Visa released a document this week with best practices for end-to-end encryption in a bid to help early adopters and encryption vendors while industry standards are being developed.
The document, available here, is meant to give organizations something to think about as they evaluate or deploy data field encryption. Essentially a stopgap until the American National Standards Institute develops guidelines for the payment card industry, the document provides best practices in five main areas:
- Limiting cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
- Using robust key management solutions consistent with international and/or regional standards.
- Using key-lengths and cryptographic algorithms consistent with international and/or regional standards.
- Protecting devices used to perform cryptographic operations against physical/logical compromises.
- Using an alternate account or transaction identifier for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
"While no single technology will completely solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security at Visa, in a statement. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight."
Perez added that while investing in data field encryption is valuable, it is only a compliment to compliance with the Payment Card Industry Data Security Standard - not a replacement. Still, there has been an increase in calls for encryption as a means to better security, particularly as data breaches at prominent companies have become common items in news reports. Following the breach at Heartland Payment Systems for example, the company began pushing for industry-wide of end-to-end encryption.
"Given the interest expressed by merchants and processors, guidance from the card brands is a critical determinant in figuring out how to move ahead with encrypting data in transit, especially absent a global standard," said Avivah Litan, an analyst at Gartner, in a statement. "Companies should also be aware that if data is decrypted anywhere in their system, they are still at risk for a data breach."