Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals ((paying homage to The Security Catalyst’s “3s and 5s” rule)), and thirteen best practices that companies can implement to meet them.

The five goals as listed in the bulletin are:

1. Limit cleartext availability of cardholder data and sensitive authentication data to the point
   of encryption and the point of decryption.
2. Use robust key management solutions consistent with international and/or regional
   standards.
3. Use key-lengths and cryptographic algorithms consistent with international and/or regional
   standards.
4. Protect devices used to perform cryptographic operations against physical/logical
   compromises.
5. Use an alternate account or transaction identifier for business processes that requires the
   primary account number to be utilized after authorization, such as processing of recurring
   payments, customer loyalty programs or fraud management.

Lock, by AMagill

For each goal, they include two to five detailed practices to assist meeting the stated goal.  Download the bulletin to see all of the best practices.  This document is a good example of various practices and requirements consolidated into a single guide, and quite frankly, is an excellent reference piece for practitioners and assessors alike.

The challenge with documentation like this is it only represents the opinions of Visa, Inc. (which does not include Visa Europe, and sometimes Visa Canada) and it is not part of PCI DSS.  While all of the payment brands are fierce competitors, and it’s really a miracle that the PCI Security Standards Council functions at all, documentation like this should really come from the Council to be the most effective.

There are some fantastic clarifications here, such as specific information on what kinds of encryption algorithms should be used (ISO or ANSI X9 approved) instead of the current definition which leaves lots of room for interpretation.  Hopefully we’ll see more of this type of documentation from the Council where we can apply it uniformly across all PCI DSS work.

Possibly Related Posts:

• PCI DSS 4.0 Released plus BOOK DETAILS!
• PCI Council Loses $600K in Revenue, PO Population on the Decline
• Why PCI DSS 4.0 Needs to be a Complete Rewrite
• Equifax is only half the problem, your SSN needs a redesign!
• Orfei Steps Down

Tagged with: encryption, payment processing, Visa