Javelin Study: End-to-End Encryption, Tokenization, and EMV in the US
Javelin has announced a new report titled "End-to-End Encryption, Tokenization, and EMV in the US: Vendor Analysis of Emerging Technologies and Best Hybrid Solutions" that "assesses the capabilities of end-to-end encryption, tokenization, virtual terminals, magnetic-stripe security and the EMV standard as solutions to combat payment-related data breaches."
If data breaches can’t be stopped, making the data useless to criminals is the next-best defensive strategy. With no true “end-to-end” encryption solution yet available, vendors are rapidly evolving their solutions to provide the best cardholder data protection. Javelin’s report analyzes all solutions against the backdrop of current breach criminal activity, recommending a hybrid of “end-to-end” encryption and tokenization for the best defense against payment card fraud. Javelin’s latest report finds that while current solutions fall short of offering true end-to-end encryption, they nonetheless satisfy the merchants’ need to remove payment card data from within their organizations.
"These emerging technologies minimize fraud losses due to data breaches by protecting, replacing or removing sensitive credit-card data," said James Van Dyke, President and Founder. "These approaches have come along at the right time because the recent flurry of large public data breaches has heightened the need for and cost of security compliance."
Javelin’s report analyzes how payment card industry solutions help merchants remove sensitive customer data while the data is in motion and in storage. This trend is supported by The National Retail Federation, which estimates that more than $1 billion has been spent to date by merchants on security compliance. Javelin also evaluates several technology vendor solutions for their ability to protect against data breaches:
- Processor Vendors: Chase Paymentech, First Data Corporation, Heartland Payment Systems and RBS WorldPay.
- Technology Vendors: Hypercom, Ingenico, MagTek, Semtek, VeriFone and Voltage.
- Tokenization Vendors: Chase Paymentech, Cybersource, nuBridges, RSA and Shift4
Key Report Findings:
- “End-to-end” encryption- tokenization hybrid solutions provide near complete solutions, especially for merchants that need access to card information on the backend.
- None of the current end-to-end solutions extend all the way from card swipe to card issuer—most start at the tamper-resistant security module and stop at the processor or just short of the gateway/processor.
- Deploying just one end-to-end solution may not suffice for all retail scenarios, so vendors must work in conjunction with other solutions.
- Cards with chip or EMV technology appear promising, but are unlikely to see widespread implementation soon in the U.S. due to complex market and fraud issues.
"If merchant cardholder data can be rendered useless to criminals, the liability and costs associated with PCI-compliance can be slashed," said Robert Vamosi, Analyst, Risk, Fraud and Security. "But the key question is how merchants and the card industry should select and implement security protection technologies right now."
Mention of Electronic Payment Exchange is conspicuously missing from the above article.
In August, Electronic Payment Exchange (www.epx.com) became the first payment processor to offer a true end-to-end solution that endorses and incorporates both
tokenization and encryption for securing cardholder data from the card reader through the entire transaction lifecycle. Using encrypted card readers with EPX’s BuyerWall™ credit card data tokenization technology, EPX has virtually removed merchants’ point-of-sale systems and card readers from the scope of PCI compliance and has substantially eliminated merchant liability associated with the risk of processing, transmitting, and storing sensitive cardholder data.
Encryption built into hardware and software at the point of sale provides strong protection against potential breaches before card numbers enter into the authorization process by immediately encoding credit card numbers upon the card swipe. Further securing the transactions, tokenization provides unsurpassed security against data breaches and identity theft after the initial card swipe by replacing account numbers with values that are meaningless to hackers and identity thieves.
David Hogan, CIO and senior vice president of retail operations for the National Retail
Federation (NRF), sees the value in EPX’s solution. "Protecting consumer's credit card data against
today’s professional hackers is a challenge for all merchants. EPX's announcement of a solution that
offers both end-to-end encryption along with tokenization is going to be well received by the entire
retail industry," states Hogan.
Posted by: Steven Kendus | January 22, 2010 at 04:59 AM
There are many companies that have been offering end to end encryption for a while. First isn't always best even if it could be proven.
Posted by: Accept Payments | January 23, 2010 at 07:37 AM
I find this tokenization a good protection against fraud, however I wonder how convenient this solution for the big hotel chains, car rentals etc.? How can they complete e.g the authorisation request (after the pre-authorisation) if they do not know the card details? Are they stored encrypted in the token somehow and can be reused?
Posted by: Eva | February 12, 2011 at 12:15 PM