Sunday, July 19, 2009

Mercator End to End Encryption Report

Mercator Advisory Group recently published “End to End Encryption: The Acquiring Side Responds to Data Loss and PCI Compliance.” The report was written by George Peabody, Principal Analyst for Mercator and was published in June 2009.

Among the findings in the report:

• “PCI, as it is defined today, while necessary, is not sufficient. More robust approaches are required. And that is where card number encryption enters the scene, as another method of removing high value card numbers from merchant, processor and acquirer systems.”
• “Encryption is about making secret data economically and computationally impractical to steal. Having done that, cyber criminals have no ability to profit from what data they do manage to steal after they've broken into the enterprise.”
• Mercator projects that the scope of PCI DSS audits should be reduced by 75% and annual compliance maintenance costs should be reduced by 80% by implementing a proper end to end encryption solution. In their analysis, that translates to between $262,500 and $1,750,000 in annual savings to a retailer.
• George Peabody believes that retailers should be given an interchange break for implementing an end to end encryption solution. “There is precedent for incentive interchange rates based on merchant deployment of fraud and risk controls. E2EE deployment by a merchant qualifies as a fraud and risk control. After all the PCI DSS expenditures made by merchants, under threat of a stick, a handful of basis points for good citizenship would let the Acquiring Team know that its efforts are appreciated. Since they have to play by the Issuing Team's rules, it is deserved.”
• “The only way E2EE becomes systemic is if it becomes mandated for all merchants or an interchange incentive is given or E2EE saves enough money and pain to compel merchants.... and upstream through to issuers.”
