When Visa speaks, the industry listens. As a necessary add on to PCI DSS, Visa says that all merchants who accept cards electronically consider upgrading their networks to have data-field technology installed.
Visa has written a paper that makes five important recommendations to merchants.
1. Protect devices that are cryptographic against software and firmware compromises.
2. Given a merchants geographical location, use key management that is consistent with security standards.
3. Use cryptographic algorithms that are consistent with security standards based on geographical locations.
4. Limit clear text (unencrypted) to “point of encryption and point of decryption.”
5. In lieu of the complete card number, use an alternate transaction identifier for business practices.
The Senior Business Leader of Visa’s Risk Department, Eduardo Perez, believes merchants are currently looking for guidance in what should be done to protect card data.
He says, “…the intent of these best practices is to provide a foundation, or a primer, for merchants considering these solutions on how to implement them and then how to evaluate them… So the goal here is to support merchants and ultimately to effectively deploy the use of encryption solutions within their payment card environment.”
Data Field Encryption
End-to-end encryption is another name for data-field encryption. Many in the industry feel that it is necessary in order to safeguard data. Data that is encrypted cannot be decryption without the correct key.
When the card is swiped, end-to-end encryption begins. The encrypted data is taken from the merchants’ private network, and then goes through the public network to the acquirers system. That is where the information is decrypted in order to process.
The guidelines of Visa do not mandate merchants to have end-to-end technology, or to have providers that use end-to-end technology. But it is an important way to protect cardholder data.
PCI DSS strives to have complete data security, which includes data at rest (stored) and data in motion (transmitted). End-to-end encryption focuses mainly on data as it is transmitted, or is in motion.
Data that is in motion is attacked by malware, which is malicious software that finds cardholder data and transmits if back to people committing fraud.
Along with PCI DSS, Data-field encryption can help keep the data of your cardholders safe.
Public Vs. Private
Tim Cranny, the Chief Executive Officer of Panoptic Security Incorporated, says that the most current version of PCI DSS is mainly focused on the security of stored data and data transmitted publicly, not the security of private networks.
The best approach to security is a layered one, according to Bob Russo, the GM of the PCI Security Standards Council, also known as PCI SSC. He says, “Which specific technologies an organization chooses to implement to meet the requirements of DSS is discretionary. Organizations seeking to deploy security technologies must recognize that secure implementation is as important as the decision to implement itself.”
He goes on to say that PCI SSC is in the feedback process. They want opinions on how the PCI DSS will evolve.