Beyond PCI

Is end-to-end encryption the “next big thing” in payment card security?

That's hard to say, especially in the highly complex and constantly changing world of data protection. But if you look at two of the biggest security breaches to hit retailing in the past few years — and the steps taken by the breached companies to prevent a reoccurrence of those break-ins — you would have to say that end-to-end encryption is on the retail horizon.

End-to-end encryption means that card data remains encrypted from the moment the card is swiped at the checkout to the moment it arrives at its final destination at the card brand or issuing bank for authorization and settlement. At no juncture is the data in a form useful to thieves.

Now consider Hannaford Bros., Scarborough, Maine, which suffered a data breach in late 2007 that exposed 4.2 million credit and debit cards. Hannaford determined that malicious software (“malware”) pilfered card numbers as the data was “in transit” from the card-swipe PIN pad across its private network.

Among the myriad ways Hannaford responded to the breach was to ensure that card data was encrypted, starting at the PIN pad in the checkout lane and continuing through the chain's network, thereby protecting the type of data that had been compromised in the breach.

Hannaford does not describe this as end-to-end encryption, acknowledged spokesman Michael Norton, “because that would imply that the data remains encrypted at all stages of the processing.” The chain has encrypted card data throughout its own network, but “for security reasons we're choosing not to be more specific about any points in the process where the status of that data changes.”

Enter Heartland Payment Systems, Princeton, N.J., a payment card processor that counts many food retailers among its customers. In January of this year, Heartland announced one of the largest data breaches ever reported. Cyber criminals using data-sniffing malware gained access to personal card data associated with the 100 million card transactions Heartland handles monthly.

In responding to its breach, Heartland went well beyond Hannaford's encryption effort by declaring that it would be committed to deploying a true end-to-end encryption system as quickly as possible — a move that could have broad implications for the retailing industry.

Robert Carr, Heartland's chairman and chief executive officer, saw the breach as an opportunity for the industry to move forward with adopting end-to-end encryption as an improved and safer standard of payments security. “Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data — and therefore businesses and consumers — much more effectively.”

Heartland has drawn some favorable reviews for its end-to-end encryption plan. “If a company is breached, it can spend a lot of time apologizing, or it can go on the offensive. Heartland has chosen to go on the offensive,” said Dave Taylor, founder, PCI Knowledge Base, Highland Village, Texas. “It's the most intelligent response I have seen to a breach.”

End-to-end encryption is not the only technology that is attracting attention in payment and retailing circles. Another relatively new application, tokenization, is also generating interest. But neither of these applications is needed by retailers to be in compliance with the Payment Card Industry (PCI) Data Security Standard, which all card-processing retailers are expected to follow; for example, the standard does not require card data to be encrypted over a private network.

Thus, retailers such as Hannaford that adopt some form of end-to-end encryption have decided to go for a higher level of security than what is currently required by the PCI standard. Of course, in Hannaford's case, more aggressive measures were called for since being PCI compliant did not prevent it from being breached. Other steps taken by the chain include implementation of Triple DES PIN encryption at the POS, and installation of host and network intrusion prevention systems as well as the most up-to-date firewalls at stores and headquarters, said Norton.

Given the Hannaford, Heartland and other high-profile breaches, the Payment Card Industry (PCI) Security Standards Council, Wakefield, Mass., which oversees the PCI standard, has commissioned a study by PricewaterhouseCoopers, New York, to assess the potential of end-to-end encryption, tokenization, and “chip and PIN” systems to improve the security of payment card data and possibly be included in the PCI standard; the results of the study will be presented at a PCI meeting in September. Another fairly new tool, known as “whitelisting,” has already gained some acceptance by the council.

In a public letter to the PCI Council in June, the National Retail Federation, Washington, and other trade groups urged the organization to, among other things, adopt a new standard that may include end-to-end encryption. Taylor said he expects that by the fall of 2010, when the next version of the PCI standard will be announced, “both end-to-end encryption and tokenization will find their way into the standard.”

In the meantime, retailers are using available technologies to meet the PCI requirements and secure their systems, including firewall solutions, tamper-resistant terminals, physically secured store servers and network segmentation (see story, Page 24).

FIRST STEP

On June 30, Heartland announced that it had successfully completed the first phase in the pilot of an end-to-end encryption system called E3. This involved the transmission of live AES (Advanced Encryption Standard)-encrypted credit card transactions from a Texas merchant to Heartland's processing platform, one of the first such transmissions of its kind. Card data typically makes this trip from the store to the processor in an unencrypted form, or “in the clear,” which left it vulnerable in the Hannaford and Heartland breaches.

In other encryption efforts, retailers have encrypted data from the cash register to a company gateway, “but that's not really end-to-end encryption,” said Steven Elefant, Heartland's executive director of end-to-end encryption. “We define E3 as encryption from the moment a card is swiped into a payment terminal until it reaches the card brand. That's the only way to get true security, because the bad guys are always looking for weak links at the edges.”

To achieve its goal, Heartland has developed and installed a tamper-resistant security module (TRSM) terminal at the checkout lanes of test stores in place of standard card-swipe transaction terminals, which encrypt only PINs. The TRSM encrypts PINs as well as the full track data contained in the magnetic stripe, including primary account numbers (PANs). The clear-text data is never exposed as it is transmitted through Heartland's processing platform for authorization and settlement.
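As an added illustration (not Heartland's E3 code, whose internals the article does not describe), the following Go sketch models the swipe-to-HSM leg: the terminal seals the track data with AES-256-GCM under a key it shares with the processor's HSM, binding the lane's terminal ID as associated data so the merchant network only ever carries ciphertext. The sample track data, terminal ID and key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample track-2 data for a test card number, not a real card.
const sampleTrack2 = ";4111111111111111=2512101123456789?"

// newGCM builds the AES-256-GCM instance shared by the TRSM and the HSM.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtSwipe models the TRSM: the track data is sealed the moment the card
// is read, with the lane's terminal ID bound as associated data, so the merchant
// network only ever carries nonce || ciphertext || tag.
func encryptAtSwipe(key []byte, terminalID string, track []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, []byte(terminalID)), nil
}

// decryptAtHSM models the processor's HSM, the first point where clear text
// exists; a truncated, tampered or re-addressed message is rejected.
func decryptAtHSM(key []byte, terminalID string, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(terminalID))
}
```

A sniffer on the store network sees only the sealed message, and the HSM refuses anything that was cut short, altered, or sent under another lane's ID.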

Retailers who participate in the E3 system would need to invest in a TRSM device, which costs about the same as a traditional terminal, but they will not be charged additional transaction processing fees. (Retailers need to use payment terminals in compliance with the PCI PED standard by 2010, which could be a reason for investing in a TRSM.) Heartland is “looking into the possibility” of retrofitting existing terminals for large chains such as supermarkets rather than replacing them, said Elefant. In addition, Heartland plans to indemnify retail participants properly using E3 hardware and software for any fines or fees should their data be compromised.

The E3 system is designed to protect data as it moves through five payment zones: from the data entry/card read at the merchant to the authorization network of the processor; from the entry to the authorization network of the processor through all points in which data is in motion within the networks of the processor and its subcontractors; while the data resides in a central processing unit or a host security module (HSM); while it is in a direct-access storage device or archival storage; and from the processor to the authorization and settlement centers of the card brand or issuing bank.

Elefant said Heartland has devised a way to improve the management of the “keys” that decrypt data in the HSMs, which receive the encrypted data at the Heartland processing network. Key management is sometimes considered a sticking point in the adoption of end-to-end encryption schemes.

The initial test with the Texas merchant covered the first four payment zones, which Heartland believes “will significantly impact the protection of cardholder data,” said Elefant. The fifth zone is contingent on cooperation from the card brands (Visa, MasterCard, Discover, American Express and JCB). “We are in active discussions with several of the brands, and our conversations have been very positive.”

By the end of July, Heartland was pursuing encryption pilots with 10 retailers of varying kinds, with plans to include a food retailer in the mix, Elefant told SN, adding that the company expects to launch E3 commercially late this year.

In the meantime, Heartland is working on several parallel efforts, including providing input into the development of an end-to-end encryption standard as a member of the ANSI ASC X9 F6 working group. The company is also working on the implementation in the E3 system of TRSM devices made by other vendors. Heartland is also sharing its experience with end-to-end encryption with two new technical groups, the Payment Processors Information Sharing Council (PPISC) and the Secure POS Vendor Alliance. At the first meeting of the PPISC in early May, Carr shared the source code of the malicious software that compromised Heartland's network with attendees.

Though E3 is a proprietary solution, Heartland supports the development of an end-to-end encryption standard that other processors could use to develop their own solution, said Elefant. “Some retailers would like their processors to step up and [offer end-to-end encryption],” said Taylor. “But they would be reluctant to change processors just to get it.”

One of the advantages of Heartland's end-to-end encryption for retailers is that transaction data such as PANs and dollar amounts — but not personal information like social security numbers — would be stored in encrypted form by the processor, reducing their responsibility and the costs associated with PCI compliance. “Retailers want their systems to be out of scope [of PCI compliance],” said Taylor of PCI Knowledge Base. “The goal is to have no card data in their systems so they won't be assessed by PCI.” Internal encryption by a retailer does not accomplish this, but outsourcing the card data storage does, he noted.

Whether they store card data or outsource it, retailers are required by the card companies to produce a card receipt when purchases are disputed. Dave Hogan, chief information officer of the National Retail Federation, is a strong proponent of the view that purchase disputes should be resolved by the issuing and acquiring banks, without asking retailers for sensitive data.

Another end-to-end encryption system, VeriShield Protect, is being marketed by VeriFone, San Jose, Calif., to retailers and processors. VeriShield Protect shields credit and debit information from the card swipe until the data is received at a secure decryption device located at the retailer, service provider or processor/acquirer location. Like E3, VeriFone's system includes a TRSM at the checkout lane and an HSM at the endpoint of a transmission.

Jeff Wakefield, VeriFone's vice president of marketing, said that a few retailers, which he would not name, have adopted the VeriShield Protect system within their enterprises, but have not extended it to a processor or acquirer bank. “One retailer hopes to move it to an acquirer when the acquirer is ready,” he said. Elefant acknowledged that Heartland is talking to VeriFone about accepting encrypted transactions via VeriFone's system.

SURROGATE DATA

While end-to-end encryption addresses the vulnerability of card data in transit, tokenization deals with card and other sensitive data that is kept by the retailer. The strategy involves using a tokenized version of the data — in effect, surrogate data — in various applications such as loyalty analysis or loss prevention, leaving the actual data encrypted in one central location, the only place that would be in the scope of PCI compliance. Since tokenized data has no value to an outsider, it is not governed by PCI rules, a considerable cost savings to the retailer.

“It's like Disney money — worthwhile in Disneyland but useless elsewhere,” said Gary Palgon, vice president of product management for nuBridges, Atlanta. In April, nuBridges launched a tokenization system called Protect Token Manager, with licensing fees starting at $50,000.

With tokenization, a retailer could take encrypted data that had been in 40 systems and put it in one or two systems, noted Taylor of PCI Knowledge Base. “Encryption is expensive and key management is very complex and not a lot of people do it well. So the fewer systems that have encrypted data, the better off you are.”
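To make the “surrogate data” idea concrete, here is an added Go sketch of a minimal token vault. It is not nuBridges' Protect Token Manager or any product named here; the 13-to-19-digit PAN rule, the last-four-preserving token format and the test card numbers are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"regexp"
)

// The vault's two lookup tables. In a real deployment they exist only inside the
// central vault, encrypted at rest (assumed, not shown); no other system has them.
var (
	byPAN   = map[string]string{} // PAN -> token: a card always maps to the same token
	byToken = map[string]string{} // token -> PAN: the only way back to the real number
	panRE   = regexp.MustCompile(`^[0-9]{13,19}$`)
)

// randomDigits draws n decimal digits from the OS CSPRNG, each chosen uniformly.
func randomDigits(n int) string {
	out := make([]byte, n)
	for i := range out {
		d, _ := rand.Int(rand.Reader, big.NewInt(10)) // rand.Reader does not fail on Go 1.24+
		out[i] = '0' + byte(d.Int64())
	}
	return string(out)
}

// Tokenize returns a same-length surrogate that keeps only the last four digits
// (assumed design choice, so loyalty reports can still show "...1111"); the rest
// is random, so a token taken from any downstream system reveals nothing.
func Tokenize(pan string) (string, error) {
	if !panRE.MatchString(pan) {
		return "", errors.New("PAN must be 13 to 19 digits")
	}
	if tok, ok := byPAN[pan]; ok {
		return tok, nil // deterministic, so repeat visits by one card correlate
	}
	for {
		tok := randomDigits(len(pan)-4) + pan[len(pan)-4:]
		if _, taken := byToken[tok]; taken || tok == pan {
			continue // never reuse a token or hand the PAN back as its own token
		}
		byPAN[pan], byToken[tok] = tok, pan
		return tok, nil
	}
}

// Detokenize runs only inside the vault; no downstream system can reverse a token.
func Detokenize(tok string) (pan string, ok bool) {
	pan, ok = byToken[tok]
	return pan, ok
}
```

Only the vault holds the two tables, which is what puts the loyalty, loss-prevention and other systems that handle tokens out of PCI scope.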

Though relatively new, tokenization “is very attractive to the merchants I've talked to,” said Taylor. In fact, he added, leading retailers are looking at both tokenization and end-to-end encryption, “with some waiting for an integrated solution to emerge.”

Over the past two years, another technology that has been used to safeguard POS systems is whitelisting. Unlike “blacklisting” anti-virus programs that block specific unwanted software from entering a system, whitelisting defines a list of approved software and storage devices, and keeps out everything else. “Whitelisting is more proactive and secure than blacklisting,” said Tom Murphy, chief strategist for Bit9, Waltham, Mass., which markets a whitelisting system called Bit9 Parity. For the POS, it costs $30 per lane.

Whitelisting also works better on older systems than anti-virus applications that consume a lot of capacity, said Murphy. The PCI standard still requires that retailers use anti-virus protection, though whitelisting can be used as a control as well, and Bit9 is lobbying the PCI Council to regard whitelisting as a substitute for anti-virus programs, said Murphy.

Retailers using Bit9's whitelisting system at the POS include 7-Eleven and Stop & Shop. Jungle Jim's International Market is using Bit9 on its desktop systems.