Encryption: The New Buzzword in Data Security


March 01, 2010
Credit Card | Security
Jennifer Fischer, CISSP

In many data security discussions in the past year, end-to-end encryption has been on the top of the list of emerging technologies that businesses are considering to enhance their own data security.

End-to-end encryption, or data field encryption, is generating a lot of interest because it protects card data from the swipe to the acquirer processor – all without merchants having to process or transmit data in the clear. In practical terms, that means that even if a hacker succeeded in penetrating a merchant’s payment system environment, either for face-to-face or online transactions, cardholder data would be rendered unreadable to the thief.

Given that half of all known cardholder data compromises in 2008 targeted hotels and restaurants, it is not surprising that the hospitality industry is taking a close look at technology that can render cardholder data useless to criminals.

Data field encryption can represent an effective security layer by eliminating any clear text cardholder data either in storage or in transit, but there are important issues to consider when determining if data field encryption is the right choice for each business. Any data field encryption solution must be implemented properly to be effective. With industry standards for data field encryption still in the development phase, that goal can be particularly challenging.

In an effort to enhance overall data security in the payment industry and to further the development of data field encryption, Visa recently developed and published information, found at www.visa.com/cisp, on best practices for data field encryption. As businesses consider potential data field encryption solutions in the market today, these best practices provide some guidance on what key elements are important to evaluate.

It’s important to note that sensitive authentication data, such as full contents of the magnetic stripe, CVV2 and PIN data, must never be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.

While encryption can be a valuable security layer, no single technology can completely address all security concerns – there is no silver bullet. Each business in the hospitality industry must evaluate for itself whether deploying data field encryption is a cost-effective complement to its Payment Card Industry Data Security Standard (PCI DSS) compliance program, which remains the best protection against a payment card data compromise.

Jennifer Fischer, CISSP, has been with Visa Inc. since 2001 and currently leads the U.S. Payment System Risk Group. In this role, she has direct line responsibility for executing Visa acquirer and issuer risk programs and data security initiatives geared toward reducing risk throughout the payment system.

©2010 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.



Best Practices for Data Field Encryption

  1. Limit clear text availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
  2. Use robust key management solutions consistent with international and/or regional standards.
  3. Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
  4. Protect devices used to perform cryptographic operations against physical/logical compromises.
  5. Use an alternate account or transaction identifier for processes that require the primary account number to be used after authorization, such as processing recurring payments, loyalty programs or fraud management.
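Added example (not from the article or from Visa's published best practices): a small Python model of the post-authorization rule stated earlier, that sensitive authentication data may never be retained after authorization, combined with practice 5, replacing the PAN with a keyed surrogate identifier for recurring payments or loyalty lookups. It assumes the swipe-to-acquirer field encryption is handled by the terminal and out of scope here; the field names, the tokenization key and the sample request (a well-known test PAN) are constructed for the illustration.

```python
import hmac
import hashlib
import secrets

# Field names assumed for this example; they model the sensitive authentication
# data (SAD) named in the article: magnetic stripe contents, CVV2 and PIN data.
# SAD may travel in the authorization request but must never be stored afterwards.
SAD_FIELDS = ("track2", "cvv2", "pin_block")

# Hypothetical tokenization key, generated per run. In a real deployment it would
# live only in the token service, separate from any decryption key (practice 2).
TOKEN_KEY = secrets.token_bytes(32)


def surrogate_id(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Derive a surrogate identifier for a PAN with HMAC-SHA256.
    Deterministic, so the same card maps to the same identifier across visits
    (recurring payments, loyalty); keyed, so an attacker holding the tokens
    cannot recover PANs by hashing every candidate number."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:32]


def post_authorization_record(auth_request: dict) -> dict:
    """Build the only record the merchant system keeps after authorization:
    SAD dropped entirely, PAN replaced by its surrogate plus a display-only mask."""
    pan = auth_request["pan"]
    return {
        "token": surrogate_id(pan),
        "pan_masked": "*" * (len(pan) - 4) + pan[-4:],
        "amount": auth_request["amount"],
        "auth_code": auth_request["auth_code"],
    }


def check_storage_policy(record: dict) -> list:
    """Return the names of fields that must not be present in a stored record:
    any SAD field, and the clear-text PAN itself."""
    violations = [f for f in SAD_FIELDS if f in record]
    if "pan" in record:
        violations.append("pan")
    return violations


# Constructed authorization request; 4111111111111111 is a standard test PAN.
SAMPLE_AUTH = {"pan": "4111111111111111", "track2": "<constructed track data>",
               "cvv2": "123", "amount": "42.00", "auth_code": "A1B2C3"}

if __name__ == "__main__":
    print("raw request violations:", check_storage_policy(SAMPLE_AUTH))
    stored = post_authorization_record(SAMPLE_AUTH)
    print("stored record:", stored, "violations:", check_storage_policy(stored))
```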
