Ahh, back to thinking about Prague.  I can almost taste the goulash!

End to End Encryption (E2EE) is widely discussed, but its effects are largely misunderstood by merchants looking for relief from the burdens of complying with PCI or government rules and regulations.  Merchants have approached me asking if implementing E2EE will eliminate their liability and PCI responsibility. This exact question was asked in Prague during the Q&A session.

Probability and Measure, by John-Morgan


The first issue here is E2EE is not likely a reality we will see anytime soon.  Remember the ends we are dealing with here.  End the first is the device reading the payment instrument, and the other end is the issuing bank (or issuing processor) that ultimately approves the transaction.  All of those switches

More likely, E2EE is really POS/PED to Acquirer Encryption (P2AE maybe?), whereby large segments of the merchant's environment could be deemed out of scope.  That's the most logical implementation for merchants looking to maximize their scope reduction possibilities.  That said, it may not be the best financial decision for a merchant depending on their current setup.  If the merchant is already looking at a hardware refresh for their POS population, maybe deploying encryption from the POS to the Acquirer would be sufficient to remove huge parts of the network from scope.  One customer of mine was able to implement something similar and remove tens of thousands of devices from scope.

The owner of the merchant ID[1] is ultimately responsible for PCI compliance, and will be fined in the case of a breach.  Merchants that own the merchant ID and use a P2AE solution would still be the primary investigation focus if the payment brands see suspicious activity.  Obviously an acquirer or processor suffering a breach, like a Heartland, will focus on that financial institution directly.  That said, if a mistake at a processor caused a breach at ONE merchant, that merchant will most likely have to rely on their contract with their processor to recover losses.

The liability is still there if the merchant owns the merchant ID, but the probability of a breach declines dramatically as more security is built into the overall setup. Several processors are now offering solutions where they indemnify merchants in the case of a breach as long as they have deployed that particular processor's E2EE solution.

Does it cost more than doing the work internally?  Yes.  Is it potentially better for the business overall to outsource payment processing (something not normally considered a core competency) and pay the few extra points to offload management and responsibility?  Probably.

E2EE (or P2AE) is a great tool to add to your arsenal, but as with everything else in our industry, there is no such thing as a silver bullet (or free lunch).

This post originally appeared on BrandenWilliams.com.

  [1] Which may not always actually be a merchant!  Think outsourced payment provider.