Visa Best Practices on End-to-End Encryption

Visa has just released a pdf on data field encryption, aka end-to-end encryption. You can download it here.

There has been a lot of interest in this technology which was featured as a potentially game-changing technology at the recent PCI Community Meeting (see here). As the document points out: "Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the 'clear.' Importantly, data field encryption renders cardholder data useless to criminals in the event of a merchant data breach."

Visa's best practices are designed to achieve the following security objectives:

• Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
• Use robust key management solutions consistent with international and/or regional standards.
• Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
• Protect devices used to perform cryptographic operations against physical/logical compromises.
• Use an alternate account or transaction identifier for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.

Visa notes that there are no industry standards yet, and that there is no single technology that can completely solve the fraud problem. They importantly make the point that end-to-end encryption is intended to supplement PCI DSS. Therefore, those of you looking for that single solution - aka silver bullet - solution, I guess you just have to keep on looking.

And for you end-to-end encryption fans, note the title is labeled "Version 1.0"... more to follow? Encryption and conspiracy fans unite!