The Green Sheet Online Edition

October 26, 2009  •  Issue 09:10:02


Visa prefers data-field encryption

When Visa Inc. speaks, the payments industry listens. The world's largest card brand issued a global best practices paper advising all merchants that accept electronic payments to consider installing data-field encryption technology on their private networks as a necessary complement to the Payment Card Industry (PCI) Data Security Standard (DSS).

In the paper, available at, Visa makes five main recommendations:

According to Eduardo Perez, Senior Business Leader, Payment System Risk, Visa, the card brand's announcement comes at a time when merchants are looking for guidance on what technologies should be utilized to protect data.

"Really, the intent of these best practices is to provide a foundation, or a primer, for merchants considering these solutions on how to implement them and then how to evaluate them after the fact once they've been implemented," Perez said. "So the goal here is to support merchants and ultimately [enable them] to effectively deploy the use of encryption solutions within their payment card environment."

Visa's 'end-to-end'

Data-field encryption is also known as end-to-end encryption. The technology is seen by many in the industry as a necessary safeguard against data theft since encrypted data is useless to fraudsters if they don't have the key to decrypt it.

End-to-end encryption is defined as starting at the point of swipe, when cardholder data is encrypted. That data remains encrypted as it is routed from the merchant's private network, then over the public network through to the acquirer's back-end system, where the data is decrypted for processing. But Visa said data-field encryption gives a more specific definition of what needs to be encrypted. It defines the exact cardholder information (data fields) that should be encrypted at the point of swipe. For example, the paper states that the first six digits of the primary account number need not be encrypted for routing purposes, while the middle section of numbers should be encrypted.
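The field layout the paper describes, as an added illustration that is not Visa's code or code from this article: the BIN stays in the clear so the transaction can be routed, the middle digits are encrypted at the point of swipe, and only the acquirer's back end, which holds the key, can recover the full number. The use of AES-GCM, the function names, and keeping the last four digits readable are assumptions of this example, not statements from the paper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// EncryptedPAN is what travels to the acquirer: BIN (first six digits) clear for
// routing, middle digits AES-GCM encrypted, last four readable (an assumption).
type EncryptedPAN struct {
	BIN, Last4 string
	Nonce      []byte // fresh per message, sent with the ciphertext
	Ciphertext []byte // encrypted middle digits plus GCM authentication tag
}

// NewPANCipher wraps the shared key; each end sets this up once.
func NewPANCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN runs at the point of swipe, before the data leaves the terminal.
func EncryptPAN(gcm cipher.AEAD, pan string) (EncryptedPAN, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return EncryptedPAN{}, errors.New("PAN must be 13 to 19 digits")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedPAN{}, err
	}
	bin, mid, last4 := pan[:6], pan[6:len(pan)-4], pan[len(pan)-4:]
	// Clear fields go in as associated data, so they are authenticated too:
	// altering the BIN or last four in transit makes decryption fail.
	ct := gcm.Seal(nil, nonce, []byte(mid), []byte(bin+last4))
	return EncryptedPAN{BIN: bin, Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN runs only at the acquirer's back end, where the key is kept.
func DecryptPAN(gcm cipher.AEAD, e EncryptedPAN) (string, error) {
	mid, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.BIN+e.Last4))
	if err != nil {
		return "", err // wrong key, corrupted data or tampered clear fields
	}
	return e.BIN + string(mid) + e.Last4, nil
}
```

A merchant system that only routes the message never needs the key, which is the property the paper's "data in motion" focus relies on; key custody and rotation at the acquirer remain a separate control, as Perez notes below.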


Visa's guidelines do not recommend any specific end-to-end encryption technology provider, nor do they mandate that merchants implement the technology. "What we believe is that it's one complementary way to protect cardholder data," Perez said. "It really emphasizes the need, in fact, for proper data security, because even with encryption, entities will still be required to protect the keys and properly manage those keys, and to ultimately protect cardholder data when it is decrypted or it is in the clear."

While the PCI DSS strives for comprehensive data security - including "data at rest," meaning how it is stored, as well as "data in motion" (data being transmitted) - Visa's data-field encryption recommendation is focused primarily on protecting data in motion, according to Perez.

"Merchants are already using encryption today to meet some portions of the [PCI DSS], specifically to protect cardholder data at rest," he said. "And so this document, while it covers encryption for stored data, it also covers and emphasizes encryption of data in transit.

"That's data that we know that hackers and criminals covet, and so we felt that this was another solution that merchants should consider in combination with their PCI DSS compliance and other security efforts."

A data-in-motion attack is perpetrated via malware (also known as a "sniffer"): malicious software slipped inside a merchant's or processor's network that picks out cardholder data traveling through the network and transmits it back to fraudsters.

Public versus private

According to Tim Cranny, Chief Executive Officer of Panoptic Security Inc., the current version of the PCI DSS is focused on securing stored data or data transmitted over public networks, not on the security practices for data transmitted within merchants' private networks - from one server to another, for example.

Bob Russo, General Manager of the PCI Security Standards Council (PCI SSC), believes a layered approach to security is the best defense against data breaches.

"Which specific technologies an organization chooses to implement to meet the requirements of the DSS is discretionary," he said.

"Organizations seeking to deploy security technologies must recognize that secure implementation is as important as the decision to implement itself."

Russo reported that the PCI SSC is currently in the feedback process. The council is soliciting opinions from its members to determine how the PCI DSS will evolve. As part of that process, the PCI SSC commissioned market research firm PricewaterhouseCoopers to review the impact of emerging technologies on the scope of the PCI DSS.

The next step in the process will be a review of the research findings at the council's next community meeting, which will take place in late October 2009 in Prague, Czech Republic.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
