Visa is preparing to launch an encryption service designed to help merchants, acquirers and processors protect cardholder data.
If this is "complementary" to EMV, it follows that it must be providing more security than EMV does by itself, and in doing so it is protecting against potential EMV data breach risks.
What exactly are the EMV data breach risks that end-to-end encryption will mitigate? Are we being led up the PCI-DSS garden path by the nose once again? Or am I just being stupid?
No, you're not being stupid David, but maybe Visa is :-).
Sounds like Visa is not trusting that their merchants are being PCI-DSS compliant, as one of the requirements is encryption. So, they are helping out by launching the service. Encryption is needed and useful. Some retailers at the POS do not encrypt the transaction and they move the data from POS to register to a main computer with wireless technology, then they encrypt it, or not. Many smaller merchants are not usually sophisticated or knowledgeable, or do not have the staff to do this themselves. So, this is a good thing for Visa to offer. Of course, there is more to compliance than encryption, and while nothing will save us from stupidity or mistakes, this is a step in the right direction.
The extra security being provided is to protect the PAN while it is in transit and defend against threats like skimming. It is a common misconception that EMV will protect the PAN - it does not. The PAN continues to be transmitted in the clear. For a couple of years Visa has been pushing EMV as if it were a silver bullet, but while it will greatly help with lost or stolen and counterfeit card fraud, the risk of stored data breaches will remain. This is a significant admission from Visa that other threats must be considered and defended against with a layered security approach. The next logical step is to mandate both encryption and tokenization, because encryption provides excellent protection of the cardholder data in transit but tokenization is a superior solution for protecting cardholder data at rest or data in use.
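The encryption-versus-tokenization distinction drawn in the comment above is easier to see with a concrete tokenization vault. The following is an added illustration written for this page; it is not code from any commenter, from Visa, or from First Data's product. The vault class, its method names and the token format (same length as the PAN, last four digits preserved, deliberately Luhn-invalid so a token can never be mistaken for a real card number) are this example's own design choices, and the sample PAN is the well-known Visa test number, not real cardholder data. The point it demonstrates is the one the comment makes: after tokenization, the merchant's order records contain nothing a breach could monetise, while the mapping back to the PAN lives only in the vault.

```python
"""Minimal PAN tokenization vault (illustrative; hypothetical API, not a vendor product)."""
import secrets
from typing import Dict, List


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random digits-only token, same length as the PAN, keeping the last four
    digits for receipts/customer service, and deliberately failing Luhn so the
    token cannot be confused with (or used as) a real PAN."""
    last4 = pan[-4:]
    body_len = len(pan) - 4
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
        token = body + last4
        if token != pan and not luhn_valid(token):
            return token


class TokenVault:
    """Hypothetical vault: the only place the PAN <-> token mapping exists.
    In production this would be a separate, tightly controlled system; here it
    is an in-memory dictionary so the example runs stand-alone."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:          # stable token per card
            return self._token_by_pan[pan]
        token = make_token(pan)
        while token in self._pan_by_token:     # extremely unlikely collision
            token = make_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_orders(vault: TokenVault, pans: List[str]) -> List[dict]:
    """What a merchant's order database holds after tokenization: tokens only.
    An attacker who dumps this table gets nothing that works as a card number."""
    return [{"order": i + 1, "card_token": vault.tokenize(p)} for i, p in enumerate(pans)]


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the widely published Visa test PAN (Luhn-valid).
    orders = merchant_orders(vault, ["4111 1111 1111 1111"])
    tok = orders[0]["card_token"]
    print("stored in merchant DB:", tok, "| Luhn-valid:", luhn_valid(tok))
    print("vault resolves to PAN:", vault.detokenize(tok))
```

Note that the vault is still a high-value target: tokenization moves the risk rather than eliminating it, which is why the comment pairs it with encryption in transit and why the vault itself must be kept out of the merchant environment.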
Looks like the guys at First Data smell a sales opportunity - sell the buggers some encryption and whilst we're at it, bundle in some tokenisation. Just tell 'em the PAN is at risk, talk about skimming in the sales blurb and there you go, no one will know any better and we'll be quids in!
They certainly don't seem to have grasped EMV.
© Finextra Research 2016