Derived Unique Key Per Transaction) key management to encrypt cardholder data and transmit it securely over the network. Once the data is inside a secure, PCI DSS certified payment network, it is decrypted and passed on for authorization.
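The following is an added illustration, not code from the original article or from any vendor named in it, of the DUKPT idea described above: the host HSM holds a Base Derivation Key (BDK), each reader receives only a device-specific initial key, every transaction uses a freshly derived key, and the host rebuilds that key from the Key Serial Number (KSN) sent with the transaction. HMAC-SHA256 stands in for the ANSI X9.24 derivation and an HMAC tag stands in for the Triple DES encryption step, so this is the key-management pattern only, not the standard's algorithm; all key and device values are constructed.

```python
import hmac
import hashlib

# Constructed demo value: the BDK lives only in the host HSM and is never
# injected into any reader.
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def derive_initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Per-device key injected into the MSR at key-loading time."""
    return hmac.new(bdk, b"IK|" + device_id, hashlib.sha256).digest()


def derive_txn_key(initial_key: bytes, counter: int) -> bytes:
    """Unique key for one transaction, derived one-way from the initial key."""
    return hmac.new(initial_key, b"TXN|" + counter.to_bytes(3, "big"),
                    hashlib.sha256).digest()


class DemoReader:
    """Simplified MSR: holds the initial key and a transaction counter."""

    def __init__(self, device_id: bytes, initial_key: bytes):
        self.device_id = device_id
        self._ik = initial_key
        self.counter = 0

    def protect(self, track_data: bytes):
        """Return (KSN, tag). The per-transaction key is dropped after use,
        so a later compromise of the reader does not expose past transactions."""
        self.counter += 1
        txn_key = derive_txn_key(self._ik, self.counter)
        tag = hmac.new(txn_key, track_data, hashlib.sha256).hexdigest()
        ksn = self.device_id + self.counter.to_bytes(3, "big")
        return ksn, tag


def host_verify(bdk: bytes, ksn: bytes, track_data: bytes, tag: str) -> bool:
    """Host side: re-derive the transaction key from BDK + KSN, then check the tag."""
    device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
    txn_key = derive_txn_key(derive_initial_key(bdk, device_id), counter)
    expected = hmac.new(txn_key, track_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

The KSN travels in the clear alongside the protected data; only a party holding the BDK can turn it back into the transaction key.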
Historically, encryption has been the standard for securing data and is used in virtually every transaction for many different reasons. In using E2EE for credit card data security, Primary Account Number (PAN) data is transformed by an encryption algorithm into ciphertext that cannot be read without the key. A decryption key is required to translate the data back into a readable format. E2EE addresses a major insider threat. For many companies, however, encryption is not centrally managed: it is a feature that is easily added to applications and built into operating systems, databases, POS devices and so on.
The Payment Card Industry Security Standards Council (PCI SSC) has mandated E2EE technology for processors, software providers and merchants. An example of true end-to-end encryption is the distribution of a secret key under a Key Exchange Key (KEK) process between two hardware security modules (HSMs). The KEK process is a common practice in many other industries including government, telecommunications and banking, in applications where end-to-end security must be ensured. Using this technique, the secret key is never seen in the clear outside of the two endpoints. The first HSM (the origin) encrypts the secret key using the Key Exchange Key then the encrypted key can be securely sent to the second HSM (the destination) where it is decrypted.
However, there are drawbacks to this technology:
- Anyone who obtains the decryption key can easily access the sensitive and valuable credit card data.
- Hackers who obtain a series of encrypted data that was generated using the same algorithm can mathematically reverse it to decode the data.
- Using E2EE, card data may have to pass through multiple systems internally on the way to the acquiring bank or processor. The result is the dreaded “encrypt, decrypt, re-encrypt” scenario, which opens up holes to unauthorized insiders.
One important question is: Will end-to-end encryption eliminate the chance that stolen cardholder data can be used successfully for fraudulent transactions? The answer, unfortunately, is no. There is an old saying in the security industry that you cannot secure a grass hut with a steel door. In other words, if you harden the merchant and processor systems with end-to-end encryption, criminals may simply skim magnetic stripe data elsewhere. Imagine hordes of credit card magnetic stripe skimmers in the hands of restaurant employees. Or criminals using false fronts on ATMs in the U.K. to capture magnetic stripe data and Personal Identification Numbers (PINs), and then sending cloned magnetic stripe data to the U.S. for fraudulent attacks.
Tokenization
Tokenization replaces sensitive card data with unique identifiers that keep all the essential data without compromising its security. This approach has become popular as a way to increase the security of credit card and e-commerce transactions while minimizing the cost and complexity of PCI DSS regulations and standards. Tokenization involves the replacement of the PAN and other data by a surrogate number or “token” and then centralizing (or outsourcing) the storage of the real card data.
The token never needs to be decrypted, and the real PAN never needs to be called back into the merchant environment, because the token can be used repeatedly; hackers who steal tokens therefore have nothing of value.
Drawbacks to using tokenization exclusively:
- Tokenization does require the use of encryption for transmission of credit card data from the customer to the token vendor.
- There is no industry standard established for tokenization, although the PCI Security Standards Council has created a special interest group to construct a set of best practices for the technology.
Using Both Tokenization & E2EE
In the early stages of this new technology, large PIN pad manufacturers such as Equinox, Ingenico and VeriFone partnered with companies that handle E2EE and tokenization, or developed their own solutions. Companies such as TransArmor® (First Data), Element, Voltage, EPX and others have since developed hardware- and processor-agnostic functionality and interface with most credit card processing companies as long as the card data is encrypted at the MSR. VeriFone was one of the first to develop its own solution, VeriShield®, which has had success since its inception in 2008.
E2EE and tokenization are often positioned as an either/or solution, but this is not the case. Encryption has many uses and will likely never be completely obsolete, and tokenization solutions will incorporate some form of encryption into their processes. E2EE and tokenization work best together, offering the strongest data protection. Suggesting that one can take the place of the other does not take into account the reality of large, multi-channel merchants, gateways or service providers.
Conclusion – While each technology has its place in payment security, tokenization is emerging as the primary solution for organizations seeking to mitigate the potential impact of a security breach as well as reduce their overall PCI DSS scope and related costs.
For further information on using E2EE & Tokenization contact POSDATA, Inc. at sales@posdata.com