Visa Announces New Data Encryption Practices

Data Field Encryption Touted as Supplement to Current Measures Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the Heartland Payment Systems breach.

Announced by the global credit card company on Monday, these best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear."

Visa's Jennifer Fischer, senior business leader in the card company's risk area, says encryption is not being touted as a silver bullet for anyone, "But we see it as a way to supplement and help, in many cases, augment existing security measures."

Data field encryption can be another layer to enhance a merchant's security by eliminating any clear text data either in storage or in flight.

In addition to issuing these encryption best practices, Visa is chair of the ANSI X9F6 standards working group and is helping to develop a much-needed industry data field encryption standard. Fischer notes that Visa is also working with the Payment Card Industry Security Standards Council in reviewing its recent study by PriceWaterhouseCooper on emerging technologies use in the payments industry. Encryption was cited as one of the top four emerging technologies being looked at within the payment stream to protect data.

Fischer says while standards are being worked out, "These best practices help merchants, vendors and others by bringing together best practices that are already out there."

Visa's best practices are designed to help organizations:

Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption;
Use robust key management solutions consistent with international and/or regional standards;
Use key-lengths and cryptographic algorithms consistent with international and/or regional standards;
Protect devices used to perform cryptographic operations against physical/logical compromises;
Use an alternate account or transaction identifier for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.

It's important to note, that sensitive authentication data such as full contents of the magnetic strip, CVV2, PIN/PIN block should not be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.

While data field encryption applies after the card is swiped and throughout the merchant's environment, encryption solutions between acquirer processors and Visa would further reduce the value of card data to criminals.

Visa accepts encrypted transaction data from acquirers, third-party processors and merchants directly connected to VisaNet. Visa has offered an authorization and settlement encryption solution since early 2008, and the service is available to direct connect clients.

Fischer points out that encryption is only one layer of security and should not be viewed as a replacement to PCI-DSS. "Merchants considering encryption need to weigh the pros and cons of this for their business, and at this point is it up to individual merchants to decide if it is compatible with their existing security set up," she says.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.