Is Heartland's End-to-End Move The First Shot In A Processor Lock-In War?

Back in the late 80s, when I was covering the Unix area, much of the activity involved anti-competitive moves from one vendor to the next. Indeed, those folk did a lot more fighting than they did inventing or selling, which is why Microsoft never sweated Unix much.

In those days, proprietary was a bad word, suggesting a vendor ploy to lock-in IT departments to have to stick with their products because it became too expensive to switch. Open systems, packages that could theoretically work with a lot of other systems, was the better approach.

Today, you don't hear much about open systems and proprietary is a word tossed around by vendors with barely a hint of yesteryear's unpleasantness. Indeed, Heartland itself is describing its proposed end-to-end encryption approach as proprietary.

Is that necessarily a bad thing? As my colleague, Dave Taylor, eloquently articulates in this week's column about the Heartland move, Heartland's hardware-connected-with-card-reader approach will not be alone for very long. At least two other major processors are also preparing to unveil end-to-end encryption offerings.

Heartland's approach is based on the licensed technology from several vendors—including Voltage Security—along with a healthy dose of code written by salaried Heartland programmers, said Heartland spokesperson Jason Maloni.

From the retail perspective, is this mostly good? The good part is that, without a doubt, the likely result of all of these processor moves will be much strong security. After all, that's primarily what a processor is supposed to do: Get the transaction from point A to point B without mucking it up along the way.

A retailer generally doesn't crave a lot of value-add from its payment processors. In the friendliest way possible, the merchant attitude is "Just do your job and stay out of my way." But with more aggressive data breach artisans out there, retailers need the processors to do more to protect them. So from that perspective, these developments are very good news.

That all said, processors need to be profit-making businesses. Today, merchants can switch processors fairly easily. It's a pain, of course, but it can be done. One critical net effect of these end-to-end enhancements is that it will make it much more difficult for retailers to switch processors.

"Switching out processors is something (retailers) now do on a relatively regular basis," said Wasim Ahmad, VP/Marketing for Voltage Security. "Solutions that involve bolt-on-hardware raise those switching costs."

To that extent, these moves could make it more difficult for retailers to negotiate the best terms after the initial contract. How much pain is a retail IT exec willing to endure to avoid a 10 percent rate hike? Or slower tech response? The harder it is to leave a supplier, the less incentive that supplier has to, well, earn its swipes every day.

There's a broader issue, however. Any material improvement in security is likely to involve non-trivial infrastructure changes. In short, it would require changes that will make it harder to switch.

The answer to this would rest with the PCI Council, the NRF and other industry players. If standards can be worked out so that the security enhancement devices are all interoperable, that would address the question. Of course, interoperability invariably means "weaker approach." It means that a programmer can't necessarily craft the best thing they can because it now must be in accordance with the standard.

Heartland has been fond of saying that they are deploying these enhancements to stay one step ahead of the bad guys. The key question: Which bad guys are they thinking about? Cyber thieves or rival processors?