Visa's New Data Protection SolutionCard Brand Tackles Fraud at the Merchant Level
An end-to-end encryption service coming out from Visa in early 2013 aims to improve payment card and data security at the merchant level.
Eduardo Perez, who works in Visa's Risk Group, says Visa's Merchant Data Secure with Point-to-Point Encryption is part of the card brand's broader authentication strategy and includes three key improvements:
- Eliminating account data at the merchant level;
- Protecting sensitive information that must be stored, processed or transmitted;
- Devaluing account information through dynamic authentication.
"[Merchant Data Secure] can help merchants protect [data] in a manner that's going to be consistent with the PCI-DSS security requirements," Perez says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
The solution also is expected to reduce the merchants' scope of Payment Card Industry Data Security Standard compliance, and significantly reduce the footprint of card data that merchants may have in their systems, Perez says. Ultimately, that will reduce merchants' risk of potential compromise.
During this interview, Perez discusses:
- Visa's focus on devaluing stolen account information;
- Why point-to-point encryption and the Europay, MasterCard, Visa standard go hand-in-hand; and
- Why Visa's solution goes beyond mere PIN encryption to secure card data once deemed non-sensitive.
Perez joined Visa in 2002 and today has direct-line responsibility for key areas including global authentication, payment system security policy and procedures, third-party agent risk, cybersecurity investigations and breach response and incident analysis. Perez and his team have developed and executed strategies to eliminate, protect and devalue payment card data throughout the payment system. Before Visa, he worked with the Federal Reserve Bank of San Francisco's Division of Banking Supervision and Regulation, where he held various positions.
TRACY KITTEN: The end-to-end encryption announcement made by Visa at the end of August is just one in the line of card security initiatives the card network has announced in recent years, dynamic authentication and a shift to EMV chip payments or other movements Visa has announced to card security. How does this new end-to-end encryption service compliment what Visa is currently offering or what Visa expects to offer in the near future?
EDUARDO PEREZ: This is our point-to-point encryption service, or as we're calling it Visa Merchant Data Secure. It's really part of Visa's broader authentication strategy, which is aimed at improving payment industry security by focusing on three key areas. The first one is to eliminate account data whenever possible. The second area is to protect sensitive information wherever it may be stored, processed or transmitted. And the third is to focus on devaluing stolen account information by deploying dynamic authentication solutions such as EMV chip technology.
We view this offering of point-to-point encryption, our Visa Merchant Data Secure product service, to help merchants to further eliminate the data, to more strongly protect that data that they may store, process or transmit, and ultimately to devalue the data because it's going to be dynamic and even if the hacker obtains the information they're not going to be able to use that data to commit fraud. We really view that this new offering is going to help merchants and acquirers really promote each of those three key pillars of authentication strategy.
KITTEN: Is this service recommended for all merchants, acquirers and processors, and is Visa mandating its use or adoption?
PEREZ: This service is something that we're recommending generally. We've recommended the adoption of encryption and tokenization across the merchant, acquirer and processors environment throughout the payments industry. However, we do not mandate it or require it at this point. Obviously, one of the tenets of the PCI Data Security Standard is to obscure, eliminate or encrypt data if an entity is storing that data, so we believe that ultimately this service can help either merchants eliminate data or protect it in a manner that's going to be consistent with the PCI-DSS security requirements and help them to reduce their scope of compliance and significantly reduce the footprint of card data that they may have in their systems, and ultimately reduce the risk of a potential compromise.
KITTEN: How exactly does this service work and will the specifications provided by Visa vary from merchant to merchant and acquirer to acquirer?
PEREZ: The service that we announced works very similarly to how the industry encrypts and decrypts PINs today that are used in the marketplace already by merchants, acquirers and processors. At the end of the day, you could think about it in its most simplest form that there will be a unique key that's loaded onto the terminal that encrypts the data when the data's read through the mag-stripe or through a chip transaction as well. The data elements that would be encrypted in our service would include not only the PIN, as it would always be encrypted, but it would also include the primary account number, the expiration date and the cardholder verification value on a mag-stripe transaction, and what we call the cardholder verification value on a chip transaction.
All of those data elements would be actually encrypted similarly to how the PIN is encrypted today. For those merchants that accept PIN transactions today, there would be very little changes to their environment to adopt this service. It would be essentially a software upgrade that would instruct the terminal to essentially encrypt those other data elements the same way that the PIN is encrypted. Then the entity that would maintain the other key to decrypt the data - either the processor of Visa in this case - exactly how we process and encrypt PINs today would be the entity that could decrypt them and then send them on to Visa and us onto the issuer so they could validate that the data actually matched and wasn't an unauthenticated transaction that they should then consider to authorize.
