Hopefully by this point I have pointed out that encryption, end-to-end or otherwise, is not a silver bullet. It is just another tool to minimize the risk of data loss. But why has it become the topic du jour? That is what I hope to examine in this post.
There is the issue of end-to-end encryption even being feasible. As I pointed out in my last post, while it is feasible, it may not be as secure as Mr. Carr and others desire. In some cases, it may not be able to be implemented considering the technology used by all merchants. Merchants live on very thin margins, even Target and Wal-Mart. So the investment required to make changes may put some merchants out of business. In today’s economic climate, the loss of jobs will far outweigh the monetary losses. Until the economy picks up, merchants will likely fight to minimize any expenses to make changes to their systems and networks.
Speaking of monetary losses. Based on the latest statistics I could find, 7.5% of Americans (almost 23 million people) have suffered from financial fraud. While that is a fairly large number of people impacted, the total monetary losses to fraud versus total credit card charges are still well below 1%. Until that percentage gets higher, we will likely see the card brands and merchants to accept this loss as the cost of doing business.
The fact that the US House of Representatives looked at this issue in the Committee on Homeland Security speaks volumes. There is an assumption that this is the case since the bulk of fraud is now committed by criminal organizations. I do not discount the possibility that some of these fraud moneys likely flows to terrorists, but the amount is likely so small that it is inconsequential. Then there is the fact that Internet access in known terrorist countries and the number of attacks coming from those countries just does not support the conclusion that fraud funds terrorism. Granted, a lot of attacks and fraud are conducted by surrogates on behalf of others. However, based on everything I have read, there has been no correlation between the attackers and terrorists. Until this can be correlated, this is just a smoke screen in my book.
In her statement during the House hearings, Representative Yvette Clark (D-NY) held out Chip and PIN as one of the keys to securing credit card transactions. As I pointed out in my Chip and PIN post, this technology is not a silver bullet. In fact, it has its own security issues, the largest being that the encryption it offers is weak at best.
Unfortunately, I think this issue is being discussed because the people discussing it believe that encryption solves the data breach problem. If properly implemented, encryption will reduce the risk of successful data breaches, but it will not entirely get rid of them. It will just make them more difficult to execute. After all, banks and art museums still are robbed even with all of the security measures they have implemented. What makes anyone think that data breaches will stop because of encryption? That is the point, it will not. Data breaches will continue to occur with or without encryption. It is how successful those breaches are that will change.
PCI Guru 
0 Responses to “Is “End-To-End Encryption” Realistic? Part 3”