Visa creates guidance for merchants wanting to encrypt
Visa on Monday released a best practices document for merchants considering adoption of end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing.
The guidance is meant to fill a temporary void until industry standards are established by the American National Standards Institute, Jennifer Fischer, senior business leader in Visa's payment system risk division, told SCMagazineUS.com on Monday.
"We felt it was important to provide [help] for those companies clearly looking for guidance today," she said. "I think a lot of merchants are looking for that next solution that is going to be a longer-term data security step."
The document calls on merchants to achieve five goals when deploying end-to-end, or data field, encryption: limit clear-text cardholder and authentication data; use robust key management solutions that meet international standards; use recognized cryptographic algorithms; protect devices used to perform cryptographic functions; and consider technologies, such as tokenization, that replace any card numbers that must be stored with unique identifiers (tokens).
Visa does not require any merchants to store card numbers, but some merchants require it for certain business functions, such as recurring subscriptions, Fischer said. Meanwhile, some acquiring banks/processors mandate that their retail customers store the numbers for processes such as chargebacks.
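The tokenization goal above, as an added example that is not part of Visa's document or this article: a minimal, hypothetical token vault in which the merchant's own systems keep only a random token plus the last four digits (enough for recurring billing and receipts), while the PAN-to-token mapping lives solely in the vault. The token format (a leading "9", no Luhn validity so it cannot be mistaken for a real card number) is an assumption of this example, not something Visa specifies.

```python
import secrets
from typing import Dict


def luhn_ok(number: str) -> bool:
    """Luhn check used to reject malformed PANs before tokenizing."""
    if not number.isdigit() or len(number) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the only place the PAN is ever kept.

    Tokens are random, so nothing about the PAN can be recovered from a
    stolen token without access to the vault itself.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:      # same card -> same token (recurring billing)
            return self._pan_to_token[pan]
        while True:
            # Assumed format: '9' + 11 random digits + last four of the PAN.
            token = "9" + "".join(secrets.choice("0123456789") for _ in range(11)) + pan[-4:]
            # Reject collisions and any candidate that happens to pass Luhn.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (in PCI scope) can map a token back to its PAN."""
        return self._token_to_pan[token]   # KeyError for unknown tokens
```

The merchant's subscription database would store only the returned token; the vault, or a provider operating one, is the component that remains in PCI DSS scope.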
Avivah Litan, Gartner vice president and distinguished analyst, said Monday that more merchants are investigating the merits of end-to-end encryption. Some are considering it as a means for preventing data breaches, but most are looking at it as a way to reduce the number of requirements of the Payment Card Industry Data Security Standard (PCI DSS) that they must meet.
"I just had a call with a major global retailer today," Litan told SCMagazineUS.com on Monday. "They all want to limit the scope of PCI DSS compliance. They want a reduced set of requirements."
The PCI Security Standards Council, which manages the guidelines, is reviewing a report from PricewaterhouseCoopers that investigated a number of emerging technologies that could be used to reduce PCI compliance scope. The next version of the PCI DSS is due out late next year.