With End-to-End Encryption, Whose End Is Getting Protected?

In a piece last week, we talked about a series of future security offerings that Visa is pushing, including a comment from a Fifth Third Bank executive that end-to-end encryption has logistical challenges, especially "a tremendous key management issue." Although many readers posted comments on the story, some security specialists wrote in privately, fearful of challenging the processors they're working with. But some of the comments were interesting enough that I wanted to share some of them with you anonymously. One reader argued that Fifth Third's resistance had much less to do with making life easier for retailers and more to do with minimizing the processor's own liability. "Fifth Third sees a major transfer of card fraud liability shifting exclusively to them from the merchant who traditionally has (effectively) 100 percent of the liability. This dynamic would leave Fifth Third (and all acquirers) as the sole liability holder for all card fraud," wrote one reader. "I can understand their concern. It is rational and it is well-founded." That reader also questioned Visa's ideas about taking a card's digital image and using it to authentify the card. "Last time I checked, (such a digital fingerprint) would be 54 bytes. Tell me how appending that large of a message set to Track II data can be 'transparent' to a merchant. There is a reason why a very good technology like (the digital signature) hasn't gotten traction. Same reason why conventional encryption hasn't gotten traction: it's too disruptive to implement. Good news is that VISA understands the value of this approach. Bad news is that VISA is (once again) pushing a solution that the merchants will reject due to cost." The reality is that all of these approaches have their pluses and minuses—like everything else—and that all of the players have their public reasons for supporting approaches and their private reasons. But we still applaud Visa and Fifth Third for at least trying to think creatively. There's no question that the processors—and Visa and, for that matter, Wal-Mart, Macy's and Target—have their own objectives. But if security is going to be improved before federal officials try and legislate the issue to death, we're going to need creative approaches. Even expensive, time-consuming and inefficient approaches can be better than nothing new. We certainly wouldn't suggest that retailers assume that Visa or Fifth Third are operating with the retailers' best interests in mind, but if the ideas are workable, it's at least a very good start.