Thanks to PCI and EMV we have come a long way from the days when both retailers and criminals had complete control over customer card data, but I can't help thinking: when is enough, enough? As we all know there is a danger in both under- and over-insuring your property, so shouldn't retailers be approaching PCI with the same caution? More importantly, who is it that decides you have enough security in place?
The QSA industry is obviously one that is needed in the market, but I am sure some people find it slightly unnerving that QSAs all act independently and could potentially have different interpretations of the PCI Council guidelines. Does this mean retailers are in danger of being too secure?
I am sure some people would argue that there is no such thing as being too secure, but I beg to differ. You could cover your car in many layers of bubble wrap, but it would mean you wouldn't be able to get in to drive it. Is end-to-end encryption (E2EE) the payments equivalent of this?
I have no doubt that E2EE is going to fit the needs of some retailers, but is it the answer for everyone? It certainly is the buzzword in the industry at the moment, but I feel it leaves a lot of unanswered questions. For example, what is the "end"? Is it the processing system or the bank? Where does the decryption take place, and who manages the encryption keys at both ends? The system is only as secure as the keys used in the encryption, and if these are held by the retailer then they are not out of PCI scope. These are just some of the things a retailer is going to have to think about if they are hoping E2EE is a "get out of PCI free" card.
The harsh reality is that there is no quick and easy way to take away retailers' PCI compliance requirements. They are still going to have to go through PCI compliance, no matter what solution they have in place. They just need to make sure that the solution they choose not only gives them the tick in the PCI box today, but will still do so in the next five or even ten years, and doesn't cost them too much to maintain.
There certainly are alternatives to E2EE in the marketplace at the moment. There are solutions that are fluid and adaptable to new payments technologies if retailers want to launch new value-added services at the point of sale. This is something that could prove very difficult and costly to do with battened-down E2EE.
A retailer should be able to go through the PCI experience in a relatively pain-free manner, while keeping the flexibility they need within their payments infrastructure. At the end of the day PCI compliance is the real issue, and E2EE is just one approach which could help if managed correctly, but there will be a price to pay. Retailers need to make an informed decision about the best payments infrastructure for their business, and it falls to thought leaders like us and the financial institutions to assist, before they replace everything on a whim.