Community
Randy Vanderhoof of the Smart Card Alliance speaks a great deal of common sense about end-to-end encryption. It won't do anything to prevent replay attacks, nor to take the value out of stolen ID data. All it does is protect data-at-rest at intermediaries, and data-in-motion through a portion of the payment processing chain. So the black market in stolen account details will not be impacted.
The fundamental problem with end-to-end encryption, unsurprisingly, is at the ends. The point at which stolen card data can be injected at merchants is not protected by E2EE.
Randy's analogy that E2EE "may be more akin to putting a steel door on a grass hut" is evocative but not quite right. A more telling comparison would be using an armoured car to transfer cash from a merchant to the bank, but leaving the cash in a cardboard box for collection on the sidewalk outside the shop. The card payments system remains vulnerable to attack at the interface between merchant and processor. E2EE won't stop the sorts of attack mounted by organised crime at large merchants (like TJMaxx); all it does is mitigate against heists occurring within the processors. So as a "risk management" measure, it's very selective as to whose risk it manages. E2EE might have the unintended consequence of making merchants more attractive as targets for ID thieves. What then? Perhaps another cycle of more yet more onerous PCI requirements?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Muhammad Qasim Senior Software Developer at PSPC
22 October
Mete Feridun Chair at EMU Centre for Financial Regulation and Risk
John Reese Business Analyst | Platform Growth Expert at Hashcodex
Alex Kreger Founder and CEO at UXDA Financial UX Design
21 October
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.