Feeds

Visa gives merchants crypto card security guidelines

Retailers scramble for safety

High performance access to file storage

Visa has published best practices for data field encryption (AKA end-to-end encryption) that call on merchants to always encrypt cardholder data.

Data field encryption covers techniques for ensuring swiped credit data is always stored and transmitted in an encrypted format right from the point where a customer plastic is swiped or an online order is taken. The approach is designed to supplement existing PCI DSS security standards for merchants in helping to protect cardholder data from hacking attacks, particularly those targeted at retailers or online merchants.

PCI DSS covers the need to run up to date anti-virus and to use encryption for wireless networks without making specific recommendations. The data encryption best practice offers advice on encryption from a comparable standpoint, such as using robust key lengths for encryption and protecting terminal devices against tampering.

Sensitive authentication data such as CVV2 numbers or PINs should only be used for authorisation and never held on merchant's systems.

The publication of data field encryption standards follows in the wake of recent high-profile security breaches at firms such as TJX.

Standards in the area are in an early sage of development, but we might expect Visa to adopt a carrot and stick approach towards merchants in encouraging their adoption. Reduced processing fees for early adopters will be put together with big fines for merchants who do experience a breach and aren't following the guidelines.

In addition to publishing encryption best practices, Visa also announced that it will chair the ANSI X9F6 standards working group helping to guide the development of a data field encryption standard.

Data field encryption applies after the card is swiped and dealt with within a merchant's environment until it reaches a payment processing firm. What happens within the payment processor until it goes to Visa is covered by separate guidelines.

Visa accepts encrypted transaction data from acquirers, third-party processors and merchants directly connected to VisaNet.

"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security at Visa. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.