Beyond PCI
Aug 10, 2009 12:00 PM, By MICHAEL GARRY
With PCI compliance no guarantee of data security, retailers and card processors are exploring new technologies like end-to-end encryption and tokenization that promise better protection from cyber thieves
Is end-to-end encryption the “next big thing” in payment card security?
That's hard to say, especially in the highly complex and constantly changing world of data protection. But if you look at two of the biggest security breaches to hit retailing in the past few years — and the steps taken by the breached companies to prevent a reoccurrence of those break-ins — you would have to say that end-to-end encryption is on the retail horizon.
End-to-end encryption means that card data remains encrypted from the moment the card is swiped at the checkout to the moment it arrives at its final destination at the card brand or issuing bank for authorization and settlement. At no juncture is the data in a form useful to thieves.
Now consider Hannaford Bros., Scarborough, Maine, which suffered a data breach in late 2007 that exposed 4.2 million credit and debit cards. Hannaford determined that malicious software (“malware”) pilfered card numbers as the data was “in transit” from the card-swipe PIN pad across its private network.
Among the myriad ways Hannaford responded to the breach was to ensure that card data was encrypted, starting at the PIN pad in the checkout lane and continuing through the chain's network, thereby protecting the type of data that had been compromised in the breach.
Hannaford does not describe this as end-to-end encryption, acknowledged spokesman Michael Norton, “because that would imply that the data remains encrypted at all stages of the processing.” The chain has encrypted card data throughout its own network, but “for security reasons we're choosing not to be more specific about any points in the process where the status of that data changes.”
Enter Heartland Payment Systems, Princeton, N.J., a payment card processor that counts many food retailers among its customers. In January of this year, Heartland announced one of the largest data breaches ever reported. Cyber criminals using data-sniffing malware gained access to personal card data associated with the 100 million card transactions Heartland handles monthly.
In responding to its breach, Heartland went well beyond Hannaford's encryption effort by declaring that it would be committed to deploying a true end-to-end encryption system as quickly as possible — a move that could have broad implications for the retailing industry.
Robert Carr, Heartland's chairman and chief executive officer, saw the breach as an opportunity for the industry to move forward with adopting end-to-end encryption as an improved and safer standard of payments security. “Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data — and therefore businesses and consumers — much more effectively.”
Heartland has drawn some favorable reviews for its end-to-end encryption plan. “If a company is breached, it can spend a lot of time apologizing, or it can go on the offensive. Heartland has chosen to go on the offensive,” said Dave Taylor, founder, PCI Knowledge Base, Highland Village, Texas. “It's the most intelligent response I have seen to a breach.”