Visa Releases Global Data Encryption Best Practices
* Reuters is not responsible for the content in this press release.
Paves way for industry standards; Implementation enhances card data security
SAN FRANCISCO, Oct. 5 /PRNewswire-FirstCall/ -- Visa Inc. (NYSE: V) today
announced global industry best practices for data field encryption, also known
as end-to-end encryption. The best practices are designed to further the
payment industry's efforts to develop a common, open standard while providing
guidance to encryption vendors and early adopters. Data field encryption
protects card information from the swipe to the acquirer processor with no
need for the merchant to process or transmit card data in the "clear."
"While no single technology will completely solve for fraud, data field
encryption can be an effective security layer to render cardholder data
useless to criminals in the event of a merchant data breach," said Eduardo
Perez, global head of data security, Visa Inc. "Using encryption as one
component of a comprehensive data security program can enhance a merchant's
security by eliminating any clear text data either in storage or in flight,"
he added.
In addition to issuing encryption best practices, Visa has led efforts to
develop a much-needed industry data field encryption standard as chair of the
ANSI X9F6 standards working group. Establishing industry-wide standards is
essential for ensuring that emerging encryption solutions are open, consistent
and enable merchant choice. X9 is the ANSI-accredited committee for financial
services that is focused on "standardization for facilitating banking
operations." Membership includes financial institutions, vendors, insurance
companies, associations, retailers and regulators.
"Given the interest expressed by merchants and processors, guidance from the
card brands is a critical determinant in figuring out how to move ahead with
encrypting data in transit, especially absent a global standard," said Avivah
Litan, Vice President and Distinguished Analyst, Gartner Inc. "Companies
should also be aware that if data is decrypted anywhere in their system, they
are still at risk for a data breach."
Visa's best practices are designed to help organizations:
-- Limit cleartext availability of cardholder data and sensitive
   authentication data to the point of encryption and the point of
   decryption.
-- Use robust key management solutions consistent with international
   and/or regional standards.
-- Use key-lengths and cryptographic algorithms consistent with
   international and/or regional standards.
-- Protect devices used to perform cryptographic operations against
   physical/logical compromises.
-- Use an alternate account or transaction identifier for business
   processes that require the primary account number to be utilized
   after authorization, such as processing of recurring payments,
   customer loyalty programs or fraud management.
It's important to note that sensitive authentication data, such as the full
contents of the magnetic stripe, CVV2 and PIN/PIN block, should not be used
for any purpose other than payment authorization and may not be stored after
authorization, even if encrypted.
While data field encryption applies after the card is swiped and throughout
the merchant's environment, encryption solutions between acquirer processors
and Visa would further reduce the value of card data to criminals. Visa
accepts encrypted transaction data from acquirers, third-party processors and
merchants directly connected to VisaNet. Visa has offered an authorization and
settlement encryption solution since early 2008, and the service is available
to direct connect clients.
"Investing in data field encryption is valuable, but should be understood as a
complement rather than a replacement for PCI DSS compliance, which remains the
best protection against a data compromise," Perez concluded.
About Visa Inc.: Visa Inc. operates the world's largest retail electronic
payments network providing processing services and payment product platforms.
This includes consumer credit, debit, prepaid and commercial payments, which
are offered under the Visa, Visa Electron, Interlink and PLUS brands. Visa
enjoys unsurpassed acceptance around the world, and Visa/PLUS is one of the
world's largest global ATM networks, offering cash access in local currency in
more than 200 countries and territories. For more information, visit
www.corporate.visa.com.
Link to Visa Best Practices, Data Field Encryption Version 1.0:
http://corporate.visa.com/_media/best-practices.pdf
SOURCE Visa Inc.
Sandra Chu of Visa Inc., +1-415-932-2564, globalmedia@visa.com; or Jay
Hopkins, CRC Public Relations, for Visa Inc., +1-703.683.5004 ext. 107,
jhopkins@crcpublicrelations.com