End-to-end encryption can help merchants go beyond the current requirements of PCI (Payment Card Industry), solving for many vulnerabilities in the payments processing chain. End-to-end encryption (E2EE) addresses security weaknesses that exist when cardholder data has been captured but not yet authorized, and tokenization addresses security vulnerabilities after a transaction has been authorized. When combined, these two technologies provide a very strong way to secure data.
Where merchants are concerned, there are two points in the payment process where sensitive cardholder data is at risk of being exposed or stolen:
1. Pre-authorization – When the merchant has captured a consumer’s data and it is being sent or waiting to be sent to the acquirer/processor.
2. Post-authorization – When cardholder data has been sent back to the merchant with the authorization response from the acquirer/processor, and it is placed into some form of storage in the merchant environment.
Encryption is the process of using algorithmic schemes to transform plain text information into a non-readable form called ciphertext. A key (or algorithm) is required to decrypt the information and return it to its original plain text format. There are multiple approaches to encryption in the payment process. A merchant will need to evaluate its own environment to determine which approach or approaches would work best to meet its needs.
Session encryption
In session level encryption, the communication path in which the transaction flows from point A to Point B is encrypted; for example, from a POS terminal to a store’s central host, or from a consumer’s PC to an e-commerce web page. Session encryption is commonly used when the merchant doesn’t control the path all the way out to the end user. This is the case when purchases are made over the Internet. It’s not practical for a merchant to encrypt the data on a consumer’s PC, but it is easy to establish encryption for the communication session between the PC and the e-commerce web page. This is commonly called a secure socket layer, or SSL, and is often denoted by a yellow lock icon on a web page. Using SSL, all the information sent between the PC and the host server travels through an encrypted tunnel.
Data encryption
Depending on where in the process the data elements are encrypted, the merchant could be protected from internal fraud as well as external fraud. If the card data that a merchant wants to protect is encrypted at the point of capture – for example, at the customer-facing PIN entry device in a multi-lane retailer or at the data entry web page of an e-commerce site – and if that data stays encrypted until it is received by the processor, the data is protected all along the way. This is what often is called end-to-end encryption. Even if the transaction is intercepted at any point along the way, the encrypted card data is unreadable and it means nothing to anyone other than the processor that holds the decryption key. Where possible and practical, data encryption is preferable to having only session level encryption. Of course, a merchant can combine session encryption with data encryption for a “belt and suspenders” approach to security. Encrypted data moving through an encrypted tunnel would be doubly secured.
There are multiple ways that data encryption can be applied. Again, which method is “best” depends on a merchant’s specific environment.
Asymmetric encryption (public key/private)
Asymmetric encryption uses two separate keys, each of which has a specific function. A public key encrypts the data, while a private key decrypts the data. The public key can be freely distributed without the key management challenges of symmetric keys, since it can only encrypt and never decrypt data.
Data encryption in hardware
The process of encrypting cardholder data can be done in hardware in a tamper resistant security module. A TRSM device has the ability to destroy itself and render useless any data or keys stored in it if someone attempts to tamper with it.
Data encryption in software
Data encryption also can be performed by a software program. This approach provides more flexibility in where the encryption takes place, as it can be added to virtually any terminal, POS device or e-commerce server where card data is presented.
Multiple approaches to encryption are vital because there are so many different ways that information is given online during the payment security process. The encryption application must be placed at the right point in the payment process and this could be different depending on the type of payments a company receives. To learn more about security solutions, please contact us at https://alfatec.hr/en/contact/.
