One of the most talked-about vulnerabilities in the processing of card payments is the fact that much of the data involved is stored in encrypted form, but transmitted from point to point “in the clear,” or in readable form. Despite some highly publicized data breaches involving interception of data in transit, encryption of flowing card information is still the exception, rather than the rule.
That may be about to change, with the entry of Visa Inc. into the encryption game. Visa announced on Tuesday that it will offer a point-to-point encryption system to merchants, acquirers and processors, beginning next year.
Visa says its offering, which will compete with solutions offered by a number of other vendors, will have minimal impact on payment processing systems. According to Visa, it will offer a “format preserving” option, which enables merchants to integrate point-to-point encryption with their current systems by using a 16-digit encrypted value, and it will use a consistent, open encryption standard, relying on the same Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are used to encrypt PINs today. Visa’s solution also allows for encryption and decryption in multiple zones, providing merchants and acquirers flexibility in how to deploy encryption within their unique environments.
The system also will be validated against PCI DSS standards before its release.