Visa published a set of best practices this week for end-to-end encryption in the payment card industry as work on global standards continues.
Visa released a document this week with best practices for end-to-end
encryption in a bid to help early adopters and encryption vendors
while industry standards are being developed.The document, available here,
is meant to give organizations something to think about as they
evaluate or deploy data field encryption. Essentially a stopgap until
the American National Standards Institute develops guidelines for the payment card industry, the document provides best practices in five main areas:
cleartext availability of cardholder data and sensitive authentication
data to the point of encryption and the point of decryption.
- Using robust
key management solutions consistent with international and/or regional
key-lengths and cryptographic algorithms consistent with international
and/or regional standards.-
Protecting devices used to perform cryptographic operations against
Using an alternate account or transaction identifier for business
processes that requires the primary account number to be utilized after
authorization, such as processing of recurring payments, customer
loyalty programs or fraud management."While
no single technology will completely solve fraud, data field encryption
can be an effective security layer to render cardholder data useless to
criminals in the event of a merchant data breach," said Eduardo Perez,
global head of data security at Visa, in a statement. "Using encryption
as one component of a comprehensive data security program can enhance a
merchant's security by eliminating any clear text data either in
storage or in flight."Perez added that while investing in data field encryption is valuable, it is only a compliment to compliance with
the Payment Card Industry Data Security Standard - not a replacement.
Still, there has been an increase in calls for encryption as a means to
better security, particularly as data breaches at prominent
companies have become common items in news reports. Following the
breach at Heartland Payment Systems for example, the company began
pushing for industry-wide of end-to-end encryption."Given the
interest expressed by merchants and processors, guidance from the card
brands is a critical determinant in figuring out how to move ahead with
encrypting data in transit, especially absent a global standard," said
Avivah Litan, an analyst at Gartner, in a statement. "Companies should
also be aware that if data is decrypted anywhere in their system, they
are still at risk for a data breach."
Learn how to achieve greater operational efficiency and automation in your data center networks. Read the Gartner report "Emergence of Ethernet Fabric Will Push Users to Rethink Their Data Center Physical Switch Networks" and start simplifying and automating your networks today.