Alliance Backs Contactless Cards as Encryption Option

As a number of companies push various strategies for the end-to-end encryption of payment card data, the Smart Card Alliance weighed in Monday with what it considers a simpler alternative: wider use of contactless cards.

The alliance, a multi-industry trade group in Princeton Junction, N.J., argues that contactless cards, which are already widely available in this country, make it unnecessary to store static information on cards' magnetic stripes and eliminate a weak link in the system, because contactless chip cards already incorporate dynamic cryptograms that change with each transaction.

"If the stakeholders make the investment and put end-to-end encryption in place, will they have put a steel door on a grass hut?" the report asked. "The answer is yes. End-to-end encryption still leaves the United States with a payments infrastructure that has a glaring weakness — the magnetic stripe."

Others respond that mag-stripe cards dominate the U.S. market, and that the expense of issuing more contactless cards and installing more contactless readers would exceed the expense of upgrading merchants' card-acceptance terminals with devices containing encryption algorithms.

Randy Vanderhoof, the Smart Card Alliance's executive director, said wider use of contactless cards also would begin to move the United States in the same direction as the rest of the developed world, where chip-and-PIN transactions that meet the EMV Integrated Circuit Card Specifications are emerging as the dominant global standard.

"We should be putting our effort and our investment into expanding the use of chip cards, because they introduce this dynamic data which make the information running through the system useless to thieves," Vanderhoof said in an interview Monday.

Accredited Standards Committee X9 Inc. of Annapolis, Md., the forum for standard-setting in the financial industry, began looking at the issue of end-to-end encryption in April. But as of the start of this month the committee had not decided whether a standard or a technical report is needed. Another open question is whether to build a standard on top of the Payment Card Industry Data Security Standard administered by the PCI Security Standards Council LLC of Wakefield, Mass., or to make encryption an independent project, the alliance said in its report.

Others are not persuaded by the alliance's position. Steven M. Elefant, the chief information officer at Heartland Payment Systems Inc., said his company plans to introduce in the fourth quarter a new merchant terminal, the E3, that encrypts card data at the point of acceptance; the information can remain encoded until it reaches the card networks.

Heartland, a transaction processor in Princeton, N.J., announced a massive breach in January, and has since become aggressive in pushing for encryption of all card information.

"The bad guys have gotten really smart. They look for the weak points at the edges" of existing security systems, Elefant said in an interview. "The end-to-end encryption that Heartland is offering embraces the vast majority of cards that are out there."

Less than 1% of cards in force in the United States contain chips, Elefant said, citing estimates that the cost of converting the U.S. payments infrastructure to EMV could run to $30 billion.

"That's the problem. Somebody's got to pay for all that."

VeriFone Holdings Inc. of San Jose is pursuing its own plan for point-of-sale terminals with data encryption, but a spokesman, Pete Bartolik, said the processor supports migration to chip cards.

"VeriFone believes that good security requires multiple layers or facets and should not just rely on a single technology. Cardholder information needs to be fully secure regardless of whether it originates from a chip card or a mag-stripe card," Bartolik wrote in an e-mail.

"Even in Europe where chip cards have been deployed, we are talking to acquirers and retailers who believe that end-to-end encryption is needed to more fully protect cardholder data," Bartolik said. "The major threat to cardholder data is the ability to access corporate networks and capture cardholder data that is in transit or 'at rest' in retailer systems."
