I was at Visa's Foster City headquarters recently. The EMV Migration Forum meeting was taking place. I'm looking forward to hearing what came out of what looked to be a well attended event. I ran into Paul Tomasofsky, president of the Remote Payments Security Council, who is working with EFT operators who own the knotty problem of EMV, debit cards, and PIN handling in the US.
But my purpose was to talk about encryption, Visa's new Consumer Authentication Service, and to get a little background on V.me. This post is about encryption.
End to End Encryption
I spoke with Phil Kumnick, Head of Acquirer Processing. Our topic was end-to-end encryption (E2EE) and point-to-point encryption (P2PE).
In August, Visa announced Merchant Data Secure with Point-to-Point Encryption, a service that will be made available to merchants through acquirers. With an approach that uses existing standards, format preserving encryption, and multi-zone encryption, the network is entering a space with no little competition.
Phil said one of its reasons for entering the market now was the end of the wait for the PCI DSS to firm up its hardware-based encryption standards. Its hardware approach is based on the broadly deployed TDES encryption algorithm and DUKPT key management scheme, the most commonly installed terminal hardware security scheme out there. Visa's approach is also meant to be interoperable with terminals using Voltage Security's IBE, VeriShield Protect from VeriFone, and others.
Visa's offer supports zone-based encryption. Zones provide flexibility. In one example Phil gave, a merchant could use a home-grown encryption scheme between its terminals and its central system. In the next zone, the connections between the enterprise switch and the acquirer could be based on Voltage Security's IBE method. The next zone, into the Visa network, would use Visa's scheme.
Visa's longer term view is not just for encryption. It includes tokenization. Given the rising density of dynamically generated signals - from EMV to mobile devices - that are associated with each transaction, the PAN itself can become a token once there is ubiquitous use of dynamic data for all risk scoring and fraud management. The transaction ID field, for example, could be made mandatory as an additional dynamic data element. In that future, the PAN alone will no longer have value. Obviously, given how early we are with dynamic data, the "PAN as token" is some ways off.
The company plans to take a similar approach with software-based encryption, waiting for the PCI SSC to solidify its approach, now expected some time in 2013. The wait-and-see approach is to ensure the Visa offering would be fully in compliance with the PCI standards.
From my point of view, software-based encryption is a key tool if risk assessment is based on the layered approach that relies on the net risk posture calculated from multiple signals. Obviously, software-based encryption schemes will have significantly easier deployment hurdles, important especially for consumer uptake of mobile apps with embedded payment capabilities. But, as the amount of sensitive data increases, so does the need for hardware-based approaches.
My Takeaways
Long term, this has important implications for mobile transactions. Dynamic data based on all kinds of available signals, not just payments-related data, will let us make the important distinction between cardholder-present and simple card-present transactions. If Phil knows to a very near certainty that George is the one using his mobile phone to conduct a transaction, Phil's risk in approving it drops accordingly. You could even argue, quite successfully, that this rich-data mobile context could be more secure than the magstripe. If not today, it won't be long before that claim can be made.
Into Other Lines of Business
The acquiring industry's been nervous about what the card brands were going to do once they became public companies. Guessed at for a long time, it's now become a certainty that the card giants, and Visa in particular, will offer a widening array of acquiring functions to acquirers to help accelerate key capabilities deployment in the marketplace. Encryption is one of them. Tokenization is another.
The extent to which the incumbents should be nervous, however, is debatable. Visa operates a network, it sets technical standards for connecting to that network, and it manages the rules that govern the network. That's a very different discipline than providing technical services directly to the acquiring industry, itself principally based on services. Larger issuers, too, have long-standing relationships with their service providers, over whom they exert considerable power. Purchasing acquiring-side services from a traditional revenue provider makes some issuers uneasy. At the least, the contrasting combination of Visa's traditional functions and its nascent services set is producing some skepticism. Visa will have challenges in pushing further into the services business.
On Format Preserving Encryption
Format preserving encryption (FPE) is a key feature for smoothing deployment of encryption services in applications that make use of the 16-digit PAN structure. Often, the vendor's method retains the first six digits and the last four digits in the clear, to facilitate routing (based on the first six) and receipting (the last four). That leaves just six digits for obfuscation.
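As an added illustration (not Visa's or any vendor's code), the following toy Python scheme keeps the first six and last four digits of a constructed 16-digit PAN in the clear and runs a keyed Feistel network over the middle six digits, using the clear digits as a tweak. The key, the test PAN and the HMAC-based round function are assumptions, and this is a teaching construction, not the NIST FFX/FF1 mode or Visa's scheme.

```python
import hmac
import hashlib

# Toy format-preserving scheme for the middle six PAN digits (constructed
# illustration; not NIST SP 800-38G FF1/FF3 and not Visa's scheme).
# The 6-digit BIN prefix and 4-digit suffix stay in the clear, as the post describes.
ROUNDS = 10          # Feistel rounds over the six middle digits
HALF = 3             # each Feistel half is three decimal digits
MOD = 10 ** HALF     # arithmetic is done modulo 1000 to stay within digits

def _round_fn(key: bytes, rnd: int, tweak: bytes, half: str) -> int:
    """Keyed round function: HMAC-SHA256 over (round, tweak, half), reduced mod 1000."""
    msg = bytes([rnd]) + tweak + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % MOD

def _feistel(key: bytes, six: str, tweak: bytes, encrypt: bool) -> str:
    """Balanced Feistel network over two 3-digit halves; decryption runs rounds backwards."""
    left, right = six[:HALF], six[HALF:]
    if encrypt:
        for rnd in range(ROUNDS):
            left, right = right, f"{(int(left) + _round_fn(key, rnd, tweak, right)) % MOD:03d}"
    else:
        for rnd in reversed(range(ROUNDS)):
            left, right = f"{(int(right) - _round_fn(key, rnd, tweak, left)) % MOD:03d}", left
    return left + right

def _split(pan: str):
    """Return (first six, middle six, last four) after validating the 16-digit shape."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit numeric PAN")
    return pan[:6], pan[6:12], pan[12:]

def fpe_encrypt(key: bytes, pan: str) -> str:
    bin6, middle, last4 = _split(pan)
    tweak = (bin6 + last4).encode("ascii")   # clear-text context is bound into the ciphertext
    return bin6 + _feistel(key, middle, tweak, True) + last4

def fpe_decrypt(key: bytes, protected_pan: str) -> str:
    bin6, middle, last4 = _split(protected_pan)
    tweak = (bin6 + last4).encode("ascii")
    return bin6 + _feistel(key, middle, tweak, False) + last4

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # assumption: demo key
    pan = "4111111111111111"                             # constructed test PAN
    protected = fpe_encrypt(key, pan)
    print(pan, "->", protected, "->", fpe_decrypt(key, protected))
```

Because only six digits change, the protected field has just one million possible values and a fixed key maps a given PAN to the same output every time, so such a scheme on its own does not hide whether two records hold the same card.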
The variability of FPE approaches is such that even the National Institute of Standards and Technology (NIST) is working on an FPE-related standard:
"NIST is currently developing an addition to the 800-38 series of Special Publications, which will specify schemes for format preserving encryption based on the FFX framework. NIST is also considering specifying an online authenticated encryption mode to support Smart Grid as another addition to the series."
Visa as a service provider has to compete, at least in the US, with a number of acquiring processors and approaches for the encryption business. The specifics of Visa's encryption and tokenization plans are not without critics. The format preserving encryption approach that Visa suggests cannot be used, at least according to Voltage Security, for storage. Clarifying that concern will be required because no one wants to deal with multiple format preserving encryption standards within the enterprise's walls. Life is already complicated enough.
Given the continuing evolution of standards, everyone should be keeping a close eye on the NIST efforts. The PCI SSC issues strongly worded suggestions. NIST provides technical standards.