Visa probes tokens, encryption for PCI card data protection

By Robert Westervelt, News Editor
07 Oct 2009 | SearchSecurity.com


Visa Inc. is weighing in on the process of protecting credit card data with end-to-end encryption and the use of tokens. The card brand issued a document this week outlining best practices for encryption that includes the use of tokens.

Visa said the document aims to help encryption vendors develop a common standard and help early adopters choose the right approach to deploy data protection.

"While no single technology will completely solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," Eduardo Perez, global head of data security at Visa Inc., said in a statement.

The PCI Security Standards Council completed its review of emerging technologies and announced the results at its recent community meeting in Las Vegas. The independent survey of 125 companies was conducted by PricewaterhouseCoopers and determined that encryption and tokenization were the top two emerging technologies that deserve the most attention.
Analysts and experts said that tokens, combined with end-to-end encryption that begins at the point-of-sale (POS) terminal, would protect card data from the moment a card is swiped until the payment processor assigns a token in its place. The goal is to eliminate primary account number (PAN) data from merchant systems altogether, said Diana Kelley, founder and partner at Security Curve.

"It's a great technology overall, but merchants have to make sure there are no other instances of PAN data around to really get the full benefit," Kelley said, adding that PAN data can slip into log files and volatile memory.

Visa's document addresses encryption and key management, but also outlines the use of an alternate account or transaction identifier for merchant business processes, such as customer loyalty programs, fraud management and returns.

Kelley said the industry still has a lot of work to do before an industry-wide standard is developed. Many merchants could face costly upgrades to support the technology. Some legacy POS terminals don't support encryption and would have to be replaced in order to make end-to-end encryption a reality, she said.

Eliminating all credit card data from merchant systems also may not be realistic, at least in the near term. Dave Hogan, senior vice president and chief information officer for the National Retail Federation, has warned that some merchants are required by card-issuing banks to retain credit card data for up to 18 months.

"Retailers have been required to take extraordinary steps to ensure that somewhere, somehow, data is not inadvertently being retained by software," Hogan said in March in his testimony before the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. "What is ironic in this scenario is that the credit card companies' rules require merchants to store, for extended periods, credit card data that many retailers do not want to keep."

Payment processors are offering different solutions for POS encryption. Heartland Payment Systems Inc. is partnering with Voltage Security on E3, a system that includes new card terminals and format-preserving encryption software. Meanwhile, First Data Corp. is working with RSA, the security division of EMC Corp., on a data protection process that combines encryption of data in motion with tokenization. The processor would generate the token and return it to the merchant, while the actual card numbers would be stored in a secure repository maintained by First Data. In August, RBS WorldPay announced that it was partnering with VeriFone Inc. to sell VeriShield Protect, a format-preserving encryption technology.
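As an added example (not Visa's guidance, not any processor's product, and not code from the original article), the following Python sketch shows the two halves of what the preceding paragraphs describe: a processor-side vault that hands the merchant a same-length token which keeps the last four digits (so receipts, returns and loyalty lookups still work) but deliberately fails the Luhn check, and a merchant-side scan of log lines for Luhn-valid card-number runs, the "PAN slipping into log files" problem Kelley raises. The vault class, the log lines and the use of the well-known 4111 1111 1111 1111 test number are constructed for illustration; a real vault would sit behind the processor's hardened key store and an authenticated API rather than in a Python dictionary.

```python
"""Toy tokenization vault plus a PAN-residue log scanner.

Added illustration only; this is not Visa's, First Data's or RSA's code.
"""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault (hypothetical): maps tokens to the real PAN.

    The merchant only ever stores the token; the PAN never leaves the vault.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        # Reverse map so a repeat customer gets the same token, which is what
        # loyalty programs and returns need from an "alternate identifier".
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Same length as the PAN, last four digits preserved, rest random.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # A token must not itself look like a card number (must fail Luhn)
            # and must not collide with an existing token.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can do this; the merchant has no such call."""
        return self._by_token[token]


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run (so a 20-digit transaction id is not mistaken for a card).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pan_residue(log_text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text (likely leaked PANs).

    Luhn is a filter, not proof: about one random digit run in ten passes it,
    so hits still need a human look. Luhn-failing tokens are never flagged.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(log_text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    """Tokenize a test PAN and scan two constructed merchant log lines."""
    vault = TokenVault()
    pan = "4111111111111111"  # well-known Visa test number, not a real account
    token = vault.tokenize(pan)
    # Constructed log lines: the first leaks the PAN, the second holds only
    # the token plus an unrelated 14-digit order id that fails Luhn.
    leaky = (f"2009-10-07 12:00:01 POS auth pan={pan[:4]} {pan[4:8]} "
             f"{pan[8:12]} {pan[12:]} amt=19.99")
    clean = (f"2009-10-07 12:00:02 POS auth token={token} amt=19.99 "
             f"order=10000000000001")
    return {
        "pan": pan,
        "token": token,
        "leaky_hits": find_pan_residue(leaky),
        "clean_hits": find_pan_residue(clean),
        "roundtrip": vault.detokenize(token),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scan is the part a merchant can run today without new terminals: point it at POS, web-server and application logs (and, as Kelley notes, memory dumps) and anything it flags is PAN data that the tokenization project has not yet removed from scope.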

Still, experts agree that tokenization coupled with end-to-end encryption holds promise. It adds a layer of defense in depth for the payment industry, said Ramon Krikken, an analyst at the Burton Group. Some larger retailers already use tokenization, which makes it a proven technology, Krikken said.

"In the eyes of PCI and the assessor, a token isn't necessarily considered an encrypted data item, which may make it a little easier to pass an audit that way," Krikken said. "When you are just the average merchant trying to comply with PCI and you don't really care about the card numbers anyway, there shouldn't be a really good argument against not using [tokens] if you don't have to go out and buy new terminals."
