Visa announced a new service, Visa Merchant Data Secure with Point-to-Point Encryption, to help acquirers and their merchants protect payment card data.
Visa will make the service available to acquirers and their merchants by early 2013. Visa is currently working with acquirers, processors and payment technology vendors to provide specifications for integrating Visa’s solution into payment terminals as well as into all critical systems across the payment processing industry.
Point-to-point encryption (P2PE) technology helps merchants and acquirers protect payment card data within their systems by encrypting sensitive cardholder information. Because the card data can only be accessed, or unscrambled, with decryption keys held securely by the acquirer, gateway or Visa, cardholder information is protected within the payment processing environment.
“Merchants large and small have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols,” said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. “Since encrypted data can’t be used to commit fraud, Visa’s point-to-point encryption solution can significantly reduce the risk and impact of data compromises.”
This solution is part of Visa’s broader authentication strategy which aims to improve payment industry security by eliminating account data from the payment environment whenever possible, protecting sensitive information wherever it is stored, processed or transmitted, and devaluing stolen account information through dynamic authentication solutions such as EMV chip technology.
P2PE technology is complementary to EMV chip technology, by providing an added layer of protection against the threat of data breaches, especially as the industry works to reach critical mass in the adoption of chip terminals and chip cards to benefit from EMV’s defense against counterfeit fraud.
Visa Merchant Data Secure with Point-to-Point Encryption addresses several key merchant and acquirer concerns about encryption:
Minimal impact to payment processing systems. Merchants and acquirers can adopt point-to-point encryption with ease because of the minimal impact to existing payment systems. To make the transition as easy as possible, Visa will also offer a “format preserving” option, enabling merchants to integrate point-to-point encryption using a 16-digit encrypted value with their current systems.
Consistent, open encryption standard. Visa’s encryption solution relies on the same Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are used to encrypt PINs today. This provides a consistent framework for managing keys and minimizes the impact of merchant system updates.
Multi-zone encryption. Visa’s solution allows for encryption and decryption in multiple zones, providing merchants and acquirers flexibility in how to deploy encryption within their unique environments. Multi-zone encryption can facilitate routing to multiple endpoints, if the merchant is using multiple processors, consistent with how PIN encryption is managed today.