"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security, Visa Inc. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight," he added.
In addition to issuing encryption best practices, Visa has led efforts to develop a much-needed industry data field encryption standard as chair of the ANSI X9F6 standards working group. Establishing industry-wide standards is essential for ensuring that emerging encryption solutions are open, consistent and enable merchant choice. X9 is the ANSI-accredited committee for financial services that is focused on "standardization for facilitating banking operations." Membership includes financial institutions, vendors, insurance companies, associations, retailers and regulators.
"Given the interest expressed by merchants and processors, guidance from the card brands is a critical determinant in figuring out how to move ahead with encrypting data in transit, especially absent a global standard," said Avivah Litan, Vice President and Distinguished Analyst, Gartner Inc. "Companies should also be aware that if data is decrypted anywhere in their system, they are still at risk for a data breach."
Visa's best practices are designed to help organizations:
It's important to note that sensitive authentication data, such as the full contents of the magnetic stripe, CVV2 and PIN/PIN block, should not be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.
While data field encryption applies after the card is swiped and throughout the merchant's environment, encryption solutions between acquirer processors and Visa would further reduce the value of card data to criminals. Visa accepts encrypted transaction data from acquirers, third-party processors and merchants directly connected to VisaNet. Visa has offered an authorization and settlement encryption solution since early 2008, and the service is available to direct-connect clients.
"Investing in data field encryption is valuable, but should be understood as a complement rather than a replacement for PCI DSS compliance, which remains the best protection against a data compromise," Perez concluded.
# # #
About Visa Inc.: Visa Inc. operates the world's largest retail electronic payments network providing processing services and payment product platforms. This includes consumer credit, debit, prepaid and commercial payments, which are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the world's largest global ATM networks, offering cash access in local currency in more than 200 countries and territories. For more information, visit www.corporate.visa.com.
Sandra Chu Visa Inc. Tel: +1 415 932 2564 E-mail: [email protected]
Jay Hopkins CRC Public Relations, for Visa Inc. 703.683.5004 ext. 107 [email protected]