Comments on: Everybody’s Coupling With Encryption Alliances http://storefrontbacktalk.com/securityfraud/everybodys-coupling-with-encryption-alliances/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Sun, 20 May 2012 01:49:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: PCI Guy http://storefrontbacktalk.com/securityfraud/everybodys-coupling-with-encryption-alliances/comment-page-1/#comment-64095 PCI Guy Fri, 30 Oct 2009 20:05:09 +0000 http://www.storefrontbacktalk.com/?p=4127#comment-64095 If anyone is "diminishing vendors in the end to end space," it would be Semtek's partner and major investor, Verifone, by choosing litigation over innovation to compete against Heartland's "substantial headway." If anyone is “diminishing vendors in the end to end space,” it would be Semtek’s partner and major investor, Verifone, by choosing litigation over innovation to compete against Heartland’s “substantial headway.”

]]> By: Evan Schuman http://storefrontbacktalk.com/securityfraud/everybodys-coupling-with-encryption-alliances/comment-page-1/#comment-64091 Evan Schuman Fri, 30 Oct 2009 16:55:02 +0000 http://www.storefrontbacktalk.com/?p=4127#comment-64091 Editor's Note: Thanks for the comment, Patrick, but I think you're seeing words (or implications) that simply aren't there. You reference "diminishing vendors in the end-to-end space." I can't speak for others, but the story you referenced absolutely did not diminish anyone. It merely stood firm to some reasonable definitions. A major processor, Fifth Third, has <a href="http://www.storefrontbacktalk.com/securityfraud/post-pci-visa-experiments-with-more-secure-card-strategies/" rel="nofollow">discussed true end-to-end encryption, where the card is encrypted at the point the plastic card is manufactured</a> and it <i>stays</i> encrypted through the consumer, through the retailer and doesn't get unencrypted until it arrives at the processor. THAT's end-to-end encryption. It's confusing to refer to something else as end-to-end. The term we've heard used is middle-to-middle, which seems appropriate. Middle-to-middle is the best approach being actively deployed today so we're certainly not diminishing it. But we're not going to call it something it's not. Fair is fair. I wholeheartedly agree that we shouldn't let the perfect be the enemy of the good. But by the same token (play on words intended), we're not going to start calling "the good" by the term "the perfect" just because it will make the makers of "the good" feel better. You also expressed the concern that the story seems "to insinuate that none of these systems have been deployed." Not at all. If you read the story again, I think you'll find no such insinuation. But again, we have to be honest. We hear a lot of vendor claims and we're hearing nothing from retailers deploying. We all know why and we're not quarreling with that. But a judge has to make rulings based on what is before her, even if there might be a very good reason (trade secrets, military secrets, fear of cross-examination, self-incrimination, etc.) why those details haven't been presented. In reporting on these events, it's important to put them into context that we haven't heard about specific deployments. No one is saying that they don't exist, but until we can drill down into those details, we have to be careful about the claims being made. Editor’s Note: Thanks for the comment, Patrick, but I think you’re seeing words (or implications) that simply aren’t there.
You reference “diminishing vendors in the end-to-end space.” I can’t speak for others, but the story you referenced absolutely did not diminish anyone. It merely stood firm to some reasonable definitions. A major processor, Fifth Third, has discussed true end-to-end encryption, where the card is encrypted at the point the plastic card is manufactured and it stays encrypted through the consumer, through the retailer and doesn’t get unencrypted until it arrives at the processor. THAT’s end-to-end encryption. It’s confusing to refer to something else as end-to-end. The term we’ve heard used is middle-to-middle, which seems appropriate. Middle-to-middle is the best approach being actively deployed today so we’re certainly not diminishing it. But we’re not going to call it something it’s not. Fair is fair.
I wholeheartedly agree that we shouldn’t let the perfect be the enemy of the good. But by the same token (play on words intended), we’re not going to start calling “the good” by the term “the perfect” just because it will make the makers of “the good” feel better.
You also expressed the concern that the story seems “to insinuate that none of these systems have been deployed.” Not at all. If you read the story again, I think you’ll find no such insinuation. But again, we have to be honest. We hear a lot of vendor claims and we’re hearing nothing from retailers deploying. We all know why and we’re not quarreling with that. But a judge has to make rulings based on what is before her, even if there might be a very good reason (trade secrets, military secrets, fear of cross-examination, self-incrimination, etc.) why those details haven’t been presented. In reporting on these events, it’s important to put them into context that we haven’t heard about specific deployments. No one is saying that they don’t exist, but until we can drill down into those details, we have to be careful about the claims being made.

]]> By: Patrick Hazel http://storefrontbacktalk.com/securityfraud/everybodys-coupling-with-encryption-alliances/comment-page-1/#comment-64089 Patrick Hazel Fri, 30 Oct 2009 16:30:40 +0000 http://www.storefrontbacktalk.com/?p=4127#comment-64089 [Semtek has a commercial interest in the topic under discussion] I'm not exactly sure what point you are trying to make here, diminishing vendors in the end to end space by suggesting that they are middle to middle not end to end, etc. This battle of terminology (end to end v. point to point v. middle to middle) is completely besides the point and confuses the end game with practical progress. As long as the network end keeps consolidating towards the top, the industry is making substantial headway. Don't let the perfect be the enemy of the good! As one of our clients likes to say "as long the end is not my (rear) end, I'm in a better place." It is also a bit too cynical to insinuate the none of these systems have been deployed. Semtek, as a matter of policy, does not disclose the names of their clients and we are certainly not alone in that practice. Semtek has deployed these systems on a large scale, the installations have all passed new ROC's, and are meeting all expectations. I assume other vendors are in a similar spot. I understand that this lack of merchant identification is frustrating to journalists and analysts, but there are bigger issues at stake than who gets credit. [Semtek has a commercial interest in the topic under discussion]

I’m not exactly sure what point you are trying to make here, diminishing vendors in the end to end space by suggesting that they are middle to middle not end to end, etc. This battle of terminology (end to end v. point to point v. middle to middle) is completely besides the point and confuses the end game with practical progress. As long as the network end keeps consolidating towards the top, the industry is making substantial headway. Don’t let the perfect be the enemy of the good! As one of our clients likes to say “as long the end is not my (rear) end, I’m in a better place.”

It is also a bit too cynical to insinuate the none of these systems have been deployed. Semtek, as a matter of policy, does not disclose the names of their clients and we are certainly not alone in that practice. Semtek has deployed these systems on a large scale, the installations have all passed new ROC’s, and are meeting all expectations. I assume other vendors are in a similar spot. I understand that this lack of merchant identification is frustrating to journalists and analysts, but there are bigger issues at stake than who gets credit.

]]>