Voltage Security, the global leader in end-to-end data protection, today announced that Cryptographic Assurance Services, LLC (CAS), a leader in cryptographic compliance consulting, has completed an independent security review of Voltage's innovative Format-Preserving Encryption used in numerous end-to-end encryption implementations around the world.
Voltage End-to-End Encryption, part of the Voltage SecureData product line, conforms to the complete list of Visa's global industry best practices for data field encryption, published on October 5th, 2009. The Visa best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption, also known as end-to-end encryption, protects card information from the swipe to the acquirer processor so that the merchant is no longer processing or transmitting card data in the "clear."
CAS was asked to evaluate Format-Preserving Encryption (FPE) as a mode of the Advanced Encryption Standard (AES). CAS evaluated the mathematical model on which it was based and the associated proofs of security. CAS also reviewed a source-code instantiation of FPE provided by Voltage Security. CAS identified applicable compliance regimes and assessed FPE against them.
In its finding, CAS noted the large body of cryptographic research on which FPE is based, accumulated over decades, and the strength of the mathematical proofs and cryptanalysis. CAS concluded that FPE as implemented in the form of the AES mode FFX3 meets the compliance criteria for PCI DSS v1.2 encryption requirements and for Visa's Data Field Encryption requirements, making Voltage Security's Format-Preserving Encryption solutions suitable for use by organizations needing to comply. AES mode FFSEM is a submode of AES mode FFX and is included in this assessment.