Point-to-Point Encryption (P2PE) and Seat Belts
August 27, 2012
David Fish
Mercator Advisory Group
Since Heartland Payment Systems popularized the concept after the breach of its servers was disclosed in late 2008, the merchant acquiring industry’s adoption of point-to-point encryption (or “end-to-end encryption,” as that firm calls it) has been relatively gradual.
It wasn’t long after the Heartland breach that WorldPay and VeriFone offered the first commercial implementation of VeriShield Protect and First Data and RSA introduced TransArmor, and the market has seen a succession of releases in the years since. Three years on, several other acquirers have joined the fray, with Elavon having announced an upgrade to its Safe-T Suite of PCI-related solutions earlier this year. A number of vendors, including Prime Factors, VeriFone, Semtek, Voltage Security, and Transaction Network Services, have also found resellers in the direct merchant services space to bring third-party solutions to market.
These are all positive developments for an industry that sold a product for 50 years without much more than basic safety features. Compare the development arc on card payments to automobiles and the addition of seat belts as a standard feature in 1958, the same year that Bank of America started BankAmericard, the credit card association now known as Visa. That span of time appears to roughly match the number of decades that elapsed between the autocar’s mass marketing and the introduction of a commodity technology that became the primary means of ensuring the basic safety of the motoring masses.
Did the seat belt expand the automobile market by virtue of adding an element of safety to a product that already had mass adoption? No, of course not. While some car buyers perhaps sought out models with seat belts in the early days of their existence, as they did in somewhat stronger numbers when airbags were put into vehicles, the proliferation of automotive safety technology was either due to government regulation or the readiness of the market to receive, and pay for, the added feature. Manufacturers acted upon mandates in the first instance, and in the second instance on something that cannot rightly be called demand, but perhaps passive willingness to buy something that manufacturers knew they should offer as a standard feature because it was the right thing to do.
Despite the marketing efforts of all the merchant acquirers in the market, merchants seem less inclined to display anything more than simmering demand for a more secure card payment ecosystem. The prevailing attitude, as far as we can estimate, is that merchants believe that the kind of security that point-to-point encryption can deliver should be a standard element of the payment process.
This week’s announcement from Visa, that it will be the first card network to offer a point-to-point encryption solution, is all the more interesting in this context, and certainly many questions about Visa’s pricing and distribution of P2PE remain. What can existing vendors expect? What if Visa decides that encryption will become a standard feature of card payment processing by offering the service free of charge? This isn’t something I think they’ll do, since the representatives that briefed me on this announcement indicated that P2PE from Visa would be something that acquirers would be able to resell, and would be also able to make interoperable with existing vendor solutions.
(Tangent: the difference with Visa’s encryption service is that it finally provides data-level encryption within the connection (the DEX) between an acquirer’s processing platform or direct-connect merchant’s switch and VisaNet. Visa can also now support data-level encryption from third-party vendors.)
Back to the seat belt analogy: If Visa’s P2PE service does become the standard, is innovation in danger? Do we have to wait 20 years for someone to introduce the equivalent of airbags? Don’t get me wrong: Visa should be applauded for introducing P2PE at the network level, especially before regulation or litigation made it so. In fact, I think both developments I’ve discussed herein are positive. The expansion of acquirer offerings of third-party encryption services and Visa’s own initiative indicate that the payments industry is moving in the right direction when it comes to protecting cardholder data. I only hope the market gains an appetite for encryption soon, before it either has something forced down its throat or has to settle for a very basic “solution” that grants no room for improvement down the road.