Despite the media attention to viruses and other malicious software, a major source of vulnerability in the payment industry remains the lack of protection of cardholder data stored by merchants, acquirers, service providers and third-party suppliers.
Small businesses are often the focus of criminals seeking this valuable information because of their lack of technical security expertise and their unawareness of how their suppliers and service providers manage the security of their payment systems. However, leading service providers are not immune either, with serious consequences (e.g. the Global Payments breach earlier this year, involving 1.5 million card numbers).
The root cause of these incidents is always the same pair of weaknesses: a publicly exposed information system with security flaws that provide logical doors to criminals, and a lack of protection of stored cardholder data. While the PCI DSS (Payment Card Industry Data Security Standard) requires encryption of stored cardholder data, applying cryptographic techniques effectively requires strong expertise, and a single failure in the implementation can have a strong impact on the overall security of cardholder data.
This situation led Visa to announce the launch, in early 2013, of "Visa Merchant Data Secure with Point-to-Point Encryption", its own point-to-point data encryption service. The objective is to provide merchants and acquirers with a Point-to-Point Encryption (P2PE) service that works with existing payment systems (e.g. point-of-sale terminals) and meets the PCI DSS requirements.
P2PE technology helps merchants and acquirers protect payment card data within their systems by encrypting sensitive cardholder information. Because the card data can only be accessed, or unscrambled, with decryption keys held securely by the acquirer, gateway or Visa, cardholder information is protected within the payment processing environment.
Ellen Richey, Chief Enterprise Risk Officer at Visa Inc., said that “small and large merchants have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols”.
Visa Merchant Data Secure with Point-to-Point Encryption addresses several key merchant and acquirer concerns about encryption:
- Minimal impact on merchants' and acquirers' payment processing systems. Visa will offer a "format preserving" option, enabling merchants to integrate point-to-point encryption into their current systems using a 16-digit encrypted value.
- A consistent, open encryption standard relying on the same Triple Data Encryption Standard (TDES) and Derived Unique Key Per Transaction (DUKPT) key management that are used to encrypt PINs today. This provides a consistent framework for managing keys and minimizes the impact of merchant system updates.
- Multi-zone encryption, giving merchants and acquirers flexibility in how they deploy encryption within their own environments. Multi-zone encryption can facilitate routing to multiple endpoints when the merchant uses several processors, consistent with how PIN encryption is managed today.
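The two properties listed above, a format-preserving 16-digit encrypted value and a key that is unique to each transaction and recoverable only by the party holding the base key, can be illustrated with a small model of the terminal and acquirer sides. The following is an added example written for this page; it is not Visa's code, nor an implementation of ANSI X9.24 DUKPT or of any standardized format-preserving cipher. It substitutes an HMAC-SHA256 key derivation for the TDES-based DUKPT derivation tree and a toy Feistel network over two 8-digit halves for a real FPE mode; the base derivation key, terminal identifier, counter and PAN are all constructed sample values. What it does show is the shape of the scheme: the terminal sends only a key serial number (KSN) and a ciphertext that still looks like a 16-digit card number, and the acquirer, holding the base key, re-derives the same per-transaction key to unscramble it.

```python
import hmac
import hashlib

# Toy format-preserving encryption with a per-transaction derived key.
# Assumptions (not the page's or Visa's scheme): HMAC-SHA256 stands in for the
# TDES-based DUKPT derivation, and an 8-round Feistel network over two 8-digit
# halves stands in for a standardized format-preserving cipher.

DIGITS = 8                  # each Feistel half holds 8 decimal digits (16 in total)
MODULUS = 10 ** DIGITS
ROUNDS = 8                  # number of Feistel rounds (assumption for this toy cipher)


def derive_transaction_key(bdk: bytes, ksn: bytes) -> bytes:
    """Derive a per-transaction key from the shared base derivation key (BDK)
    and the transaction's key serial number (KSN). Terminal and acquirer both
    hold the BDK, so the transaction key itself never travels on the wire."""
    return hmac.new(bdk, ksn, hashlib.sha256).digest()


def _round_function(key: bytes, round_index: int, half: int) -> int:
    """Keyed PRF mapping an 8-digit integer to another 8-digit integer."""
    msg = round_index.to_bytes(1, "big") + half.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MODULUS


def _split(value: str):
    """Validate a 16-digit numeric string and split it into two integer halves."""
    if len(value) != 2 * DIGITS or not value.isdigit():
        raise ValueError("expected a 16-digit numeric string")
    return int(value[:DIGITS]), int(value[DIGITS:])


def _join(left: int, right: int) -> str:
    """Re-assemble two integer halves into a zero-padded 16-digit string."""
    return f"{left:0{DIGITS}d}{right:0{DIGITS}d}"


def fpe_encrypt(key: bytes, plaintext16: str) -> str:
    """Encrypt 16 digits to 16 digits: the output fits wherever a PAN fits."""
    left, right = _split(plaintext16)
    for i in range(ROUNDS):
        left, right = right, (left + _round_function(key, i, right)) % MODULUS
    return _join(left, right)


def fpe_decrypt(key: bytes, ciphertext16: str) -> str:
    """Run the Feistel rounds backwards to recover the original digits."""
    left, right = _split(ciphertext16)
    for i in reversed(range(ROUNDS)):
        left, right = (right - _round_function(key, i, left)) % MODULUS, left
    return _join(left, right)


def terminal_encrypt(bdk: bytes, terminal_id: str, counter: int, pan: str) -> dict:
    """Terminal side: build the KSN (terminal id + transaction counter), derive the
    transaction key and emit only the KSN plus the format-preserved ciphertext."""
    ksn = terminal_id.encode() + counter.to_bytes(4, "big")
    key = derive_transaction_key(bdk, ksn)
    return {"ksn": ksn.hex(), "encrypted_pan": fpe_encrypt(key, pan)}


def acquirer_decrypt(bdk: bytes, message: dict) -> str:
    """Acquirer side: re-derive the same transaction key from the received KSN
    and the securely held BDK, then unscramble the card number."""
    ksn = bytes.fromhex(message["ksn"])
    key = derive_transaction_key(bdk, ksn)
    return fpe_decrypt(key, message["encrypted_pan"])


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    bdk = b"constructed-demo-base-derivation-key"
    pan = "4111111111111111"
    msg = terminal_encrypt(bdk, "TERM0001", 42, pan)
    print("on the wire:", msg)
    print("acquirer recovers:", acquirer_decrypt(bdk, msg))
```

Because the KSN counter changes for every transaction, the same card number encrypts to a different 16-digit value each time, and a merchant system that stores or forwards the ciphertext never holds a key that can reverse it; only the acquirer (or gateway) with the base key can.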
The solution is expected to be operational in 2013, as it must also be integrated throughout the whole payment chain, from suppliers of technical solutions (terminals) to processors ... While Visa ensures format compatibility to ease adaptation (e.g. the 16-digit encrypted value), the effort required remains significant. Additionally, this is a Visa-only initiative, not one shared by all the networks, as was the case with EMV chip authentication, which affected its overall adoption by the payment ecosystem.