Reducing Payment Card breach risks in e-commerce without impacting the consumer interaction

It’s sad to see yet another data breach like this one, especially for online shoppers as in this case. But the good news is there are ways to reduce the impact. One technique that mitigates this risk is end-to-end encryption from the browser to the processing host at the merchant, or to a secure payment acquirer. Techniques like Page-Integrated Encryption, for example, enable this end-to-end model and are already used by the world’s largest e-commerce processors and merchants for card-not-present risk reduction and compliance. With this approach, cardholder data is encrypted under a one-time random key in the browser (mobile, desktop, etc.) automatically, protecting the data in transit beyond the point where SSL/TLS terminates, so the load balancer, web server, app server and so on never see cardholder data. Only the trusted host can decrypt it. This can be implemented very quickly, and it isolates sensitive data from the higher-risk environments that sit between the browser and the host.

When implemented correctly and validated, this approach can both limit the scope of applicable PCI controls and, more importantly, provide another simple, no-nonsense way to mitigate the risk of cardholder data breaches. There are no silver bullets, but with the right technology the risk as reported can be shifted dramatically in the merchant’s favor without disrupting the business and consumer flow, something that EMV, consumer wallets, and other approaches cannot do. Transparency for consumers (no change to the checkout experience) is critical, and expected in today’s one-click-to-buy competitive e-commerce landscape.


Mark Bower

VP Products & Solutions

Voltage Security
