Friday, July 3, 2009

HomeATM's SafeTPIN Could Cut E2EE Upgrade Costs in Half

End-to-End Encryption Would Cost $4.8 Billion - Mercator

Could HomeATM's PCI 2.0 Certified SafeTPIN cut costs by $3.0 Billion (60%) or more? You betcha!

Digital Transactions published a story on the cost of end-to-end encryption. Here is an excerpt:

Demand is booming for better payment card security as a result of the many data breaches of recent years, and the solution being touted more than any other is “end-to-end encryption.” But a new report from Mercator Advisory Group Inc. asserts that the term is imprecise and implementing the technology will take incentives, collaboration, and a lot of salesmanship. Meanwhile, the final tab for the solution is no small matter.

A point-of-sale terminal with end-to-end encryption starts at $500 for a mom-and-pop merchant and goes up for multi-lane retailers, the report notes. Author George Peabody, director of the emerging technologies advisory service at Maynard, Massachusetts-based Mercator, estimates the total cost to upgrade all U.S. terminals at $4.8 billion.


Editor's Note: HomeATM's PCI 2.0 Certified "Safe-T-PIN" point-of-sale terminal provides end-to-end encryption and can be purchased by "mom-and-pop" merchants for less than half the price quoted above. Translation: HomeATM reduces Mercator's estimate by $3.0 billion or more!


In addition, the HomeATM SafeTPIN incorporates an integrated PCI 2.x Certified PIN pad which provides full "Zone 1 through Zone 5" (see illustration below) end-to-end encryption. Because small merchants are the source of most data breaches, they need to improve the security of their cardholder data transmissions by upgrading to a POS terminal that encrypts the Track 2 data (including the Primary Account Number) the instant the card is swiped.

Kenneth Mages, CEO at HomeATM stated, “PCI 2.0 specifications are much more demanding than the previous versions when it comes to protecting a POS system. The choice of Atmel’s AT91SO25 Secure System-On-Chip has been really helpful to speed up and achieve our product certification and to ensure our unique E2EE (end to end encryption).”

MasterCard recently mandated that Level 2 merchants use a QSA to perform an onsite assessment of their Site Data Security. This is a HUGE departure from the previous requirement of an in-house "self-assessment" of their Site Data Protection programs. Another HUGE departure from the previous requirement of spending $500 for an E2EE point-of-sale terminal is the availability of HomeATM's SafeTPIN with integrated PCI 2.0 Certified PIN Entry Device. Says one analyst: "While this is definitely going to put a dent in Level 2 merchant budgets from this point on, I truly believe that this is a smart move by MasterCard."

Editor's Note: I agree it's a smart move, but putting a "dent" in Level 2 merchant budgets in these trying times may not be perceived by Level 2 merchants as an "image-enhancer" for MasterCard. Then again, there's more than one way to skin a cat. How about devising an incentive program for (at least Level 3 and Level 4) merchants to increase their security?

An incentive program (such as lowering interchange fees) to entice Level 3 and 4 merchants to upgrade to an E2EE PCI 2.0 device would make perfect sense. Why? Because it would significantly increase security, thus reduce fraud, thus save MasterCard money. It could also save the Level 3 and 4 merchants significant money (remove the dent) if it removed them from the scope of PCI compliance...which in turn would enhance MasterCard's image.


Let's review...
  • HomeATM could cut the cost of providing an E2EE point-of-sale terminal by 60%, saving upwards of $3 billion.
  • The SafeTPIN terminal includes a PCI 2.0 Certified PED (which comes encrypted and provides full Zone 1-5 protection).
  • The SafeTPIN terminal would potentially remove Level 3 and 4 merchants (who are the source of most data breaches) from the scope of PCI compliance (because the data is never in the clear with our E2EE PCI compliant device).
  • In order to create a "win-win-win" environment, Visa or MasterCard could incentivize them to make the upgrade by dangling the lower interchange carrot in front of them.

Think lower interchange fees sound far-fetched? The author of the Mercator report doesn't. Here's another excerpt from Digital Transactions News...

Small, so-called Level 4, merchants, meanwhile, are the source of most data breaches but often have little awareness of card-related security problems and balk at spending money to fix them. One way to spur the technology: interchange incentives for merchants. In the past two decades, Visa Inc. and MasterCard Inc. have offered price breaks to encourage merchants to use electronic terminals and to bring entire check- and cash-oriented merchant segments, including grocery stores and recurring billers, into the card-acceptor tent. “There’s no evidence that that’s in the offing, but there’s precedence for it,” says Peabody (the author of the Mercator Report).

Here's a graphic of the Zones required for complete 100% end-to-end encryption. Only PIN transactions can be encrypted from Zone 1 through Zone 5. HomeATM provides Zone 1 through Zone 4 encryption for credit and debit transactions, as it is currently not possible to provide Zone 5 coverage. Visa and MasterCard would have to overhaul their internal systems to emulate a PIN transaction to make that possible...



End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance
New Research Provides Guidance on End-to-End Encryption for Merchants and Processors

Boston, MA. - With the US payments system under continuous cyberattack and data breaches endemic, merchants and processors are scrambling to protect their data assets and cardholder data in particular. Card data encryption turns valuable data into worthless bits and bytes, eliminating the economic incentive for a cyberattack.

In a new report, End-to-End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance, Mercator Advisory Group explores end-to-end encryption (E2EE) in the hands of merchants, payment service providers and processors. In the face of the three bogies of PCI DSS compliance and penalties, reputational risk and direct financial loss, the acquiring half of the payments process is evaluating options for eliminating cleartext cardholder data from their systems. Tokenization (the subject of a recent Mercator report) and end-to-end encryption are the leading candidates. This report examines the complexity of E2EE within payments and enterprise security.

"End-to-end encryption's beauty is very much in the beholder's eye. If you're a Tier one merchant in no mood to risk the reputational crisis of a data breach, using E2EE to rid your network of card data is a good move," George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service and principal analyst on the report, comments. "E2EE also reduces the scope of PCI compliance audits and remediation costs, but the beauty of encryption and card security will likely be lost on millions of Tier 4 merchants. Strong sales incentives and messaging will be required to have them join in the data protection fight."

Highlights of the report include:
  • End-to-end encryption (E2EE) is a long-forestalled rational reaction to data breaches and PCI DSS audit costs.
  • The advantages to merchants of getting out from under a large set of PCI compliance burdens may make E2EE worthwhile.
  • Defining the "ends" in E2EE is a key step for every deployment.
  • The encryption zones under a processor's control - from the merchant's magstripe reader to the interconnection point with card brand or issuer - appear to be a manageable domain where the burdens of key management and new POS gear equal the benefits.
  • Standards development is in early days. A new working group under ASC X9 has brought together the key stakeholders, some of whom have sharply diverging goals.
