The Green Sheet Online Edition
October 26, 2009 • Issue 09:10:02
Visa prefers data-field encryption
When Visa Inc. speaks, the payments industry listens. The world's largest card brand issued a global best practices paper that advises merchants accepting electronic payments to consider installing data-field encryption technology on their private networks as a complement to the Payment Card Industry (PCI) Data Security Standard (DSS).
In the paper, available at http://corporate.visa.com/_media/best-practices.pdf, Visa makes five main recommendations:
- Limit unencrypted (clear text) data "to point of encryption and point of decryption."
- Use robust key management that is consistent with international or regional security standards, given merchants' geographic footprints.
- Use key lengths and cryptographic algorithms consistent with those same standards.
- Protect cryptographic devices against physical and logical (software or firmware) compromises.
- Use an alternate account or transaction identifier - such as a token in lieu of the original card number - for business processes.
According to Eduardo Perez, Senior Business Leader, Payment System Risk, Visa, the card brand's announcement comes at a time when merchants are looking for guidance on what technologies should be utilized to protect data.
"Really, the intent of these best practices is to provide a foundation, or a primer, for merchants considering these solutions on how to implement them and then how to evaluate them after the fact once they've been implemented," Perez said. "So the goal here is to support merchants and ultimately [enable them] to effectively deploy the use of encryption solutions within their payment card environment."
Data-field encryption is also known as end-to-end encryption. The technology is seen by many in the industry as a necessary safeguard against data theft since encrypted data is useless to fraudsters if they don't have the key to decrypt it.
End-to-end encryption is defined as starting at the point of swipe, when cardholder data is encrypted. That data remains encrypted as it is routed across the merchant's private network, then over the public network, through to the acquirer's back-end system, where it is decrypted for processing. But Visa said data-field encryption gives a more specific definition of what needs to be encrypted: it names the exact cardholder information (data fields) that should be encrypted at the point of swipe. For example, the paper states that the first six digits of the primary account number (the bank identification number, or BIN) need not be encrypted, since they are used for routing, while the digits in the middle of the account number should be encrypted.
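The following is an added illustration of that field split, and of the paper's fifth recommendation (a token in place of the card number for business processes); it is not code from Visa's paper or from The Green Sheet. It keeps the BIN in the clear for routing, encrypts the remaining digits at the point of swipe, binds the clear BIN and the ciphertext together with a MAC so that neither can be altered in transit, and decrypts only on the acquirer side. To stay standard-library only it uses an HMAC-SHA256 keystream (counter mode) with a separate HMAC tag; that construction is only a stand-in for an approved cipher such as AES with keys held in a hardware security module, which is what the paper's key-management and device-protection recommendations call for. The routing table, the key values, the test card number 4111111111111111 and the choice to make tokens deliberately fail the Luhn check are all assumptions made for the example.

```python
# Added example, not Visa's or The Green Sheet's code. Demonstrates data-field
# encryption of a PAN (BIN left clear for routing, remainder encrypted at the
# swipe, decrypted at the acquirer) plus a simple token vault.
# The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen
# so the example runs with the standard library only; it stands in for an
# approved cipher (e.g. AES) with HSM-protected keys in a real deployment.
import hashlib
import hmac
import secrets

BIN_LEN = 6  # digits left in the clear for routing, per the Visa paper


def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed input is rejected before it is ever encrypted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_pan(pan: str, enc_key: bytes, mac_key: bytes) -> dict:
    """Point-of-swipe side: keep the BIN clear, encrypt the rest, MAC both together."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a well-formed PAN")
    bin_part, secret_part = pan[:BIN_LEN], pan[BIN_LEN:].encode()
    nonce = secrets.token_bytes(16)  # fresh per field; reuse would leak the XOR of two PANs
    ct = bytes(a ^ b for a, b in zip(secret_part, _keystream(enc_key, nonce, len(secret_part))))
    # The tag covers the clear BIN too, so a swapped BIN is detected at the acquirer.
    tag = hmac.new(mac_key, bin_part.encode() + nonce + ct, hashlib.sha256).digest()
    return {"bin": bin_part, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def route(record: dict) -> str:
    """Anything between swipe and acquirer needs only the BIN. Routing table is made up."""
    return "visa-acquirer-gateway" if record["bin"].startswith("4") else "other-network"


def decrypt_pan(record: dict, enc_key: bytes, mac_key: bytes) -> str:
    """Acquirer side: verify the tag first, then recover the full PAN."""
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(mac_key, record["bin"].encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("integrity check failed: BIN or ciphertext was altered")
    secret_part = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return record["bin"] + secret_part.decode()


class TokenVault:
    """Fifth recommendation: downstream business processes get a token, never the PAN.
    Tokens here are random digit strings of the same length that deliberately fail
    Luhn (an assumption for this example) so they cannot pass for a real card number.
    The vault holding the mapping remains in scope and must itself be protected."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    pan = "4111111111111111"  # well-known Luhn-valid test number, not a real card
    rec = encrypt_pan(pan, enc_key, mac_key)
    print(route(rec), rec)
    print(decrypt_pan(rec, enc_key, mac_key) == pan)
    print(TokenVault().tokenize(pan))
```

Two points the code makes that the paragraph only implies: the MAC has to cover the clear BIN as well as the ciphertext, otherwise an attacker on the merchant network can re-route a transaction without touching the encrypted digits; and the encryption key and MAC key are separate and never leave the two endpoints, which is exactly where the paper's key-management and key-protection recommendations bite.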
Visa's guidelines do not recommend any specific end-to-end encryption technology providers, nor do they mandate that merchants implement the technology. "What we believe is that it's one complementary way to protect cardholder data," Perez said. "It really emphasizes the need, in fact, for proper data security, because even with encryption, entities will still be required to protect the keys and properly manage those keys, and to ultimately protect cardholder data when it is decrypted or it is in the clear."
While the PCI DSS strives for comprehensive data security - including "data at rest," meaning how it is stored, as well as "data in motion" (data being transmitted) - Visa's data-field encryption recommendation is focused primarily on protecting data in motion, according to Perez.
"Merchants are already using encryption today to meet some portions of the [PCI DSS], specifically to protect cardholder data at rest," he said. "And so this document, while it covers encryption for stored data, it also covers and emphasizes encryption of data in transit.
"That's data that we know that hackers and criminals covet, and so we felt that this was another solution that merchants should consider in combination with their PCI DSS compliance and other security efforts."
A data-in-motion attack is typically carried out with malware known as a "sniffer": malicious software planted inside a merchant's or processor's network that captures cardholder data as it crosses the network and transmits it back to the fraudsters.
Public versus private
According to Tim Cranny, Chief Executive Officer of Panoptic Security Inc., the current version of the PCI DSS is focused on securing stored data or data transmitted over public networks, not on the security practices for data transmitted within merchants' private networks - from one server to another, for example.
Bob Russo, General Manager of the PCI Security Standards Council (PCI SSC), believes a layered approach to security is the best defense against data breaches.
"Which specific technologies an organization chooses to implement to meet the requirements of the DSS is discretionary," he said.
"Organizations seeking to deploy security technologies must recognize that secure implementation is as important as the decision to implement itself."
Russo reported that the PCI SSC is currently in the feedback process. The council is soliciting opinions from its members to determine how the PCI DSS will evolve. As part of that process, the PCI SSC commissioned market research firm PricewaterhouseCoopers to review the impact of emerging technologies on the scope of the PCI DSS.
The next step in the process will be a review of the research findings at the council's next community meeting, which will take place in late October 2009 in Prague, Czech Republic.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.