VeriFone Holdings Inc. has struck a deal with payment processor RBS WorldPay Inc. to promote VeriFone's technology for end-to-end encryption of payment card data.
The agreement, announced Tuesday, comes about eight months after Atlanta-based RBS WorldPay disclosed that personal information of about 1.5 million pre-paid cardholders and other individuals was compromised when its computer system was hacked. The stolen data was used in a highly coordinated ATM scam.
According to San Jose, Calif.-based VeriFone, RBS WorldPay is the first merchant acquirer to endorse a commercial end-to-end encryption solution. Heartland Payment Systems Inc., which reported that it was breached Jan. 20, earlier this year began developing its own encrypted end-to-end terminal product for payment card security. Last week, Heartland Chairman and CEO Robert Carr said the product is being beta tested at 10 merchant locations.
The VeriFone Protect technology uses AES-level encryption to protect card data at the point of card swipe at the point-of-sale device. VeriFone said the product preserves existing card track data formats to work with retailers' existing payment infrastructure.
"RBS WorldPay merchants and prospects are telling us they want to significantly reduce the impact of PCI compliance on their business - and they want a solution their processor endorses," RBS WorldPay President and CEO Ian Stuttard said in a prepared statement.
Diana Kelley, founder and partner at consulting firm SecurityCurve, said she was heartened to see advances in end-to-end encryption.
"Encrypting sensitive card information on swipe and keeping it encrypted through to final target destination is a reliable way to protect data in transit," she said. "Encryption on swipe really should have been supported by POS vendors and financial institutions from the time when POS swipe first came to retail."
This kind of solution helps prevent sniffer attacks like the 2005 breach at payment processor CardSystems Solutions, in which attackers put a tap on the network to steal card numbers, Kelley said. However, while end-to-end encryption raises the bar in payment card security, it's not the end of card protection requirements, she added.
"Depending on architecture and implementation, this would not necessarily prevent 'final destination' attacks on a central database where card numbers are stored. In that scenario, even if the numbers are stored in the database encrypted, an attacker with the right credentials and keys could decrypt the stored data and use the card numbers," Kelley said.
RBS WorldPay is the U.S.-based payment processing division of the Royal Bank of Scotland Group plc. The company did not immediately respond to a request for comment Tuesday.