Tuesday, October 20, 2009

I read the recent article "Tokenization Vs. End-to-End Encryption: Experts Weigh in" published in Bank Information Security yesterday and felt compelled to send the following letter to the editor to correct the misinformation it contained.

_____________________________________________________________

Linda McGlasson
Managing Editor, Bank Information Security

I read the recent article you published on Tokenization versus End-to-End Encryption and I think there are several errors or misconceptions that should be corrected. Perhaps some of this comes from the bias of the experts you interviewed.

First, the entire discussion of tokenization versus end-to-end encryption does not even make sense. This is not an either/or solution, nor is it a large versus small company decision. Both tokenization and end-to-end encryption can improve the security of cardholder data, and they can work well together in many environments.

By definition, tokenization cannot take place at the point of card swipe. Cardholder data must be sent throughout the authorization process to a secure token server before a token can be generated and sent back in the response message. This is the main reason why tokenization cannot stand alone in protecting cardholder data. It will remain unprotected in payment terminals, POS systems and retailer host systems, where it may be captured by malware planted by criminals.

However, for long term data storage, tokenization may be the ideal solution for many retailers. We are partnering with several processors and merchants to deploy solutions which protect cardholder data in transit with end-to-end encryption and data at rest with tokenization.

The first important point about end-to-end encryption is that it should take place as soon as the card is swiped and remain protected as it traverses the payment infrastructure until it is decrypted. If that decryption takes place at the merchant’s acquiring processor, then there is no unencrypted cardholder data in the retailer’s environment.

And I will have to disagree with Anton Chuvakin that no one can roll out an end-to-end encryption solution and have it secure and usable. If the acquirer is involved and the payment terminal manufacturer provides a robust end-to-end encryption solution, then smaller Level 4 merchants can remove clear-text cardholder data from their environment. By following industry encryption and key management standards, such as those defined by Visa in their recent Data Field Encryption Best Practices, larger merchants can also implement a secure and usable end-to-end encryption solution.

Kevin Nixon, your independent security consultant, needs to learn more about the end-to-end encryption solutions on the market. I suspect he is a QSA and fears that if security technology removes systems from PCI DSS scope he will be out of a job. It has nothing to do with doing security on the cheap; it has everything to do with doing the best security. In fact, end-to-end encryption for many retailers will cost more than their annual PCI DSS assessment. Further, he argues such encryption could encrypt a worm and send it along. First, end-to-end encryption, done per the Visa Data Field Encryption standards, is done in the Tamper Resistant Security Module (TRSM) of the payment device, which is protected by many of those layers Kevin talks about. And how could someone write a worm or malware and make it fit in the limited bytes of track data?

Perhaps next time you write an article about end-to-end encryption or tokenization you should consider talking to some of the vendors who are currently helping retailers protect sensitive cardholder data.

Jeff Wakefield
VP & General Manager, Global Security Solutions, VeriFone
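As an added illustration of the architecture the letter describes (the terminal encrypts at swipe, the merchant only relays ciphertext, the acquirer decrypts, authorizes and returns a token for the merchant to store), here is a small simulation. This is example code written for this post; it is not VeriFone's code and not a real payment protocol. Assumptions: the terminal and acquirer already share a key (real devices keep it in the TRSM; here it is a Python attribute), the cipher is an HMAC-SHA256 counter-mode stream used as a stand-in for the device's hardware cipher, a Luhn check stands in for issuer authorization, and the token format (12 random digits plus the card's last four) is a choice made for the example.

```python
import hashlib
import hmac
import json
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check, used here only as a stand-in for issuer authorization."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as the PRF.
    Stand-in for the TRSM's cipher (assumption); one call both encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class Terminal:
    """Payment device: the only merchant-side component that ever sees the PAN."""

    def __init__(self, key: bytes):
        self._key = key             # would live inside the TRSM on a real device

    def swipe(self, pan: str, expiry: str) -> dict:
        nonce = secrets.token_bytes(12)
        track = f"{pan}={expiry}".encode()
        ct = _ctr_xor(self._key, nonce, track)
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).hexdigest()
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


class Acquirer:
    """Processor side: decrypts, authorizes, tokenizes; the vault never leaves here."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}            # token -> PAN
        self._by_pan = {}           # PAN -> token, so a repeat card gets the same token

    def _tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:                 # retry on the (negligible) chance of a collision
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._vault:
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def authorize(self, msg: dict) -> dict:
        nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
        expect = hmac.new(self._key, nonce + ct, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, msg["tag"]):
            return {"approved": False, "reason": "message tampered with"}
        pan, _expiry = _ctr_xor(self._key, nonce, ct).decode().split("=")
        if not luhn_ok(pan):
            return {"approved": False, "reason": "invalid card"}
        return {"approved": True, "token": self._tokenize(pan)}

    def refund(self, token: str) -> bool:
        """Later transactions reference the token; the PAN is resolved only here."""
        return token in self._vault


def merchant_flow(terminal: Terminal, acquirer: Acquirer, pan: str, expiry: str) -> dict:
    """Everything the merchant's POS and host ever handle: the encrypted request
    and the tokenized response. The PAN itself never appears in this record."""
    msg = terminal.swipe(pan, expiry)        # leaves the device already encrypted
    resp = acquirer.authorize(msg)           # merchant host relays msg unchanged
    return {"request": msg, "response": resp}


def leaks_pan(record: dict, pan: str) -> bool:
    """True if the PAN appears anywhere in what the merchant stored."""
    return pan in json.dumps(record)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # assumed to be shared out of band
    term, acq = Terminal(key), Acquirer(key)
    rec = merchant_flow(term, acq, "4111111111111111", "2512")   # constructed test card
    print("approved:", rec["response"]["approved"], "token:", rec["response"]["token"])
    print("merchant record contains PAN:", leaks_pan(rec, "4111111111111111"))
```

The point of the simulation is the scope boundary: the merchant record holds a nonce, ciphertext, a tag and a token, so a compromise of the POS or the host database yields nothing that can be used as a card number, while refunds and repeat purchases still work by token. A real deployment would additionally need per-device key management and a cipher approved by the card brands, which this stand-in does not provide.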