KITTEN: Visa claims this service enhances the protection of payment card data because the data, as you brightly pointed out, is protected even if the network or the system is hacked or penetrated. But there are a number of other end-to-end or point-to-point encryption solutions and services that are already on the market. What makes what Visa is offering different?
PEREZ: Our service is going to be similar to other services out there that are taking similar data elements and encrypting them and decrypting them from the terminal back to a host, somebody at the processor, within the merchant or at Visa ultimately. What makes our solution different is that we have really focused on ensuring that our solution is both flexible and efficient for merchants and processors to adopt. Since it's a consistent open encryption standard that we're following, our solution relies on the same triple-dozen encryption standards and DUKPT [derived unique key per transaction] key management standards that are used for PIN today - as I mentioned earlier - and this provides a consistent framework for managing keys and minimizing the impact of merchant system updates. Again, our solution can be implemented in a point-to-point matter and in a multi-zone encryption environment where the decryption point may be within the merchant's environment or at their processor.
We expect that our solution is going to be compelling to a number of merchants and processors that want a consistent solution across their merchant environment or across the processors that the merchant may be using. It's going to be a consistent, flexible and efficient way for them to encrypt other data elements.
KITTEN: Visa says it created this new service based on industry demand. What types of concerns, vulnerabilities or worries have merchants and acquirers expressed to Visa?
PEREZ: We've had a tremendous amount of increased adoption with the PCI Data Security Standard as we've discussed in the past. And while merchants have certainly embraced the PCI Data Security Standard as an effective way to ensure that they're protecting sensitive card holder data, they have also looked for ways to adopt technologies that help them to both better protect that data in a more efficient, flexible and effective manner, and so encryption is certainly one of the solutions that a number of merchants have looked to in order to further eliminate data in their environment, to better protect any data that they may be storing and to ultimately devalue it in the event that they're compromised so that the hacker is only able to obtain devalued data that they won't be able to reuse for fraud or to commit fraud. And yes, we've heard a notable amount of demand for encryption services.
Actually, we put out our own Visa encryption and tokenization best practices going back to the fall of 2010, and since that point we've really seen a ramp-up in merchant and processor adoption of encryption and tokenization solutions. We view that our solution's going to be another alternative that merchants and processors can consider and that it will look to continue to adopt encryption solutions to better minimize the data that's in their environment, to reduce the footprint of data and to further help them comply with the PCI DSS standard.
KITTEN: Some of the highlights that Visa has noted about this new end-to-end encryption offer is that the impact on existing processing systems will be minimal. And you've touched a little bit on this and that is merchants and acquirers can decide how they want to deploy the encryption within unique environments. Can you elaborate on how this deployment works and how merchants and acquirers have choices as far as the deployment is concerned?
PEREZ: In terms of how the deployment is going to occur, we're still working through the technical elements of our solution and we're going to be reaching out to key processors and merchants over the course of the next several months as we continue to refine this service offering, but ultimately we expect that our service is going to have a minimal impact to payment processing systems, both for acquirers and merchants and thus merchants and acquirers are going to be able to adopt our solution with ease because of the minimal impact to their existing systems.
To make the transition as easy as possible, we'll be offering, in addition to our encryption service, a format preserving option for merchants that need to retain that data and have systems that will continue to rely on a 16-digit number that they need to populate, and so we're going to enable merchants to integrate point-to-point encryption using a 16-digit encrypted value within their current systems that will be format-preserving; but it won't actually be the same account. It will be where the six middle digits are ultimately either left out or they're going to be switched with alternate numbers and essentially it would be encrypted for those six digits in the middle of the transaction just to get very specific.
Ultimately, we view that our offering is going based on a consistent open standard. It follows the guidelines the PCI Security Standards Council has put out in terms of the solutions and the requirements that they should meet and that merchants should consider as they choose their encryption solutions. We plan to have our solution validated by a qualified assessor before it's launched in the spring of 2013. We believe that this solution is going to be flexible, efficient and it will be a validated solution by an independent third party when we bring it to market and merchants and processors can have confidence that the solution that we're going to provide is secure.
KITTEN: Before we close, can you tell our audience how they can get more information about this service as well as any additional points that you would like to highlight?
PEREZ: I would encourage them to send any questions or comments to Visa directly at P2PE@Visa.com for more information.
We view our point-to-point encryption and encryption solutions in general as being complimentary EMV chip technology that we're also currently promoting for the U.S. marketplace and other markets within Visa Inc., and emphasize that encryption is another offering that we believe meets the three key pillars of our authentication strategy which aims to improve payment industry security by eliminating account data wherever possible, protecting sensitive information wherever it may be stored, processed or transmitted, and that over the long run we focus on devaluing stolen account information through the use of dynamic authentication solutions like EMV chip technology. Certainly this service that we're bringing to market meets all of those pillars of our authentication strategy and so we believe that it will further help merchants, acquirers and processors to both better protect data and to minimize the impact in the event of a compromise.