Visa Offers Guidance On Data Encryption As Companies Add Encryption Products

This article appears in the Oct. 15, 2009, edition of ISO&Agent Weekly.

Visa Inc. finally has weighed in on the encryption debate, providing guidelines to merchants that choose to use data-security measures beyond industry requirements. Visa said earlier this year it was exploring encryption technology, which some processors and terminal makers already are offering to merchants.

Encryption is not required under the Payment Card Industry Data Security Standard, which describes how merchants must handle and protect card data.

But the concept is getting more attention as companies realize that passing a PCI assessment may not be enough to prevent a data breach.

The encryption guidelines Visa announced last week are designed to impress upon merchants that there is more to using encryption than buying any particular product, says Eduardo Perez, Visa global head of data security.

"Encryption could be used to meet some of the requirements" under PCI, but "encryption in and of itself is not a silver bullet," Perez says. "It should be taken seriously," so the encryption keys, which can be used to decode scrambled files, are kept inaccessible, he says.

Visa's new guidelines are broad enough to work with any existing encryption initiatives, says Avivah Litan, vice president and analyst at Gartner Inc. "It's not disruptive; it's complementary," Litan says. However, offering broad guidelines rather than specific requirements "basically tells merchants there is ... not going to be an industrywide end-to-end solution anytime soon," she says.

Still, Visa's decision to issue a public statement may move some encryption efforts forward, Litan says. "This is a really useful announcement because merchants may be sitting on the fence thinking, 'What's the card-brand position on this?'"

Instead of dictating specific technology, Visa is "basically separating" itself from the process while still providing some information for merchants that wish to seek its guidance, Litan says.

Encryption Options

More companies have begun to offer encryption options, or have announced plans to do so, with a focus on so-called "end-to-end" encryption. Typically, this means payment card data are encrypted when the information is read by a merchant's terminal and remains encrypted until it has been handed off to the processor.

Encryption's most outspoken champion has been Heartland Payment Systems Inc., which began to advocate the fraud-prevention option after it disclosed a breach in January. Though it was later determined that Heartland had been out of compliance with the PCI standard, its security flaws were not revealed during numerous PCI assessments.

The Princeton, N.J.-based processor in July completed the first test of a complete encryption system designed to protect the cardholder data it handles from hackers.

Atlanta-based First Data Corp. announced in late September it is developing a system that uses tokenization, a technique that would make encrypted data more secure.
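The end-to-end flow described above (card data encrypted at the terminal, opaque to the merchant's systems, decrypted only by the processor) and the tokenization idea First Data is pursuing can be shown together in one small program. The following Go code is an added illustration, not code from the article or from Heartland, First Data, VeriFone or Visa; the `Processor`, `Terminal`, `Swipe`, `Authorize` and `tokenize` names are hypothetical, the AES-GCM construction and the key-injection simulation are this example's own choices, and the PAN is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// samplePAN is a constructed test value (the well-known Visa test number),
// not a real account number.
const samplePAN = "4111111111111111"

// Processor models the acquirer side (hypothetical structure). It is the
// only party holding the data-field encryption key, and it owns the vault.
type Processor struct {
	aead  cipher.AEAD
	vault map[string]string // token -> PAN; never leaves the processor
}

// NewProcessor generates a fresh 256-bit AES key and wraps it in AES-GCM.
func NewProcessor() (*Processor, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: aead, vault: map[string]string{}}, nil
}

// Terminal models a POS device with an injected key. The merchant's own
// back-office systems never hold this key.
type Terminal struct{ aead cipher.AEAD }

// NewTerminal simulates key injection by sharing the AEAD in memory; a real
// deployment does this through a key-management ceremony, not like this.
func (p *Processor) NewTerminal() *Terminal { return &Terminal{aead: p.aead} }

// Swipe encrypts the PAN as it is read and returns hex(nonce||ciphertext||tag),
// the only form in which card data passes through merchant systems.
func (t *Terminal) Swipe(pan string) (string, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := t.aead.Seal(nil, nonce, []byte(pan), []byte("pan-field"))
	return hex.EncodeToString(append(nonce, ct...)), nil
}

// MerchantCanReadPAN is the check a merchant would run over its own logs and
// database: the encrypted field must not expose the PAN in plain or hex form.
func MerchantCanReadPAN(field, pan string) bool {
	return strings.Contains(field, pan) ||
		strings.Contains(field, hex.EncodeToString([]byte(pan)))
}

// Authorize decrypts the field, rejects anything tampered with or encrypted
// under another key, and returns a token in place of the PAN.
func (p *Processor) Authorize(field string) (string, error) {
	raw, err := hex.DecodeString(field)
	if err != nil {
		return "", err
	}
	ns := p.aead.NonceSize()
	if len(raw) < ns+p.aead.Overhead() {
		return "", errors.New("encrypted field too short")
	}
	pan, err := p.aead.Open(nil, raw[:ns], raw[ns:], []byte("pan-field"))
	if err != nil {
		return "", fmt.Errorf("decryption failed (tampered or wrong key): %w", err)
	}
	return p.tokenize(string(pan))
}

// tokenize issues a random surrogate keeping only the last four digits for
// receipts; the PAN itself stays in the processor's vault.
func (p *Processor) tokenize(pan string) (string, error) {
	if len(pan) < 4 {
		return "", errors.New("PAN too short")
	}
	var rb [8]byte
	if _, err := io.ReadFull(rand.Reader, rb[:]); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(rb[:]) + "_" + pan[len(pan)-4:]
	p.vault[tok] = pan
	return tok, nil
}

// Detokenize exists only inside the processor; merchants store tokens.
func (p *Processor) Detokenize(tok string) (string, bool) {
	pan, ok := p.vault[tok]
	return pan, ok
}

func main() {
	p, err := NewProcessor()
	if err != nil {
		panic(err)
	}
	field, _ := p.NewTerminal().Swipe(samplePAN)
	tok, err := p.Authorize(field)
	fmt.Println("merchant can read PAN:", MerchantCanReadPAN(field, samplePAN))
	fmt.Println("merchant stores token:", tok, "err:", err)
}
```

The point Perez makes about keys follows directly from the structure: the merchant's systems handle `field` and `tok` but never the AEAD, so a breach of the merchant's database yields ciphertext and tokens rather than PANs, and a field altered in transit fails GCM authentication at the processor instead of being silently accepted.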

Additionally, payment-terminal maker VeriFone Holdings Inc. announced in April it is providing encryption capabilities with its VeriShield Protect product across its point-of-sale terminal lines. VeriShield Protect meets Visa's best practices for data-field encryption, according to San Jose, Calif.-based VeriFone.
