Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals [1] and thirteen best practices that companies can implement to meet them.

The five goals as listed in the bulletin are:

  1. Limit cleartext availability of cardholder data and sensitive authentication data to the point
    of encryption and the point of decryption.
  2. Use robust key management solutions consistent with international and/or regional
    standards.
  3. Use key-lengths and cryptographic algorithms consistent with international and/or regional
    standards.
  4. Protect devices used to perform cryptographic operations against physical/logical
    compromises.
  5. Use an alternate account or transaction identifier for business processes that requires the
    primary account number to be utilized after authorization, such as processing of recurring
    payments, customer loyalty programs or fraud management.

Lock, by AMagill

For each goal, they include two to five detailed practices to assist in meeting it. Download the bulletin to see all of the best practices. This document is a good example of various practices and requirements consolidated into a single guide and, quite frankly, is an excellent reference piece for practitioners and assessors alike.

The challenge with documentation like this is that it only represents the opinions of Visa, Inc. (which does not include Visa Europe, and sometimes Visa Canada), and it is not part of PCI DSS. While all of the payment brands are fierce competitors, and it’s really a miracle that the PCI Security Standards Council functions at all, documentation like this should really come from the Council to be the most effective.

There are some fantastic clarifications here, such as specific information on what kinds of encryption algorithms should be used (ISO or ANSI X9 approved), instead of the current definition, which leaves lots of room for interpretation. Hopefully we’ll see more of this type of documentation from the Council, where we can apply it uniformly across all PCI DSS work.

This post originally appeared on BrandenWilliams.com.

  1. Paying homage to The Security Catalyst’s “3s and 5s” rule.