Friday, October 23, 2009

Best Practices Document for End to End Encryption by VISA

Visa has announced new global best practices for data field encryption, also known as end-to-end encryption - a much-discussed solution in the wake of the Heartland Payment Systems breach.
These best practices are designed to further the payment industry's efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor, so the merchant never needs to process or transmit card data in the clear.

Visa's best practices are designed to help organizations:

* Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption;
* Use robust key management solutions consistent with international and/or regional standards;
* Use key-lengths and cryptographic algorithms consistent with international and/or regional standards;
* Protect devices used to perform cryptographic operations against physical/logical compromises;
* Use an alternate account or transaction identifier for business processes that require the primary account number after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
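The first and last of these practices (cleartext PAN only at the point of encryption and the point of decryption, and a substitute identifier for everything after authorization) are easier to reason about with a concrete model. The following Go program is an added illustration, not code from Visa's document or from any encryption vendor: the terminal encrypts the PAN field with AES-256-GCM under a data-encryption key the merchant never holds, the merchant's systems see only ciphertext plus the last four digits, and the acquirer, as the point of decryption, authorizes and hands back a random token that the merchant keeps for recurring billing or loyalty processing. The key distribution, HSM, message formats and the `Acquirer` type are simplifications assumed for the example; CVV2 is deliberately left out of everything that is stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthRequest is what the merchant's systems see: the PAN only as ciphertext,
// plus the last four digits for receipts. No CVV2 or track data is carried.
type AuthRequest struct {
	Nonce       []byte
	PANCipher   []byte // AES-256-GCM ciphertext with appended tag
	Last4       string
	AmountCents int64
}

// AuthResponse carries the token the merchant stores instead of the PAN.
type AuthResponse struct {
	Approved bool
	Token    string
}

// LuhnValid performs the standard mod-10 check on a PAN.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // 32-byte dek selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN runs at the point of encryption (the terminal). The merchant's
// own systems never hold dek, so nothing downstream can recover the PAN.
func EncryptPAN(dek []byte, pan string, amountCents int64) (AuthRequest, error) {
	if !LuhnValid(pan) {
		return AuthRequest{}, errors.New("invalid PAN")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return AuthRequest{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return AuthRequest{}, err
	}
	last4 := pan[len(pan)-4:]
	// Bind the non-secret fields into the tag so they cannot be swapped in transit.
	aad := []byte(fmt.Sprintf("%s|%d", last4, amountCents))
	ct := gcm.Seal(nil, nonce, []byte(pan), aad)
	return AuthRequest{Nonce: nonce, PANCipher: ct, Last4: last4, AmountCents: amountCents}, nil
}

// Acquirer models the point of decryption together with the token vault.
// The token-to-PAN mapping exists only here (hypothetical in-memory vault).
type Acquirer struct {
	dek     []byte
	byToken map[string]string
	byPAN   map[string]string // one card always maps to the same token
}

func NewAcquirer(dek []byte) *Acquirer {
	return &Acquirer{dek: dek, byToken: map[string]string{}, byPAN: map[string]string{}}
}

// Authorize decrypts the PAN field, validates it, and returns a token in place of the PAN.
func (a *Acquirer) Authorize(req AuthRequest) (AuthResponse, error) {
	gcm, err := newGCM(a.dek)
	if err != nil {
		return AuthResponse{}, err
	}
	aad := []byte(fmt.Sprintf("%s|%d", req.Last4, req.AmountCents))
	pt, err := gcm.Open(nil, req.Nonce, req.PANCipher, aad)
	if err != nil {
		return AuthResponse{}, errors.New("decryption failed: wrong key or tampered message")
	}
	pan := string(pt)
	if !LuhnValid(pan) {
		return AuthResponse{}, errors.New("invalid PAN")
	}
	tok, ok := a.byPAN[pan]
	if !ok {
		b := make([]byte, 16) // random, so the token reveals nothing about the PAN
		if _, err := rand.Read(b); err != nil {
			return AuthResponse{}, err
		}
		tok = hex.EncodeToString(b)
		a.byPAN[pan], a.byToken[tok] = tok, pan
	}
	return AuthResponse{Approved: true, Token: tok}, nil
}

// Detokenize is available only inside the acquirer (e.g. to run a recurring payment).
func (a *Acquirer) Detokenize(tok string) (string, bool) {
	pan, ok := a.byToken[tok]
	return pan, ok
}

func main() {
	dek := make([]byte, 32)
	rand.Read(dek)
	req, _ := EncryptPAN(dek, "4111111111111111", 1999) // constructed test PAN
	resp, _ := NewAcquirer(dek).Authorize(req)
	fmt.Printf("merchant sees last4=%s cipher=%x token=%s\n", req.Last4, req.PANCipher[:8], resp.Token)
}
```

The merchant stores `resp.Token` and `req.Last4`, never `pan`; a breach of the merchant's database yields tokens that are useless outside the acquirer's vault, which is exactly the reduction in the value of card data that the best practices aim for.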


It's important to note that sensitive authentication data such as the full contents of the magnetic stripe, CVV2, and PIN/PIN block should not be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.

While data field encryption applies after the card is swiped and throughout the merchant's environment, encryption solutions between acquirer processors and Visa would further reduce the value of card data to criminals. You can read this Best Practices document from VISA.
