Merchant Account Guide > Merchant Account News > Visa releases data encryption best practices
Visa releases data encryption best practices
By Pam Gaulin
Not securing credit card information while it's in transit and storing consumer credit card information equal risky business. Visa has published a list of best practice recommendations in an effort to simplify and standardize merchant requirements and compliance mandates set forth by the Payment Card Industry (or PCI) Security Standards Council. According to a PricewaterhouseCoopers Report, end-to-end encryption technology, also known as data field encryption according to Visa, holds the key to more secure transactions.
PCI DSS compliance
Visa published its best practice recommendations as a complement to the PCI Data Security Standard (PCI DSS) requirements, and these are not meant to replace those requirements, according to Visa. PCI standards cover three main components of credit card processing, which merchants need to follow. These are:
- Secure collection and storage of data - At the swipe point, merchants need to identify and collect cardholder data in a secure manner. Merchants need to fix any security vulnerabilities in their systems. Storage of credit card data is also covered by PCI standards. Merchants may only store the primary account number (PAN), the credit card expiration date, the name on the account and the service code, according to the PCI. The PCI advises that if you don't need the data, don't store it. Merchants are not allowed to store any data that makes up the sensitive authentication data, including magnetic stripe data and credit card validation code, once the transaction has been processed. Storing this information makes the data vulnerable.
- Reporting - PCI standards mandate that merchants need to submit compliance reports to banks and to the credit card brands where their merchant accounts are held, including American Express, Discover, MasterCard and Visa.
- Monitoring - PCI standards compliance is not a one-time task. Compliance is an on-going process for merchants.
- Firewalls - In Visa's best-practices report, it is recommended to secure data from end to end, from the point of encryption, on the merchant end, to the point of decryption. Practical approaches include building and maintaining a firewall as part of a secure network.
- Using transaction identifiers- Another security goal recommended by Visa's report is to use a transaction identifier to encrypt transmission of the cardholder data while in transit. Credit card data is the most vulnerable to being breached while it's in transit, and by encrypting it, any data intercepted would not be usable.
- Accounting for the human element - Troy Leach, chief technology officer of the PCI Council, recognizes that people are also involved in the process, and technology is only part of the solution. In any environment where a person will be handling the credit card, including at merchant point-of-sale (POS) terminals, further security measures need to be in place.
The PCI recommends that merchants implement an information and security policy that covers a clear policy for employees. Companies with merchant accounts should only allow employee access to credit card data on a need-to-know basis, and they should assign each employee a unique ID to better track and control transactions and data access.
Compliance is required, and the credit card companies are within their rights to levy hefty fines against merchants and banks that are not complying with PCI DSS. In addition to fines, merchants who do not comply put themselves at risk of having their merchant relationship with a credit company severed. Losing the ability to process credit card transaction is a costly price to pay, considering "credit cards are responsible for more than $2.5 trillion in transactions."
The PCI DSS categorizes the types of merchants that must comply, based in part on the number of monthly transactions.
Each credit card company also has its own program for compliance, which may be checked here:
Article by Pam Gaulin
Published: December 10, 2009
Comments or Questions, Library of Stories