End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws

Safari Kasiyanto

    Research output: Contribution to journal › Special issue › Scientific › peer-review



    Various security breaches at third-party payment processors show that online payment systems are the primary target for cyber-criminals. In general, the security of online payment systems relies on a number of factors, namely technical factors, processing factors, and legal factors. The industry does its best to strengthen the technical and processing factors, while the government has been called upon to improve the legal factors. However, breaches of consumers' data and the financial losses resulting from such breaches keep occurring. Findings from forensic audits show that most online payment systems, such as those using credit and debit cards as their instruments, have a weak point that leaves the systems vulnerable to hacking. This weak point concerns the so-called financial data in transit, which are not fully encrypted. Encryption is indeed employed within the systems, but only on certain networks. The industry's standards, as reflected in codes of conduct, only oblige the players to encrypt financial data transmitted on the public network, and not on their private networks. On top of that, laws and regulations often leave a vacuum when it comes to regulating encryption. Thus, although seen as the strongest method so far to prevent breaches, end-to-end encryption has not been fully implemented. Why does the industry seem reluctant to implement end-to-end encryption? What do the laws say on this, and would it be appropriate for the law to impose such an obligation for the sake of consumer protection? This paper tries to shed light on these issues. To investigate the industry's reluctance, this paper discusses the security of online payment systems and the nature of retail payment systems. As for the laws and regulatory frameworks, this paper outlines and focuses on the EU level. Online payment systems using credit or debit cards are used as the main example in this paper, as such methods are much more mature than the others. However, special attention is drawn to innovative payments such as mobile payments and virtual currencies, as the security issues of such innovative payments have given rise to regulatory challenges.
    Original language: English
    Article number: 3
    Pages (from-to): 99-126
    Number of pages: 28
    Volume: 2015 Special Edition
    Issue number: Jean Monnet Modul
    Publication status: Published - 26 Mar 2016


    • encryption
    • online payments
    • payment systems
    • Technological uncertainty
    • security breaches

