Industry’s first data field encryption specification guidelines released
March 9, 2010
Visa Europe issues minimum security guidelines for the secure implementation of data field encryption solutions
Visa Europe has launched the industry’s first guidance for data field encryption solutions, setting out the minimum security practices needed to help support Payment Card Industry Data Security Standard (PCI DSS) compliance.
The guidelines are based on best practices developed by Visa Europe, which said they would help merchants and other stakeholders in the payments process to evaluate data field encryption solutions. It added that these technologies could help secure card data both where it is stored and while it is in transit, rendering it useless to fraudsters in the event of a data compromise.
Additional compliance requirements
The best practices are based on the following basic security objectives:
· Cardholder and authentication data should only be available at the points of encryption and decryption;
· Encryption key management solutions should follow international and/or regional standards;
· Key lengths and cryptographic algorithms should follow international and/or regional standards;
· Devices used to perform cryptographic operations should be independently assessed to ensure they are protected against compromise;
· If cardholder data is needed after authorisation (for example, when processing recurring payments, customer loyalty programmes or in fraud management), a transaction ID or token should be used instead of the data itself.
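The last objective above, as an added worked example (not code from the Visa Europe guidelines or from any named vendor): a hypothetical tokenisation service is the only component that holds PANs, while the merchant keeps a random, multi-use token for recurring charges. The token is generated randomly rather than derived from the PAN, because a hash of a PAN can be brute-forced once the BIN and last four digits are known. The component names, the “random twelve digits plus genuine last four” token format and the choice to make tokens Luhn-invalid are assumptions of this example.

```python
"""Tokenisation flow for post-authorisation use of card data (recurring payments,
loyalty, fraud management). Added example, not from the Visa Europe guidelines;
TokenService and Merchant are hypothetical component names."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit validation, used to reject junk input."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenService:
    """The only component that ever sees a PAN after the first authorisation."""

    def __init__(self) -> None:
        # Secret index key: lets the service find the existing token for a card
        # without keeping a plaintext PAN index. It never leaves the service.
        self._index_key = secrets.token_bytes(32)
        self._token_by_index: dict[str, str] = {}   # HMAC(PAN) -> token
        self._vault: dict[str, str] = {}            # token -> PAN
        # A production service would encrypt vault entries under an HSM-managed
        # key; that layer is omitted here to keep the token/PAN split visible.

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a multi-use token for the card (same PAN -> same token)."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # 12 random digits plus the genuine last four, so receipts and fraud
            # screens can still show "ending 1111". Randomness (not a hash or a
            # cipher of the PAN) is what makes the token useless to an attacker.
            token = f"{secrets.randbelow(10 ** 12):012d}{pan[-4:]}"
            # Design choice: reject Luhn-valid candidates so a token can never be
            # mistaken for, or accidentally used as, a real card number.
            if token not in self._vault and not luhn_valid(token):
                break
        self._vault[token] = pan
        self._token_by_index[idx] = token
        return token

    def charge(self, token: str, amount_minor: int) -> dict:
        """Resolve the token inside the service and return an auth record."""
        pan = self._vault[token]          # KeyError for an unknown token
        # ... issuer authorisation using `pan` would happen here ...
        return {"token": token, "last4": pan[-4:], "amount": amount_minor, "approved": True}


class Merchant:
    """Merchant systems: hold tokens, never PANs, after the first purchase."""

    def __init__(self, service: TokenService) -> None:
        self._service = service
        self.cards_on_file: dict[str, str] = {}    # customer id -> token

    def first_purchase(self, customer: str, pan: str, amount_minor: int) -> dict:
        token = self._service.tokenize(pan)  # PAN handed over, not retained
        self.cards_on_file[customer] = token
        return self._service.charge(token, amount_minor)

    def recurring_charge(self, customer: str, amount_minor: int) -> dict:
        return self._service.charge(self.cards_on_file[customer], amount_minor)


if __name__ == "__main__":
    service = TokenService()
    shop = Merchant(service)
    pan = "4111111111111111"             # constructed, widely used test number
    shop.first_purchase("cust-1", pan, 2599)
    print("merchant holds:", shop.cards_on_file["cust-1"])   # token, never the PAN
    print("recurring:", shop.recurring_charge("cust-1", 999))
```

The point to take from the flow is that nothing on the merchant side has a path back to the PAN: the vault and the index key live only in the service, so the first four objectives (key management, algorithms, assessed devices) apply to that one component rather than to every merchant system that needs a card reference.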
A recent survey by Thales found that 60% of Qualified Security Assessors believed encryption is the most effective means to protect card data. Similarly, an independent report in April 2009 by PricewaterhouseCoopers concluded that data field encryption had the greatest potential as a solution for retailers aiming for PCI DSS compliance.
While some retailers, merchants and banks have been implementing PCI DSS compliance programmes that make use of data field encryption, uncertainty around how best to adopt it has slowed progress.
Visa Europe’s guidelines describe the minimum security practices required to design a robust data field encryption solution that can help satisfy PCI DSS requirements, while reducing the cost of maintaining compliance and offering the flexibility needed to complement existing security measures. With the globally recognised security procedures common to transaction security systems at their core, the guidelines are intended to support consistent adoption across the industry.
Payment industry support solid
Stanley Skoglund, payment system risk senior vice president at Visa Europe, said: “While fraud remains at historically low levels, Visa Europe is committed to working with all parties in the payment system to ensure greater levels of security, and to supporting those for whom technologies such as data field encryption and tokenisation are suitable. We have seen considerable innovation with respect to financial institutions and their customers wishing to strengthen their defences against data compromises.”
He continued: “We and the other members of the PCI Security Standards Council have worked hard to spur the adoption of compliant systems and we view the adoption of common guidelines on data field encryption as a complementary step in increasing the protection offered to retailers and consumers through PCI DSS.”
Neira Jones, head of payment security at Barclaycard Global Payment Acceptance, said: “Barclaycard sees the guidelines as a big step forward in progressing the development and certification of solutions which will help retailers reduce the scope of PCI DSS compliance. Barclaycard is a member of the PCI SSC [Security Standards Council] Advisory Board and is working with key stakeholders in the industry to make PCI DSS compliance easier for the benefit of our customers and the industry as a whole.”
Chris K. Davies, chief operating officer at HSBC Merchant Services added: “We fully endorse these guidelines from Visa Europe and feel that they will make a significant contribution to simplifying the challenges faced by our merchants whilst they develop their systems to become PCI DSS compliant. Any guidelines that will further reduce the appeal for fraudsters to target cardholder information can only be a positive step forward”.
A copy of Visa Europe’s guidelines on data field encryption is available for download from Visa Europe.