What Is End-to-End Encryption and Why You Really Need It

In 2018, there were more than 600 data breaches in the U.S. that put customers’ information at risk. And studies show that anywhere from 43 to 60 percent of cyber attacks are those that target small and midsize businesses.

There are a number of data security measures that small businesses should put in place to protect their businesses (and customer information) against attacks. One of those is working with partners and using products that employ end-to-end encryption (E2EE).


What is end-to-end encryption?

End-to-end encryption is a way of securing a line of communication so that no third party can read the data while it is in transit. The data is encrypted before it leaves the sender, and only the sender and the intended recipient hold the key that decrypts it. In that way, E2EE helps mitigate risk and protect sensitive information by keeping third parties away from user data as it moves from one place to another.

So, how does E2EE work?

At the basic level, encryption starts with cryptography: the discipline of designing codes and ciphers, which supplies the algorithms that keep the information encrypted.

To transfer the data, the sender uses an encryption key, which scrambles the information. Only a recipient with the corresponding key can unscramble it. There are two kinds of encryption, distinguished by how their keys are used: symmetric and asymmetric.

Let’s look at this in terms of payments. When a consumer uses a credit card at a business, the data from that card is encrypted as soon as the data enters the payment system at a point of sale. It remains encrypted until it reaches the processor or acquirer and is then decrypted.

What are asymmetric and symmetric encryption?

Symmetric encryption, the more conventional mode of encryption, uses the same key to encrypt and decrypt information, so both parties must already share that key.

Asymmetric encryption uses a pair of keys instead of a single shared one. This is a newer, more complex form of encryption: the public key is genuinely public, and anyone can use it to encrypt a message for its owner, but only the matching private key, which the owner keeps secret, can decrypt that message.

What are the benefits and challenges of E2EE?

One advantage of end-to-end encryption is that it is a security measure built into your hardware and software. You don't have to think about it: your data is protected, and no one can access it except the intended recipient.

But there are challenges that come with E2EE. Mainly, while it protects information in transit between sender and recipient, it doesn't protect those endpoints themselves.

For example, your email uses end-to-end encryption to send messages, but that doesn’t stop a bad actor from trying to access the endpoint—your inbox.

Square not only encrypts payments with E2EE but also uses two-factor authentication to protect business owners’ accounts.

What are other methods to keep your data safe?

Beyond E2EE, there are other types of data encryption:

  • Transport Layer Security (TLS), the modern successor to Secure Sockets Layer (SSL), is the standard for protecting data on the web. You'll see URLs that start with https:// instead of http://; the extra "s" stands for "secure." This layer of security protects data moving between your website and its visitors, and also signals to customers that you are protecting them.
  • Tokenization means substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. The token has no meaning or value on its own; it only serves to map back to the sensitive data. This helps keep your business safe because an attacker who obtains the token cannot derive the original data from it.
  • An elliptic curve integrated encryption scheme (ECIES) is a system that independently derives a bulk encryption key and a MAC (message authentication code) key from a "common secret" established with elliptic-curve key agreement. The data is encrypted under a symmetric cipher, and the resulting ciphertext is then authenticated with a MAC so that any tampering is detected before decryption.
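The following example, added to this article and not Square's code, ties together the symmetric/asymmetric section above and the ECIES bullet: an ECIES-style hybrid scheme in which the recipient's asymmetric key pair (on the secp256k1 curve, an assumption made for the demonstration) establishes a common secret, HKDF derives an independent bulk-encryption key and MAC key from it, the data is encrypted under a symmetric cipher, and the ciphertext is authenticated with a MAC that is verified before anything is decrypted. It uses only the Python standard library; the HMAC-SHA256 counter keystream is a stand-in for AES-CTR, which the standard library lacks, and the function and label names are this example's own.

```python
# ECIES-style hybrid encryption over secp256k1, standard library only (added example).
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (public constants of the curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Scalar multiplication by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def encode_point(pt):
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def decode_point(data):
    if len(data) != 65 or data[0] != 4:
        raise ValueError("bad point encoding")
    x, y = int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big")
    if (y * y - x * x * x - 7) % P != 0:
        raise ValueError("point is not on the curve")  # reject invalid-curve inputs
    return (x, y)

def generate_keypair():
    """Asymmetric pair: private scalar d (kept secret) and public point Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def hkdf_sha256(ikm, info, length=64):
    """HKDF (RFC 5869) with a zero salt: independent keys from the common secret."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keystream_xor(key, data):
    """Symmetric bulk cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for
    AES-CTR). The key is single-use, one fresh ECDH secret per message, so no nonce."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def ecies_encrypt(recipient_pub, plaintext):
    """Output: ephemeral public key R (65 bytes) || ciphertext || 32-byte MAC tag."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    shared_x = ec_mul(r, recipient_pub)[0]  # common secret: x-coordinate of r*Q = r*d*G
    km = hkdf_sha256(shared_x.to_bytes(32, "big"), b"ecies-demo")
    k_enc, k_mac = km[:32], km[32:]
    ct = keystream_xor(k_enc, plaintext)
    tag = hmac.new(k_mac, encode_point(R) + ct, hashlib.sha256).digest()
    return encode_point(R) + ct + tag

def ecies_decrypt(priv, message):
    """Verify the MAC first, then decrypt. Raises ValueError on any tampering."""
    if len(message) < 65 + 32:
        raise ValueError("message too short")
    r_bytes, ct, tag = message[:65], message[65:-32], message[-32:]
    shared_x = ec_mul(priv, decode_point(r_bytes))[0]  # d*R = d*r*G: the same secret
    km = hkdf_sha256(shared_x.to_bytes(32, "big"), b"ecies-demo")
    k_enc, k_mac = km[:32], km[32:]
    expected = hmac.new(k_mac, r_bytes + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: ciphertext was modified")
    return keystream_xor(k_enc, ct)

if __name__ == "__main__":
    d, Q = generate_keypair()  # recipient's long-term key pair; only Q is shared
    box = ecies_encrypt(Q, b"constructed sample: card data captured at the terminal")
    print(ecies_decrypt(d, box))
```

Only the public key Q ever leaves the recipient, which is what lets a payment terminal encrypt for a processor it has never exchanged a secret with; the MAC-before-decrypt order is what turns "encrypted" into "encrypted and tamper-evident".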
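To make the tokenization bullet concrete, here is an added example (not Square's implementation) of a token vault: the card number is replaced by a token whose digits are random apart from the last four, so nothing about the original can be derived from the token, and mapping it back requires access to the vault. The in-memory dictionaries and the test card number 4111 1111 1111 1111 are assumptions for the demonstration; a production vault would be an access-controlled, encrypted store.

```python
# Token vault: replace a card number (PAN) with a random token (added example).
import re
import secrets

def luhn_valid(digits):
    """Luhn checksum, the check-digit scheme payment card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

class TokenVault:
    """Maps tokens back to the sensitive values they replace.

    The token is random, so it cannot be reversed without this mapping: a stolen
    table of tokens leaks nothing about card numbers. The vault is the one
    sensitive store and is what must be locked down (here: plain dicts, an
    assumption for the demo)."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # same card -> same token, so repeat customers are recognised

    def tokenize(self, pan):
        pan = re.sub(r"\D", "", pan)
        if not 12 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits for receipts; every other digit is random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must not collide with an existing one, equal the real PAN, or
            # pass Luhn, so it can never be mistaken for (or charged as) a card number.
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only code holding the vault can do this; the token alone is worthless."""
        return self._token_to_pan[token]

if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111 1111 1111 1111")  # well-known test number, not a real card
    print(t, vault.detokenize(t))
```

Because the token keeps the last four digits, receipts and customer service still work without the vault, while the systems that store order history never see a real card number.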

Why do you need to keep your data secure?

Data security is essential to protecting customers’ private information such as passwords, debit or credit card information, mailing addresses, or birthdays. Data security measures — such as using products and services that employ encryption — mitigate the risk of a breach.

A study by the U.S. National Cyber Security Alliance found that 60 percent of all small businesses that suffer a cyber attack go out of business within six months of the breach. Financial difficulties are a common consequence of a data breach: recovery costs money, and customers are often slow to come back.

How Square provides end-to-end encryption

Having the right software is a crucial first step to protecting your customers' data. Square has software built in-house to secure data every time a payment is made at your store.

To protect Square account holders and their customers, all information entered by our customers is encrypted and submitted to our servers securely. Square also provides physical and network security, web and client application security, and organizational security.

Here are some of the key highlights of Square’s offerings:

  • Fully encrypted: Square performs data encryption within the card reader at the moment of swipe. Sensitive data is encrypted using industry-standard methods when stored on disk or transmitted over public networks.
  • Secure data transfer: Only standard, well-reviewed cryptographic protocols and message formats (such as SSL and PGP) are used when transferring data. Security updates and patches are installed on servers and equipment in a timely fashion.
  • PCI compliance: Card-processing systems adhere to PCI Data Security Standard (PCI-DSS), Level 1. Card numbers, magnetic-stripe data, and security codes are not stored on Square client devices.
  • Data control: Access to sensitive data, including application data and cryptographic keys, is strictly controlled on a need-to-know basis. Two-factor authentication and strong password controls are required for administrative access to systems.
  • Preparedness: Detailed incident response plans have been prepared to ensure proper protection of data in an emergency.
