Visa creates guidance for merchants wanting to encrypt

Visa on Monday released a best practices document for merchants considering adoption of end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing.

The guidance is meant to fill a temporary void until industry standards are established by the American National Standards Institute, Jennifer Fischer, senior business leader in Visa's payment system risk division, told SCMagazineUS.com on Monday.

"We felt it was important to provide [help] for those companies clearly looking for guidance today," she said. "I think a lot of merchants are looking for that next solution that is going to be a longer-term data security step."

The document calls on merchants to achieve five goals when deploying end-to-end, or data field, encryption: (1) limit clear-text cardholder and authentication data; (2) use robust key management solutions that meet international standards; (3) use recognized cryptographic algorithms; (4) protect devices used to perform cryptographic functions; and (5) consider technologies, such as tokenization, that replace card numbers that must be stored with unique identifiers.

Visa does not require any merchants to store card numbers, but some merchants require it for certain business functions, such as recurring subscriptions, Fischer said. Meanwhile, some acquiring banks/processors mandate that their retail customers store the numbers for processes such as chargebacks.
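The tokenization goal above is easiest to see in code. What follows is an added illustration written for this page, not Visa's guidance, a PCI standard or any vendor's product: a minimal token vault that hands the merchant a random surrogate for the card number, so recurring billing or chargeback lookups can key off the token while the clear-text PAN never lands in the merchant's own database. The `TokenVault` class, the token format (twelve random digits followed by the card's real last four) and the sample card number are all assumptions made for the example.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Basic input check: digits only, plausible length, Luhn checksum passes."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical service-side vault. Only this component ever sees a PAN.

    Tokens are random, not derived from the PAN, so a stolen token table
    reveals nothing about the underlying card numbers. The same PAN always
    maps to the same token so the merchant can use it as a stable identifier.
    A production vault would encrypt the PAN store at rest under HSM-managed
    keys; that layer is omitted here to keep the example short.
    """

    def __init__(self) -> None:
        self._token_by_pan: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("rejected: not a plausible card number")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        while True:
            # Assumed format: 12 random digits + real last four, so receipts
            # and support staff can still reference the card by its last four.
            token = f"{secrets.randbelow(10**12):012d}" + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Vault-side only: used when forwarding a recurring charge to the
        processor. The merchant application should have no path to this call."""
        return self._pan_by_token[token]

def merchant_store_card(pan: str, vault: TokenVault) -> dict:
    """What the merchant persists for a customer: token and last four, no PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": pan[-4:]}

if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample value; a well-known Luhn-valid test number, not a real card.
    record = merchant_store_card("4111111111111111", vault)
    print(record)                      # e.g. {'card_token': '...1111', 'last4': '1111'}
    # Recurring charge months later: merchant sends the token, vault resolves it.
    print(vault.detokenize(record["card_token"]) == "4111111111111111")
```

The point of the split is scope: the merchant's systems hold only `card_token` and `last4`, so a compromise of the merchant database yields no usable card numbers, and the PCI DSS controls that attach to stored PANs apply to the vault rather than to the merchant's application tier.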

Avivah Litan, Gartner vice president and distinguished analyst, said Monday that more merchants are investigating the merits of end-to-end encryption. Some are considering it as a means for preventing data breaches, but most are looking at it as a way to reduce the number of requirements of the Payment Card Industry Data Security Standard (PCI DSS) that they must meet.

"I just had a call with a major global retailer today," Litan told SCMagazineUS.com on Monday. "They all want to limit the scope of PCI DSS compliance. They want a reduced set of requirements."

The PCI Security Standards Council, which manages the guidelines, is reviewing a report from PricewaterhouseCoopers that investigated a number of emerging technologies that could be used to reduce PCI compliance scope. The next version of the PCI DSS is due out late next year.
