For the last time, there are no single ‘silver bullet’ solutions to perfectly securing cardholder data and their related transaction flows. As my blog shows, I get comments from all sorts of people saying otherwise. However, whether you are talking about Chip and PIN, end-to-end encryption, data encryption or tokenization, none of these technologies offer the complete solution to stopping credit card fraud.
Chip and PIN
Chip and PIN was developed to address the problem of face-to-face transaction fraud. It does not solve the problem of cardholder data being breached in back office systems where most breaches take place. The attackers know that somewhere in the transaction flow process, someone has to have the cardholder data. Chip and PIN does not address the back office and never will. It is not that Chip and PIN is a bad idea, it is the fact that implementing Chip and PIN does not, in and of itself, solve the issues faced with breaches.
End-to-end encryption requires that each end uses the same encryption process. So the first problem is that each acquiring bank or service provider will likely have their own particular implementation of end-to-end encryption meaning that interoperability will not exist. So those merchants with multiple processors will likely have problems with end-to-end encryption unless they use separate systems. However, that is minor compared to the next issue. The other problem is that there are a lot of ISOs and service providers in the transaction flow that require access to the transaction making end-to-end encryption not quite as easy as one might think. However, the biggest problem with end-to-end encryption is that it only protects the cardholder data from one endpoint to the other endpoint. It does nothing about protecting the endpoints themselves or the environment outside of the endpoints. As a result, the endpoints and the environments outside the endpoints become the targets. While the endpoint at the processor or acquiring bank is likely fairly well protected, the endpoint at the merchant is probably the weak link and therefore the merchant is still the target. The most likely target here is doctoring the card terminals or POS software so that the attacker can gain access to the cardholder data before it hits the encryption process. End-to-end encryption does nothing to prevent the tampering of the endpoints. As with Chip and PIN, end-to-end encryption only addresses a part of the problem.
Data encryption is great for protecting the data when it is stored as well as when it is in transit. However, unlike end-to-end encryption, under data encryption when data is in transit there are multiple points where the data is decrypted and encrypted as it moves through the authorization and payment processes. Any one of these points could be compromised and the data encryption defeated. Cardholder data that is stored encrypted still has the threat of being compromised either at the point it is encrypted or if the encryption key be compromised. If data is only encrypted during transmission or if it is only encrypted when stored, the data is susceptible to compromise wherever it is not protected. As with end-to-end encryption, data encryption can solve a portion of the problem, but not the entire problem.
Tokenization is the act of creating a value, the ‘token’, and using the token as a way to reference the actual cardholder data. Tokenization is great for merchants because it allows them to keep their old systems running unmodified by having the system believe it is getting back the PAN when in fact it is just a token. However, the cardholder data still has to be transmitted in order for a token to be generated, so the merchant is still not out of scope. Worse yet, if the transmission is not protected, then the data stream is susceptible to compromise. As with all of our other solutions, tokenization is also not a complete solution.
The bottom line is that none of these technologies individually is the answer to our security issues with cardholder data. However, if they are used together, they can provide a formidable defense against compromise. But why is that? As with all good security solutions, it involves defense in depth. Since there is no single, ‘silver bullet’ that can solve the problem, we have to look at multiple solutions that, when put together, create a defense in depth approach to provide as much security as possible.
By using Chip and PIN in conjunction with end-to-end encryption, data encryption and tokenization, we create a gauntlet of protection. However, as I always like to remind people, security is not perfect and even this solution is not a ‘silver bullet’. There are controls and monitoring required ensuring that endpoints remain secure, encryption keys are protected and that endpoints are not tampered with. However, such an approach would go a long way to minimizing the threat of compromises.