
8/21/2012
11:04 AM
Dark Reading
Products and Releases

Visa To Launch Encryption Service to Help Protect Sensitive Cardholder Data And Improve Merchant Security

Visa encryption service to be available to merchants, acquirers, and processors in 2013

SAN FRANCISCO, Aug. 21, 2012 /PRNewswire/ -- Visa Inc. (NYSE: V) today announced a new service, Visa Merchant Data Secure with Point-to-Point Encryption, to help acquirers and their merchants protect payment card data. Visa will make the service available to acquirers and their merchants by early 2013. Visa is currently working with acquirers, processors and payment technology vendors to provide specifications for integrating Visa's solution into payment terminals as well as into all critical systems across the payment processing industry.

Point-to-point encryption (P2PE) technology helps merchants and acquirers protect payment card data within their systems by encrypting sensitive cardholder information. Because the card data can only be accessed, or unscrambled, with decryption keys held securely by the acquirer, gateway or Visa, cardholder information is protected within the payment processing environment.

"Merchants large and small have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols," said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. "Since encrypted data can't be used to commit fraud, Visa's point-to-point encryption solution can significantly reduce the risk and impact of data compromises."

This solution is part of Visa's broader authentication strategy, which aims to improve payment industry security by eliminating account data from the payment environment whenever possible, protecting sensitive information wherever it is stored, processed or transmitted, and devaluing stolen account information through dynamic authentication solutions such as EMV chip technology. P2PE technology complements EMV chip technology by providing an added layer of protection against the threat of data breaches, especially as the industry works to reach critical mass in the adoption of chip terminals and chip cards to benefit from EMV's defense against counterfeit fraud.

"With Visa's global processing reach and capabilities, we are able to provide an encryption solution that meets the needs of merchants and acquirers who want ease of implementation, flexibility, and effective protection," said Darren Parslow, Global Head of Processing, Visa Inc. "Working in concert, multiple layers of security including point-to-point encryption can help take merchants out of harm's way while mitigating fraud throughout the payment system."

Visa Merchant Data Secure with Point-to-Point Encryption addresses several key merchant and acquirer concerns about encryption:

-- Minimal impact to payment processing systems. Merchants and acquirers can adopt point-to-point encryption with ease because of the minimal impact to existing payment systems. To make the transition as easy as possible, Visa will also offer a "format preserving" option, enabling merchants to integrate point-to-point encryption using a 16-digit encrypted value with their current systems.
-- Consistent, open encryption standard. Visa's encryption solution relies on the same Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are used to encrypt PINs today. This provides a consistent framework for managing keys and minimizes the impact of merchant system updates.
-- Multi-zone encryption. Visa's solution allows for encryption and decryption in multiple zones, providing merchants and acquirers flexibility in how to deploy encryption within their unique environments. Multi-zone encryption can facilitate routing to multiple endpoints, if the merchant is using multiple processors, consistent with how PIN encryption is managed today.

In 2009, Visa developed global industry best practices for encryption to provide guidance to encryption vendors and early adopters. Visa's encryption service is designed to meet Visa best practices as well as the PCI Security Standards Council's P2PE Solution Requirements for reducing the scope of PCI compliance requirements. Visa expects to validate the P2PE service against the PCI requirements by the time it is available to merchants.

Over the coming months, Visa will provide specifications and implementation guides through technical review agreements. Payment technology vendors with PCI P2PE-enabled systems that are interested in supporting the Visa P2PE service should contact [email protected] for more information.

About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks--VisaNet--that is capable of handling more than 20,000 transaction messages a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit www.corporate.visa.com.
