Visa issues guidelines for data field encryption
09 March 2010
Visa Europe, Europe's leading payment system, today launched the industry's first guidance for data field encryption solutions, setting out the minimum security practices needed to help support Payment Card Industry Data Security Standard (PCI DSS) compliance.
The guidelines are based on best practices developed by Visa Europe that will help merchants and other stakeholders in the payments process to evaluate data field encryption solutions. These technologies can help secure card data when it is either being stored or moved and render it useless to fraudsters in the event of a data compromise.
The best practices are based on the following basic security objectives:
· Cardholder and authentication data should only be available at the points of encryption and decryption
· Encryption key management solutions should follow international and/or regional standards
· Key lengths and cryptographic algorithms should follow international and/or regional standards
· Devices used to perform cryptographic operations should be independently assessed to ensure they are protected against compromise
· If cardholder data is needed after authorisation (for example when processing recurring payments, customer loyalty programmes or in fraud management), a transaction ID or token should be used instead of the data itself
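The last objective, using a token rather than the card number itself after authorisation, is illustrated by the following added example. It is not code from Visa Europe or from the guidelines; it is a hypothetical tokenisation vault written here to show the boundary the objectives describe: the PAN is visible only inside the vault (the encryption/decryption point), the token a merchant keeps for recurring payments is random and cannot be turned back into a PAN without the vault, and a merchant-side record never carries the PAN. The class and function names are assumptions, and the card numbers are the well-known test PANs, not real accounts.

```python
import secrets

# Constructed sample input: publicly documented test PANs, not real accounts.
SAMPLE_PANS = ["4111111111111111", "4012888888881881"]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject obviously malformed PANs
    before the vault accepts them for tokenisation."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault standing in for the decryption point.

    Only this object ever holds PANs.  In a real deployment the mapping
    would live inside an independently assessed device (objective 4) and
    be encrypted under keys managed per the relevant standards
    (objectives 2 and 3); the in-memory dicts below are a stand-in for
    that protected store, not a recommendation.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        """Return a token for the PAN, issuing a new random one on first use.

        The token is drawn from a CSPRNG, so it carries no information
        about the PAN and cannot be reversed without this vault.  The same
        PAN always maps to the same token so that recurring payments and
        loyalty lookups work without re-presenting the card.
        """
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenise a malformed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Recover the PAN.  Only the decryption point may call this."""
        return self._pan_by_token[token]


def store_for_recurring(vault: TokenVault, pan: str) -> dict:
    """What a merchant would keep after authorisation: a token and the
    non-sensitive display fragment, never the full PAN."""
    return {"token": vault.tokenise(pan), "last4": pan[-4:]}


def record_exposes_pan(record: dict, pan: str) -> bool:
    """Check that no stored field reproduces the full PAN."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        rec = store_for_recurring(vault, pan)
        print(rec, "exposes PAN:", record_exposes_pan(rec, pan))
```

The design point is that the token's value is unrelated to the card number: a hash or format-preserving transform of the PAN would let an attacker who obtains the tokens attempt offline recovery, whereas a random token reduces the merchant's stored data to a lookup key that is worthless without access to the vault.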
A recent survey by Thales found that 60% of Qualified Security Assessors believe encryption is the most effective means to protect card data. Similarly, an independent report in April 2009 by PricewaterhouseCoopers concluded that data field encryption has the greatest potential as a solution for retailers aiming for PCI DSS compliance.
While some retailers, merchants and banks have been using data field encryption as part of their PCI DSS compliance programmes, uncertainty around how best to adopt it has slowed progress.
Visa Europe's guidelines describe the minimal security practices required to design a robust data field encryption solution that can help satisfy PCI DSS compliance requirements, while reducing the cost of maintaining compliance and offering the flexibility needed to complement existing security measures. With the globally recognised security procedures common to transaction security systems at their core, the guidelines help to support consistent adoption across the industry.
Stanley Skoglund, Senior Vice President Payment System Risk at Visa Europe, said: "While fraud remains at historically low levels, Visa Europe is committed to working with all parties in the payment system to ensure greater levels of security, and to supporting those for whom technologies such as data field encryption and tokenisation are suitable. We have seen considerable innovation with respect to financial institutions and their customers wishing to strengthen their defences against data compromises."
He continued, "We and the other members of the PCI Security Standards Council have worked hard to spur the adoption of compliant systems and we view the adoption of common guidelines on data field encryption as a complementary step in increasing the protection offered to retailers and consumers through PCI DSS."
Neira Jones, Head of Payment Security at Barclaycard Global Payment Acceptance, said, "Barclaycard sees the guidelines as a big step forward in progressing the development and certification of solutions which will help retailers reduce the scope of PCI DSS compliance. Barclaycard is a member of the PCI SSC Advisory Board and is working with key stakeholders in the industry to make PCI DSS compliance easier for the benefit of our customers and the industry as a whole."
Chris K Davies, Chief Operating Officer at HSBC Merchant Services, said, "We fully endorse these guidelines from Visa Europe and feel that they will make a significant contribution to simplifying the challenges faced by our merchants whilst they develop their systems to become PCI DSS compliant. Any guidelines that will further reduce the appeal for fraudsters to target cardholder information can only be a positive step forward."