Litan notes that end-to-end encryption has already gotten underway in Spain among merchants and their processors. One element critical to its success there, she says, is keeping encryption key management simple for merchants.

In the United States today there is no established standard for end-to-end encryption of payment-processing networks. But Heartland is hoping to rally the industry around one based on the Advanced Encryption Standard (AES) that it's proposing to the Accredited Standards Committee X9 (ASC X9) in early June.

Accredited by the American National Standards Institute (ANSI) to work on standards for the financial-services industry, ASC X9 is expected to take up work on developing a new standard to protect cardholder data. But that could take years, Carr points out, and in the meantime the cyber-crooks aren't standing still.

Carr acknowledges that Heartland's plans to defend its network through encryption and its own ideas about an end-to-end encryption standard may not be fully in sync with current requirements for card security set by the . 

This Wakefield, Mass., organization for several years has established technical security standards known as the PCI Data Security Standard set, which are referenced by banks and card associations, such as Visa and MasterCard, often as part of annual security reviews of any business handling payment cards.