Last week, Visa issued its global industry best practices for data field encryption, also known as end-to-end encryption. There has been a lot of talk of end-to-end encryption recently as the payment industry looks to protect cardholder data from fraudulent use resulting from data breaches. The debate includes the Smart Card Alliance’s publication in September of a paper suggesting the use of contactless chip cards as part of the approach to protect against fraud.
Visa’s best practice guide very correctly identifies that no single technology can completely solve card fraud, and states that field encryption is a complement to, rather than a substitute for, PCI-DSS compliance requirements.
Included in the best practices is guidance to use robust key management solutions and encryption consistent with international and/or regional standards. This includes the management of encryption/decryption keys within Secure Cryptographic Devices such as PIN Entry Devices (PEDs) or Hardware Security Modules (HSMs).
The guidelines therefore effectively extend the approaches already in place to protect PINs so that they also protect cardholder data and sensitive authentication data throughout the payment acquiring network. However, it’s not all plain sailing. The ASC X9F6 working group is working on defining a standard methodology for end-to-end encryption, but it may take some time before an agreed approach is available. Even then, it will require vendors of the various devices and applications used in the payment ecosystem to have compatible products available. For example, while some PEDs are capable of encrypting cardholder data, many are not, and it will take some time before they are upgraded to do so as part of their natural replacement cycle. In addition, as Visa says, with no standards as yet in place, there are currently many technologies and methods in use, which is why best practices are needed for now.
Separating cleartext cardholder data from sensitive authentication data, along with the use of tokenization, is certain to reduce fraud risks. However, it also requires significant changes in applications, particularly since account numbers are the index for many of the functions these applications provide.
Nevertheless, for acquirers, payment gateways and others involved in accepting or processing transactions, Visa’s best practice guidelines must be a welcome and practical approach, as they can potentially update existing equipment to implement field encryption using tried and trusted techniques with which they are already familiar.