Visa Announces New Data Encryption Practices
Data Field Encryption Touted as Supplement to Current Measures
Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the Heartland Payment Systems breach. Announced by the global credit card company on Monday, these best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the "clear."
Visa's Jennifer Fischer, senior business leader in the card company's risk area, says encryption is not being touted as a silver bullet for anyone, "But we see it as a way to supplement and help, in many cases, augment existing security measures."
Data field encryption can be another layer to enhance a merchant's security by eliminating any clear text data either in storage or in flight.
In addition to issuing these encryption best practices, Visa chairs the ANSI X9F6 standards working group and is helping to develop a much-needed industry data field encryption standard. Fischer notes that Visa is also working with the Payment Card Industry Security Standards Council in reviewing its recent study by PricewaterhouseCoopers on the use of emerging technologies in the payments industry. Encryption was cited as one of the top four emerging technologies being looked at within the payment stream to protect data.
Fischer says while standards are being worked out, "These best practices help merchants, vendors and others by bringing together best practices that are already out there."
Visa's best practices are designed to help organizations:
It's important to note that sensitive authentication data, such as the full contents of the magnetic stripe, CVV2 and the PIN/PIN block, should not be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.
While data field encryption applies after the card is swiped and throughout the merchant's environment, encryption solutions between acquirer processors and Visa would further reduce the value of card data to criminals.
Visa accepts encrypted transaction data from acquirers, third-party processors and merchants directly connected to VisaNet. Visa has offered an authorization and settlement encryption solution since early 2008, and the service is available to direct connect clients.
Fischer points out that encryption is only one layer of security and should not be viewed as a replacement for PCI-DSS. "Merchants considering encryption need to weigh the pros and cons of this for their business, and at this point it is up to individual merchants to decide if it is compatible with their existing security set up," she says.