Visa probes tokens, encryption for PCI card data protection

By Robert Westervelt, News Editor 07 Oct 2009 | SearchSecurity.com

Security UK News Digg This!     StumbleUpon     Del.icio.us

Visa Inc. is weighing in on the process of protecting credit card data with end-to-end encryption and the use of tokens. The card brand issued a document this week outlining best practices for encryption that includes the use of tokens.

Visa said the document aims to help encryption vendors develop a common standard and help early adopters choose the right approach to deploy data protection.

"While no single technology will completely solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," Eduardo Perez, global head of data security at Visa Inc. said in a statement.

The PCI Security Standards Council completed its review of emerging technologies and announced the results at its recent community meeting in Las Vegas. The independent survey of 125 companies was conducted by PricewaterhouseCoopers and determined that encryption and tokenization were the top two emerging technologies that deserve the most attention.

Analysts and experts said the use of tokens in addition to end-to-end encryption beginning at point-of-sale (POS) systems would help boost security from the time a credit card is swiped to a payment terminal to the point a token is assigned by a payment processor. The goal is to eliminate primary account number (PAN) data from merchant systems altogether, said Diana Kelley, founder and partner at Security Curve.

"It's a great technology overall, but merchants have to make sure there's no other instances of PAN data around to really get the full benefit," Kelley said, adding that PAN data can slip into log files and volatile memory.

Visa's document addresses encryption and key management, but also outlines the use of an alternate account or transaction identifier for merchant business processes, such as customer loyalty programs, fraud management and returns.

Kelley said the industry still has a lot of work to do before an industry-wide standard is developed. Many merchants could face costly upgrades to support the technology. Some legacy POS terminals don't support encryption and would have to be replaced in order to make end-to-end encryption a reality, she said.

Eliminating all credit card data from merchant systems also may not be realistic, at least in the near term. Dave Hogan, senior vice president and chief information officer for the National Retail Federation has warned that some merchants are required by credit card issuing banks to retain credit card data for up to 18 months.

"Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software," Hogan said in March in his testimony before the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "What is ironic in this scenario is that the credit card companies' rules require merchants to store, for extended periods, credit card data that many retailers do not want to keep."

Payment processors are offering different solutions to address POS encryption. Heartland Payment Systems Inc. is partnering with Voltage Security to produce E3, a system that includes new credit card terminals and format-preserving encryption software. Meanwhile, First Data Corp. is working with RSA, the security division of EMC Corp., to produce a data protection process that includes bothencryption of data in motion and token technology. The tokenization would be handled by the processor and be returned to merchants, while the actual credit card numbers would be stored in a secure repository maintained by First Data. In August, RBS WorldPay announced that was partnering with VeriFone Inc. to sell VeriShield Protect, a format preserving encryption technology.

Still, experts agree tokenization coupled with end-to-end encryption hold promise. It adds defense-in-depth security for the payment industry, said Ramon Krikken, an analyst at the Burton Group. Some larger retailers already use tokenization technology, making it a proven technology, Krikken said.

"In the eyes of PCI and the assessor, a token isn't necessarily considered an encrypted data item, which may make it a little easier to pass an audit that way," Krikken said. "When you are just the average merchant trying to comply with PCI and you don't really care about the card numbers anyway, there shouldn't be a really good argument against not using [tokens] if you don't have to go out and buy new terminals."

Tags: Compliance Regulation and Standard Requirements,  Biometrics, Smart Cards, Tokens,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Compliance Regulation and Standard Requirements PCI DSS requirements still baffling as compliance deadline approaches Make PCI DSS compliance easier by reducing scope, outsourcing data Cloud computing compliance: Exploring data security in the cloud Encryption basics: How asymmetric and symmetric encryption works SIEM systems streamline compliance processes, offer security benefits No major PCI DSS revision expected in 2010 PCI QSAs, certifications to get new scrutiny Tips to achieve PCI compliance PCI DSS requirements: Get ready for stricter enforcement, fines Data Protection Act breach could cost companies 500,000 pounds Biometrics, Smart Cards, Tokens Preventing password fatigue with single sign-on (SSO) authentication Gridsure finds global deal for its pattern-based authentication Single sign-on system removes password chaos at East Kent NHS Trust Will physical security integrators work with IT departments? Tokenless two-factor authentication helps council with CoCo compliance Chip and PIN adoption serves lesson for U.S. payment industry Strong authentication methods, voice recognition systems make comeback Security on a budget: How to make the most of authentication tools Creating a secure platform for smart card programmers Portable security storage device could replace OTP devices

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Basel II  (SearchSecurityUK.com) Code of Connection (CoCo)  (SearchSecurityUK.com) EU Data Protection Directive  (SearchSecurityUK.com) Financial Services Authority  (SearchSecurityUK.com) IFRS (International Financial Reporting Standards)  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary