New Report: End-to-End Encryption in Card Payments

A new report from Aite Group provides insight into where end-to-end encryption (E2EE) is going based on the perspectives of key decision-makers at core vendors of such solutions. Among other things, the report considers the revenue models being adopted by E2EE vendors and speculates on the long-term prospects for E2EE adoption, standardisation of tokenisation, and the likelihood of a shift to EMV chip card infrastructure in the US.

Aite Group concludes that the most appropriate technological route to address current card fraud threats in the US is E2EE, particularly given the entrenched nature of magnetic-stripe card infrastructure in the US. While E2EE does not prevent the use of counterfeit or lost and stolen cards, it does prevent criminals from accessing the raw material for card crime: the card data itself. It also appeals to merchants by helping to remove them from the scope of the Payment Card Industry Data Security Standard (PCI DSS). In fact, vendors perceive merchants to be as likely to purchase E2EE solutions to offload PCI DSS requirements as to secure card data.

“Merchant choices will be highly subjective based on transaction fees, hardware requirements, and, not insignificantly, the degree to which an offering removes the merchant from PCI scope,” said Nick Holland, senior analyst with Aite Group and author of the report. “While a focus on PCI scope reduction may be a fine way for E2EE vendors to gain merchant attention, it loses sight of the fundamental aspect of solutions – protecting consumer cardholder data. Vendors should be careful not to over-focus on this aspect of E2EE promotion; ultimately, the definition of what takes PCI out of scope is in the hands of the PCI Standards Council, and not in the hands of vendors.”

The providers of E2EE are generally point-of-sale (POS) hardware vendors, payments processors, or security vendors that partner with E2EE experts to offer solutions. Among the providers mentioned in the report are Element, First Data Corporation, Heartland, Hypercom, Ingenico, MagTek, RSA, Semtek, VeriFone, and Voltage Security.
