VISA’s new encryption service to aid protection of sensitive data, merchant security
23 August, 2012
category: Financial
Visa announced a new service – entitled Visa Merchant Data Secure with Point-to-Point Encryption – to increase security of sensitive personal data as well as merchant security.
The new program incorporated point-to-point encryption (P2PE) which will enable merchants to protect card payment data within their systems by encrypting personal cardholder information. Accessible only with decryption keys held by the merchant or Visa, the new system ensures that cardholders’ delicate information is constantly protected throughout the payment process.
The bigger picture for Visa is a payment landscape that eliminates account data from the payment environment whenever possible, protecting cardholder information wherever it is stored, processed or transmitted. Visa also hopes to diminish stolen account information by employing authentication solutions like EMV chip technology.
For now, Visa’s new Merchant Data Secure program will account for a number of encryption concerns on both the merchant and customer sides of transactions.
-
Minimal impact to payment processing systems. Point-to-point adoption will be simple as there is little impact on the current payment system. Visa will also offer a “format preserving” option, allowing merchants to integrate point-to-point encryption using a 16-digit encrypted value with their current systems.
-
Consistent, open encryption standard. Visa’s will continue to use the Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are currently used to encrypt PINs, providing a consistent framework for managing keys and minimizing the impact of system updates.
-
Multi-zone encryption. By allowing for encryption/decryption in multiple zones, Visa provides merchants and acquirers flexibility in deployment strategies within each unique environment. Multi-zone encryption supports routing to multiple endpoints or processors, consistent with how PIN encryption is managed today.
The new program is planned for 2013 with technical specification and implementation guides to be rolled out in the coming months.