8/21/2012
11:04 AM
Dark Reading
Products and Releases

Visa To Launch Encryption Service to Help Protect Sensitive Cardholder Data And Improve Merchant Security

Visa encryption service to be available to merchants, acquirers, and processors in 2013

SAN FRANCISCO, Aug. 21, 2012 /PRNewswire/ -- Visa Inc. (NYSE: V) today announced a new service, Visa Merchant Data Secure with Point-to-Point Encryption, to help acquirers and their merchants protect payment card data. Visa will make the service available to acquirers and their merchants by early 2013. Visa is currently working with acquirers, processors and payment technology vendors to provide specifications for integrating Visa's solution into payment terminals as well as into all critical systems across the payment processing industry.

Point-to-point encryption (P2PE) technology helps merchants and acquirers protect payment card data within their systems by encrypting sensitive cardholder information. Because the card data can only be accessed, or unscrambled, with decryption keys held securely by the acquirer, gateway or Visa, cardholder information is protected within the payment processing environment.

"Merchants large and small have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols," said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. "Since encrypted data can't be used to commit fraud, Visa's point-to-point encryption solution can significantly reduce the risk and impact of data compromises."

This solution is part of Visa's broader authentication strategy, which aims to improve payment industry security by eliminating account data from the payment environment whenever possible, protecting sensitive information wherever it is stored, processed or transmitted, and devaluing stolen account information through dynamic authentication solutions such as EMV chip technology. P2PE technology is complementary to EMV chip technology, providing an added layer of protection against the threat of data breaches, especially as the industry works to reach critical mass in the adoption of chip terminals and chip cards to benefit from EMV's defense against counterfeit fraud.

"With Visa's global processing reach and capabilities, we are able to provide an encryption solution that meets the needs of merchants and acquirers who want ease of implementation, flexibility, and effective protection," said Darren Parslow, Global Head of Processing, Visa Inc. "Working in concert, multiple layers of security including point-to-point encryption can help take merchants out of harm's way while mitigating fraud throughout the payment system."

Visa Merchant Data Secure with Point-to-Point Encryption addresses several key merchant and acquirer concerns about encryption:

-- Minimal impact to payment processing systems. Merchants and acquirers can adopt point-to-point encryption with ease because of the minimal impact to existing payment systems. To make the transition as easy as possible, Visa will also offer a "format preserving" option, enabling merchants to integrate point-to-point encryption using a 16-digit encrypted value with their current systems.

-- Consistent, open encryption standard. Visa's encryption solution relies on the same Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are used to encrypt PINs today. This provides a consistent framework for managing keys and minimizes the impact of merchant system updates.

-- Multi-zone encryption. Visa's solution allows for encryption and decryption in multiple zones, providing merchants and acquirers flexibility in how to deploy encryption within their unique environments. Multi-zone encryption can facilitate routing to multiple endpoints, if the merchant is using multiple processors, consistent with how PIN encryption is managed today.

In 2009, Visa developed global industry best practices for encryption to provide guidance to encryption vendors and early adopters. Visa's encryption service is designed to meet Visa best practices as well as the PCI Security Standards Council's P2PE Solution Requirements for reducing the scope of PCI compliance requirements. Visa expects to validate the P2PE service against the PCI requirements by the time it is available to merchants.

Over the coming months, Visa will provide specifications and implementation guides through technical review agreements. Payment technology vendors with PCI P2PE-enabled systems that are interested in supporting the Visa P2PE service should contact P2PE@visa.com for more information.

About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks--VisaNet--that is capable of handling more than 20,000 transaction messages a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit www.corporate.visa.com.
