In many data security discussions in the past year, end-to-end encryption has been on the top of the list of emerging technologies that businesses are considering to enhance their own data security.
End-to-end encryption, or data field encryption, is generating a lot of interest because it protects card data from the swipe to the acquirer processor – all without merchants having to process or transmit data in the clear. In practical terms, that means that even if a hacker succeeded in penetrating a merchant’s payment system environment, either for face-to-face or online transactions, cardholder data would be rendered unreadable to the thief.
Given that half of all known cardholder data compromises in 2008 targeted hotels and restaurants, it is not surprising that the hospitality industry is taking a close look at technology that can render cardholder data useless to criminals.
Data field encryption can represent an effective security layer by eliminating any clear text cardholder data either in storage or in transit, but there are important issues to consider when determining if data field encryption is the right choice for each business. Any data field encryption solution must be implemented properly to be effective. With industry standards for data field encryption still in the development phase, that goal can be particularly challenging.
In an effort to enhance overall data security in the payment industry and to further the development of data field encryption, Visa recently developed and published information, found at www.visa.com/cisp, on best practices for data field encryption. As businesses consider potential data field encryption solutions in the market today, these best practices provide some guidance on what key elements are important to evaluate.
It’s important to note that sensitive authentication data, such as full contents of the magnetic stripe, CVV2 and PIN data, must never be used for any purpose other than payment authorization and may not be stored after authorization, even if encrypted.
While encryption can be a valuable security layer, no single technology can completely address all security concerns – there is no silver bullet. Each business in the hospitality industry must evaluate for itself whether deploying data field encryption is a cost-effective complement to their Payment Card Industry Data Security Standard (PCI DSS) compliance program, which remains the best protection against a payment card data compromise.
Jennifer Fischer, CISSP, has been with Visa Inc. since 2001 and currently leads the U.S. Payment System Risk Group. In this role, she has direct line responsibility for executing Visa acquirer and issuer risk programs and data security initiatives geared toward reducing risk throughout the payment system.
©2010 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.