Everybody’s Coupling With Encryption Alliances
Written by Evan SchumanAs the retail industry quickly moves to embrace some kind of tokenization, middle-to-middle encryption or a related scheme to reduce how long card data is lying around retail networks waiting to be stolen, vendor alliances are popping up like crabgrass. (By the way, don’t say anything nasty about crabgrass. It’s the only thing on my lawn that will grow.)
You’ll note, however, that no one is announcing deployments by major retailers or releasing detailed trial results showing that any of this stuff actually works. Vendor alliances are easy because no one has to show or do anything for them. That said, these partnerships are a start.
On Tuesday (Oct. 27), Chase Paymentech, VeriFone and Semtek said they would be working together on middle-to-middle encryption. Also on Tuesday, Voltage Security pushed its middle-to-middle encryption tactics by stating that it would be opening its encryption package to all POS vendors (as if anyone expected the company to refuse to accept money from any POS vendor offering it?) and a “zero-cost licensing program for integration” of its technology.
“It will be no cost to do the port and no cost when they distribute the device,” said Wasim Ahmad, Voltage’s vice president, Marketing. Given that Voltage had never intended—nor was it expected—to charge for those services, it seems an odd announcement.
Rounding out the latest alliances is a pledge from Hypercom and Heartland Payment Systems to jointly push the Heartland encryption package.
-Dan Stiel
October 30th, 2009 at 12:30 pm
[Semtek has a commercial interest in the topic under discussion]
I’m not exactly sure what point you are trying to make here, diminishing vendors in the end to end space by suggesting that they are middle to middle not end to end, etc. This battle of terminology (end to end v. point to point v. middle to middle) is completely besides the point and confuses the end game with practical progress. As long as the network end keeps consolidating towards the top, the industry is making substantial headway. Don’t let the perfect be the enemy of the good! As one of our clients likes to say “as long the end is not my (rear) end, I’m in a better place.”
It is also a bit too cynical to insinuate the none of these systems have been deployed. Semtek, as a matter of policy, does not disclose the names of their clients and we are certainly not alone in that practice. Semtek has deployed these systems on a large scale, the installations have all passed new ROC’s, and are meeting all expectations. I assume other vendors are in a similar spot. I understand that this lack of merchant identification is frustrating to journalists and analysts, but there are bigger issues at stake than who gets credit.
October 30th, 2009 at 12:55 pm
Editor’s Note: Thanks for the comment, Patrick, but I think you’re seeing words (or implications) that simply aren’t there.
You reference “diminishing vendors in the end-to-end space.” I can’t speak for others, but the story you referenced absolutely did not diminish anyone. It merely stood firm to some reasonable definitions. A major processor, Fifth Third, has discussed true end-to-end encryption, where the card is encrypted at the point the plastic card is manufactured and it stays encrypted through the consumer, through the retailer and doesn’t get unencrypted until it arrives at the processor. THAT’s end-to-end encryption. It’s confusing to refer to something else as end-to-end. The term we’ve heard used is middle-to-middle, which seems appropriate. Middle-to-middle is the best approach being actively deployed today so we’re certainly not diminishing it. But we’re not going to call it something it’s not. Fair is fair.
I wholeheartedly agree that we shouldn’t let the perfect be the enemy of the good. But by the same token (play on words intended), we’re not going to start calling “the good” by the term “the perfect” just because it will make the makers of “the good” feel better.
You also expressed the concern that the story seems “to insinuate that none of these systems have been deployed.” Not at all. If you read the story again, I think you’ll find no such insinuation. But again, we have to be honest. We hear a lot of vendor claims and we’re hearing nothing from retailers deploying. We all know why and we’re not quarreling with that. But a judge has to make rulings based on what is before her, even if there might be a very good reason (trade secrets, military secrets, fear of cross-examination, self-incrimination, etc.) why those details haven’t been presented. In reporting on these events, it’s important to put them into context that we haven’t heard about specific deployments. No one is saying that they don’t exist, but until we can drill down into those details, we have to be careful about the claims being made.
October 30th, 2009 at 4:05 pm
If anyone is “diminishing vendors in the end to end space,” it would be Semtek’s partner and major investor, Verifone, by choosing litigation over innovation to compete against Heartland’s “substantial headway.”