Visa, always leading the charge for the card brands, has just released a new document on Data Field Encryption. Visa’s Best Practices document, known as Data Field Encryption Version 1.0 is intended to provide guidance for companies building end to end (or point to point) encryption solutions. This marks a watershed moment in our industry. Finally a major card brand is acknowledging the value of encryption. Here is a summary…
1) Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
2) Use robust key management solutions consistent with international and/or regional standards
3) Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
4) Protect devices used to perform cryptographic operations against physical/logical compromises.
5) Use an alternative account or transaction identifier for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
Based upon what I read, it looks like the major players in the market all support Visa’ best practices.
BIG KUDOS to VISA for taking a big leap!!!
