Live from NRF: Can Heartland's E3 End-to-end Encryption MSR Wedge Eliminate PA-DSS Scope for Developers?
Coalfire Systems, an independent Payment Card Industry (PCI) Qualified Security Assessor (QSA), released a security assessment validating that Heartland Payment Systems' E3 end-to-end encryption magnetic stripe reader (MSR) wedge can take a point-of-sale (POS) application out of scope for the Payment Application Data Security Standard (PA-DSS). PA-DSS exists to eliminate insecure payment applications that store prohibited data elements, such as full magnetic stripe (track) data, CVV2 and PIN data, and to ensure that payment applications support merchants' PCI DSS compliance. Because the E3 wedge encrypts the card data at the moment of swipe, plaintext cardholder data never reaches the payment application; an application that never handles plaintext card data has nothing to store or protect, which is what allows it to be removed from PA-DSS scope. Coalfire's assessment ties that outcome to specific deployment conditions: the application must not store the encrypted data locally; it must not support any other payment system or card-data path alongside E3; and the merchant must not possess, or be able to access, the decryption keys anywhere in its retail or corporate environments. A deployment that violates any of these conditions does not get the full scope elimination.
Coalfire's assessment also documents that the E3 wedge can reduce a merchant's PCI DSS scope by up to 69 percent, measured as the share of PCI DSS controls that are reduced or removed from scope when the E3 MSR wedge is deployed as specified. Fewer in-scope controls mean a smaller, cheaper compliance assessment and validation for the business owner. Last month, Coalfire released a separate assessment that found similar scope reduction for Heartland's standalone E3 terminal.
Commercially launched in November 2010, Heartland's E3 wedge encrypts sensitive cardholder data inside a tamper-resistant security module (TRSM), the same class of hardware used in PIN-entry debit devices, so the plaintext exists only inside the reader. Heartland developed the wedge to give merchants with computer-based POS systems a range of security options and to address the wave of data breaches in the retail and hospitality industries, two of the "Big Three" breach-affected sectors because of their heavy reliance on POS systems. According to the 2010 Verizon Business Data Breach Investigations Report, retail and hospitality account for 15 and 23 percent, respectively, of investigated data breaches.
Coalfire also determined:
- A properly deployed E3 wedge solution significantly reduces the risk of cardholder data compromise and is one of the most effective data security controls available to merchants today.
- The E3 wedge's use of Format Preserving Encryption (FPE), which produces ciphertext in the same format as the original card data so existing POS fields and interfaces keep working, meets industry standards for cryptographic algorithm selection and key strength as well as Visa's best-practice guidance.
- Its Identity-Based Encryption (IBE) key management removes most of the key-management burden that merchants have encountered with other endpoint encryption solutions: the merchant never holds a decryption key, so there is no key on the POS or in the merchant environment to provision, rotate, or lose to an attacker.