Visa Inc. is weighing in on the process of protecting credit card data with end-to-end encryption and the use of tokens. The card brand issued a document this week outlining best practices for encryption that includes the use of tokens.
Visa said the document aims to help encryption vendors develop a common standard and help early adopters choose the right approach to deploy data protection.
"While no single technology will completely solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," Eduardo Perez, global head of data security at Visa Inc. said in a statement.
The PCI Security Standards Council completed its review of emerging technologies and announced the results at its recent community meeting in Las Vegas. The independent survey of 125 companies was conducted by PricewaterhouseCoopers and determined that encryption and tokenization were the top two emerging technologies that deserve the most attention.
Analysts and experts said the use of tokens in addition to end-to-end encryption beginning at point-of-sale (POS) systems would help boost security from the time a credit card is swiped to a payment terminal to the point a token is assigned by a payment processor. The goal is to eliminate primary account number (PAN) data from merchant systems altogether, said Diana Kelley, founder and partner at Security Curve.
"It's a great technology overall, but merchants have to make sure there's no other instances of PAN data around to really get the full benefit," Kelley said, adding that PAN data can slip into log files and volatile memory.
Visa's document addresses encryption and key management, but also outlines the use of an alternate account or transaction identifier for merchant business processes, such as customer loyalty programs, fraud management and returns.
Kelley said the industry still has a lot of work to do before an industry-wide standard is developed. Many merchants could face costly upgrades to support the technology. Some legacy POS terminals don't support encryption and would have to be replaced in order to make end-to-end encryption a reality, she said.
Eliminating all credit card data from merchant systems also may not be realistic, at least in the near term. Dave Hogan, senior vice president and chief information officer for the National Retail Federation has warned that some merchants are required by credit card issuing banks to retain credit card data for up to 18 months.
"Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software," Hogan said in March in his testimony before the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "What is ironic in this scenario is that the credit card companies' rules require merchants to store, for extended periods, credit card data that many retailers do not want to keep."
Payment processors are offering different solutions to address POS encryption. Heartland Payment Systems Inc. is partnering with Voltage Security to produce E3, a system that includes new credit card terminals and format-preserving encryption software. Meanwhile, First Data Corp. is working with RSA, the security division of EMC Corp., to produce a data protection process that includes bothencryption of data in motion and token technology. The tokenization would be handled by the processor and be returned to merchants, while the actual credit card numbers would be stored in a secure repository maintained by First Data. In August, RBS WorldPay announced that was partnering with VeriFone Inc. to sell VeriShield Protect, a format preserving encryption technology.
Still, experts agree tokenization coupled with end-to-end encryption hold promise. It adds defense-in-depth security for the payment industry, said Ramon Krikken, an analyst at the Burton Group. Some larger retailers already use tokenization technology, making it a proven technology, Krikken said.
"In the eyes of PCI and the assessor, a token isn't necessarily considered an encrypted data item, which may make it a little easier to pass an audit that way," Krikken said. "When you are just the average merchant trying to comply with PCI and you don't really care about the card numbers anyway, there shouldn't be a really good argument against not using [tokens] if you don't have to go out and buy new terminals."