There has been a lot of interest in this technology which was featured as a potentially game-changing technology at the recent PCI Community Meeting (see here). As the document points out: "Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the 'clear.' Importantly, data field encryption renders cardholder data useless to criminals in the event of a merchant data breach."
Visa's best practices are designed to achieve the following security objectives:
- Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
- Use robust key management solutions consistent with international and/or regional standards.
- Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
- Protect devices used to perform cryptographic operations against physical/logical compromises.
- Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
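The first and last objectives describe a concrete data flow: the PAN exists in the clear only at the terminal and at the acquirer, and everything the merchant keeps afterwards is a surrogate identifier. The following Python is an added example written for this post (it is not Visa's code and not part of the best-practices document): a hypothetical acquirer-side token vault that hands the merchant a same-length, last-four-preserving, deliberately Luhn-invalid token, plus a merchant-side sweep that flags any Luhn-valid card number that has leaked into stored records. The sample PAN, the vault key and the merchant records are constructed values; a real vault would keep the PAN store encrypted under keys managed in line with objectives 2 through 4.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample values: a commonly used test PAN and an illustrative vault key.
SAMPLE_PAN = "4111111111111111"
SAMPLE_VAULT_KEY = b"example-vault-lookup-key"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical acquirer-side store that issues surrogate identifiers.

    The merchant keeps only the token for recurring billing or loyalty
    lookups; the PAN never travels back into merchant systems.
    """

    def __init__(self, lookup_key: bytes):
        # Keyed fingerprint index so a repeat customer gets the same token
        # without storing PANs in the index. Assumption: this key lives in
        # the acquirer's key-management system, never at the merchant.
        self._lookup_key = lookup_key
        self._token_by_fingerprint = {}
        self._pan_by_token = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length and last four digits as the PAN so existing business
        # logic keeps working, random elsewhere, and deliberately Luhn-invalid
        # so a token can never be mistaken for (or used as) a card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = self._new_token(pan)
            self._token_by_fingerprint[fp] = token
            # A production vault would hold this value encrypted under an
            # HSM-managed key; plain storage here only keeps the example short.
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only acquirer-side processes that genuinely need the PAN call this."""
        return self._pan_by_token[token]


# Merchant-side sweep: a Luhn-valid run of 13 to 19 digits in stored records
# is a cleartext PAN that should not exist there under data field encryption.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_cleartext_pans(records):
    """Return every Luhn-valid 13-19 digit string found in the given records."""
    hits = []
    for rec in records:
        for m in _DIGIT_RUN.finditer(rec):
            if luhn_valid(m.group()):
                hits.append(m.group())
    return hits


def demo():
    vault = TokenVault(SAMPLE_VAULT_KEY)
    token = vault.tokenize(SAMPLE_PAN)
    # Constructed merchant records: one correct (token only) and one where a
    # debug log leaked the PAN in the clear.
    merchant_records = [
        f"order=1001 customer_ref={token} last4={token[-4:]}",
        f"debug: raw swipe pan={SAMPLE_PAN}",
    ]
    return token, find_cleartext_pans(merchant_records)


if __name__ == "__main__":
    tok, leaks = demo()
    print("token issued to merchant:", tok)
    print("cleartext PANs found in merchant records:", leaks)
```

Running the module prints the token the merchant would store and a one-element list containing the leaked PAN from the debug line, while the token-only record produces no hit. Making tokens Luhn-invalid is a design choice: it lets the same sweep distinguish surrogates from real card numbers without consulting the vault.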
And for you end-to-end encryption fans, note the title is labeled "Version 1.0"... more to follow? Encryption and conspiracy fans unite!
I was very pleased to find this site and wanted to thank you for this great read!!