Everybody’s Coupling With Encryption Alliances

Written by Evan Schuman
October 29th, 2009

As the retail industry quickly moves to embrace some kind of tokenization, middle-to-middle encryption or a related scheme to reduce how long card data is lying around retail networks waiting to be stolen, vendor alliances are popping up like crabgrass. (By the way, don’t say anything nasty about crabgrass. It’s the only thing on my lawn that will grow.)

You’ll note, however, that no one is announcing deployments by major retailers or releasing detailed trial results showing that any of this stuff actually works. Vendor alliances are easy because no one has to show or do anything for them. That said, these partnerships are a start.

On Tuesday (Oct. 27), Chase Paymentech, VeriFone and Semtek said they would be working together on middle-to-middle encryption. Also on Tuesday, Voltage Security pushed its middle-to-middle encryption tactics by stating that it would be opening its encryption package to all POS vendors (as if anyone expected the company to refuse to accept money from any POS vendor offering it?) and by announcing a “zero-cost licensing program for integration” of its technology.

“It will be no cost to do the port and no cost when they distribute the device,” said Wasim Ahmad, Voltage’s vice president, Marketing. Given that Voltage had never intended—nor was it expected—to charge for those services, it seems an odd announcement.

Rounding out the latest alliances is a pledge from Hypercom and Heartland Payment Systems to jointly push the Heartland encryption package.


3 Comments

  1. Patrick Hazel Says:

    [Semtek has a commercial interest in the topic under discussion]

    I’m not exactly sure what point you are trying to make here, diminishing vendors in the end to end space by suggesting that they are middle to middle not end to end, etc. This battle of terminology (end to end v. point to point v. middle to middle) is completely beside the point and confuses the end game with practical progress. As long as the network end keeps consolidating towards the top, the industry is making substantial headway. Don’t let the perfect be the enemy of the good! As one of our clients likes to say “as long as the end is not my (rear) end, I’m in a better place.”

    It is also a bit too cynical to insinuate that none of these systems have been deployed. Semtek, as a matter of policy, does not disclose the names of their clients and we are certainly not alone in that practice. Semtek has deployed these systems on a large scale, the installations have all passed new ROCs, and are meeting all expectations. I assume other vendors are in a similar spot. I understand that this lack of merchant identification is frustrating to journalists and analysts, but there are bigger issues at stake than who gets credit.

  2. Evan Schuman Says:

    Editor’s Note: Thanks for the comment, Patrick, but I think you’re seeing words (or implications) that simply aren’t there.
    You reference “diminishing vendors in the end-to-end space.” I can’t speak for others, but the story you referenced absolutely did not diminish anyone. It merely stood firm to some reasonable definitions. A major processor, Fifth Third, has discussed true end-to-end encryption, where the card is encrypted at the point the plastic card is manufactured and it stays encrypted through the consumer, through the retailer and doesn’t get unencrypted until it arrives at the processor. THAT’s end-to-end encryption. It’s confusing to refer to something else as end-to-end. The term we’ve heard used is middle-to-middle, which seems appropriate. Middle-to-middle is the best approach being actively deployed today so we’re certainly not diminishing it. But we’re not going to call it something it’s not. Fair is fair.
    I wholeheartedly agree that we shouldn’t let the perfect be the enemy of the good. But by the same token (play on words intended), we’re not going to start calling “the good” by the term “the perfect” just because it will make the makers of “the good” feel better.
    You also expressed the concern that the story seems “to insinuate that none of these systems have been deployed.” Not at all. If you read the story again, I think you’ll find no such insinuation. But again, we have to be honest. We hear a lot of vendor claims and we’re hearing nothing from retailers deploying. We all know why and we’re not quarreling with that. But a judge has to make rulings based on what is before her, even if there might be a very good reason (trade secrets, military secrets, fear of cross-examination, self-incrimination, etc.) why those details haven’t been presented. In reporting on these events, it’s important to put them into context that we haven’t heard about specific deployments. No one is saying that they don’t exist, but until we can drill down into those details, we have to be careful about the claims being made.

  3. PCI Guy Says:

    If anyone is “diminishing vendors in the end to end space,” it would be Semtek’s partner and major investor, Verifone, by choosing litigation over innovation to compete against Heartland’s “substantial headway.”

