Point-to-Point Encryption (P2PE) and Seat Belts

by David Fish

Since Heartland Payment Systems popularized the concept after the breach of its servers was disclosed in late 2008, the merchant acquiring industry’s adoption of point-to-point encryption (or “end-to-end encryption,” as that firm calls it) has been relatively gradual.

It wasn’t long after the Heartland breach that WorldPay and VeriFone offered the first commercial implementation of VeriShield Protect, First Data and RSA introduced TransArmor, and the market has seen a succession of releases in the years since. Three years later, several other acquirers have joined the fray, with Elavon having announced an upgrade to its Safe-T Suite of PCI-related solutions earlier this year. A number of vendors, including Prime Factors, VeriFone, Semtek, Voltage Security, and Transaction Network Services, have also found resellers in the direct merchant services space to bring third-party solutions to market.

These are all positive developments for an industry that sold a product for 50 years without much more than basic safety features. Compare the development arc on card payments to automobiles and the addition of seat belts as a standard feature in 1958, the same year that Bank of America started BankAmericard, the credit card association now known as Visa. That span of time appears to roughly match the number of decades that elapsed between the autocar’s mass marketing and the introduction of a commodity technology that became the primary means of ensuring the basic safety of the motoring masses.

Did the seat belt expand the automobile market by virtue of adding an element of safety to a product that already had mass adoption? No, of course not. While some car buyers perhaps sought out models with seat belts in the early days of their existence, as they did in somewhat stronger numbers when airbags were put into vehicles, the proliferation of automotive safety technology was either due to government regulation or the readiness of the market to receive, and pay for, the added feature. Manufacturers acted upon mandates in the first instance, and in the second instance on something that cannot rightly be called demand, but perhaps passive willingness to buy something that manufacturers knew they should offer as a standard feature because it was the right thing to do.

Despite the marketing efforts of all the merchant acquirers in the market, merchants seem less inclined to display anything more than simmering demand for a more secure card payment ecosystem. The prevailing attitude, as far as we can estimate, is that merchants believe that the kind of security that point-to-point encryption can deliver should be a standard element of the payment process.

This week’s announcement from Visa, that it will be the first card network to offer a point-to-point encryption solution, is all the more interesting in this context, and certainly many questions about Visa’s pricing and distribution of P2PE remain. What can existing vendors expect? What if Visa decides that encryption will become a standard feature of card payment processing by offering the service free of charge? This isn’t something I think they’ll do, since the representatives that briefed me on this announcement indicated that P2PE from Visa would be something that acquirers would be able to resell, and would also be able to make interoperable with existing vendor solutions.

(Tangent: the difference with Visa’s encryption service is that it finally provides data-level encryption within the connection (the DEX) between an acquirer’s processing platform or direct-connect merchant’s switch and VisaNet. Visa can also now support data-level encryption from third-party vendors.)

Back to the seatbelt analogy: If Visa’s P2PE service does become the standard, is innovation in danger? Do we have to wait 20 years for someone to introduce the equivalent of airbags? Don’t get me wrong: Visa should be applauded for introducing P2PE at the network level, especially before regulation or litigation made it so. In fact, I think both developments I’ve discussed herein are positive. The expansion of acquirer offerings of third-party encryption services and Visa’s own initiative indicate that the payments industry is moving in the right direction when it comes to protecting cardholder data. I only hope the market gains an appetite soon for encryption before it either has something forced down its throat, or it has to settle for a very basic “solution” that grants no room for improvement down the road.