Visa releases End to End Best Practices! Big Kudos!!
October 6th, 2009 by cmark. Posted in PCI DSS
Visa, always leading the charge for the card brands, has just released a new document on Data Field Encryption. Visa’s Best Practices document, known as Data Field Encryption Version 1.0, is intended to provide guidance for companies building end to end (or point to point) encryption solutions. This marks a watershed moment in our industry. Finally a major card brand is acknowledging the value of encryption. Here is a summary…
1) Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
2) Use robust key management solutions consistent with international and/or regional standards.
3) Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
4) Protect devices used to perform cryptographic operations against physical/logical compromises.
5) Use an alternative account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
Based upon what I read, it looks like the major players in the market all support Visa’s best practices.
BIG KUDOS to VISA for taking a big leap!!!
4 Responses to “Visa releases End to End Best Practices! Big Kudos!!”
By Dominic White on Oct 6, 2009
Does it support descoping or reduced scope of the environment where it is provably encrypted? If not, what do you think the timelines are?
By Josh on Oct 6, 2009
I’m echoing Dominic’s question…if the keys do not exist within the environment, can we reduce scope??
By cmark on Oct 6, 2009
Great questions. My position has always been “yes,” you can reduce scope. Unfortunately, I am no longer with the council or the card brands, so it is simply ‘my opinion’ at this point. Many of the acquirers are taking the position that it reduces scope. If the keys are irrelevant, then why would SSL not bring all of the systems through which the encrypted data passes into scope? Clearly the keys are the ‘key’ to the solution (along with the algorithm, of course).
Ashok Misra wrote a great article I will post on this blog tonight that you should read…
I think ultimately that should be the position of the council and card brands.
By trek on Oct 16, 2009
To add a scenario…in the UK, today…
Encryption takes place on a PCI-PTS certified PED. Encryption is dual layer. Layer 1, 3-key 168-bit 3DES, unique for each txn, then Layer 2, 2048-bit RSA key. No decryption keys exist on the PED or the merchant’s LAN, neither can the software on the PED be set to turn encryption off. Dual-layered encrypted data is then transferred across the merchant’s LAN to the processor and even on to the Acquirer for decryption prior to authorisation. True end to end encryption. If this was the only method of payment used by a merchant then everything other than the PED would be out of scope for PCI DSS…
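The dual-layer scheme trek describes, as an added Go sketch that is not code from the post or from any PED vendor: one function models the PED (a fresh 3-key 3DES key per transaction for the PAN, that key wrapped under the acquirer's 2048-bit RSA public key), the other models the acquirer, the only party holding the private key. It assumes the RSA layer is a key wrap rather than a second pass over the data, and picks CBC, PKCS#7 and OAEP as unstated details; the test PAN is a constructed value.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is all that leaves the PED: the PAN under a one-time 3DES key, and that key under the acquirer's RSA key.
type Envelope struct{ IV, Ciphertext, WrappedKey []byte }

// pedEncrypt models the PED: layer 1 is a fresh 3-key (168-bit) 3DES key per transaction, layer 2 wraps it with RSA-2048 (OAEP assumed).
func pedEncrypt(pan []byte, acquirerPub *rsa.PublicKey) (*Envelope, error) {
	kiv := make([]byte, 24+des.BlockSize) // 24-byte 3DES key followed by an 8-byte CBC IV
	if _, err := rand.Read(kiv); err != nil { return nil, err }
	key, iv := kiv[:24], kiv[24:]
	block, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	pad := des.BlockSize - len(pan)%des.BlockSize // PKCS#7 pad to the 8-byte block
	padded := append(append([]byte{}, pan...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, acquirerPub, key, nil)
	if err != nil { return nil, err }
	return &Envelope{IV: iv, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// acquirerDecrypt runs only where the RSA private key lives: unwrap the key, then the PAN.
func acquirerDecrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	block, err := des.NewTripleDESCipher(key)
	if err != nil { return nil, err }
	if len(env.Ciphertext) == 0 || len(env.Ciphertext)%des.BlockSize != 0 { return nil, fmt.Errorf("bad length") }
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > des.BlockSize { return nil, fmt.Errorf("bad padding") }
	return pt[:len(pt)-pad], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)                     // held by the acquirer only
	env, _ := pedEncrypt([]byte("4111111111111111"), &priv.PublicKey) // constructed test PAN
	pan, _ := acquirerDecrypt(env, priv)
	fmt.Printf("merchant LAN carries %d opaque bytes; acquirer recovers %s\n", len(env.Ciphertext)+len(env.WrappedKey), pan)
}
```

Everything between the PED and the acquirer handles only the envelope, which is the basis of the scoping argument in the comment above.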