Digital Transactions Authoritative, insightful and timely information for payments professionals
Point-to-point encryption of card data has been a hot sell for merchant processors and vendors of security technology ever since the Payment Card Industry data-security standard (PCI) took effect in 2006 and especially after a spate of high-profile data breaches at merchants and processors not long afterward. Visa Inc., the world’s largest payment card network, had offered best practices and advice to merchants about data protection, but not an actual P2P encryption service that masks cardholder data between when a card is swiped at a point-of-sale terminal and when it is decoded by the issuer. That changed Tuesday when Visa introduced a service dubbed Visa Merchant Data Secure with Point-to-Point Encryption.
The service is just the latest component in Visa’s long-term plan to enhance the security of card data while it nudges the U.S. toward the so-called EMV chip card and away from the fraud-prone magnetic stripe. Visa insists that its new service will not directly compete with existing P2P encryption offerings from First Data Corp., Heartland Payment Systems Inc., Trustwave Holdings Inc., and other acquirers, processors, and vendors. “We view this as another complementary service that we’re providing to the marketplace,” Eduardo Perez, head of Americas risk at Visa, tells Digital Transactions News.
Some acquirers and merchants may choose Visa to fill all of their encryption needs, while others, depending on their specific industries and requirements, might use Visa for just part of the job, Perez notes. “Some entities will want a single solution, others will want options,” he says.
In fact, Visa is recruiting processors and others to distribute its encryption service, which the network expects to be available in early 2013. Pricing has not yet been decided.
The service is software-based and will leverage the process Visa already uses to encrypt personal identification numbers so they’re not being transmitted in the clear and vulnerable to being seen by hackers. When the card is swiped, the service would also encrypt the primary account number (PAN), the three-digit security code (Card Verification Value or CVV2) printed on the back of the card, and the expiration date. Card data can be unscrambled with decryption keys held by the acquirer, gateway, or Visa.
P2P encryption can make a merchant’s task in meeting the PCI standards less onerous. Visa said its offering will cause little disruption to existing processing systems and uses the Triple Data Encryption Standard (TDES or 3DES) and Derived Unique Key per Transaction (DUKPT) technology already in wide use to encrypt PINs. Most merchants would not have to invest in new hardware to use Visa Merchant Data Secure or even have a PIN pad, as long as the software running their POS terminals is upgradeable and they have a tamper-resistant terminal as required by the PCI standards, according to Visa. The service could be added during routine upgrades or key injections, Perez says.
Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. who researches security technology, calls Visa’s new service “very welcome news for most of the industry,” the exceptions being merchant processors such as Heartland and First Data that already have invested in their own encryption technology. “Because Visa is Visa, they will set the standard in this area, in my opinion,” she tells Digital Transactions News by e-mail. “It’s also a good thing that Visa sees the value here and is joining the fray by putting their money where their mouth is, i.e. by offering the application instead of just offering best practices and guides on how to use it.”
Spokespersons for Heartland and First Data did not respond to Digital Transactions News’ requests for comment by late Tuesday afternoon. A spokesperson for San Jose, Calif.-based point-of-sale terminal maker VeriFone, which offers encryption services under the VeriShield Protect brand, says the company can’t comment about the specifics of Visa’s new product. The spokesperson, however, says by e-mail that, “We welcome this news as it shows Visa has endorsed point-to-point encryption, based on secure tamper-resistant security modules, as a necessary component for payment systems going forward.”
The spokesperson says seven of the top 10 U.S. merchant acquirers sell VeriFone encryption services, “with more to be announced soon.” More than 80 large retailers use VeriShield Protect and more are being added weekly, he says.
Perez says Merchant Data Secure with Point-to-Point Encryption is just one component of Visa’s authentication strategy for improving U.S. card security. That plan includes migration away from the mag-stripe and toward the EMV chip card as well as an emphasis on “dynamic authentication” that relies on one-time transaction identifiers rather than static technology such as the PIN. Many merchants and acquirers, however, while agreeing about the need for better data protection, say the PIN should be part of any U.S. EMV plan.
