This is page 2 of:
Visa’s Retail Token Advice Of Token Value
Peabody’s overall take on the Visa report is that while the document was not especially informative, it was at least a start, albeit a very tentative and vague start.
“The only thing that is significant is that this is the first step by the issuing team to weigh in on encryption at all,” Peabody said. “That team has been utterly silent throughout.”
Avivah Litan, one of Gartner’s top security analysts, said she found the document’s significance to be “in what it doesn’t say. It doesn’t say anything [specific] about encryption. It does say ‘use industry standards.’ That’s what’s so significant: It doesn’t say anything.”
The emphasis on supporting industry standards could be read as a criticism of some of the proprietary approaches. But that is a hard argument to make, given that every vendor approach has to add its own value on top of the standards, which by definition means some proprietary elements will be involved.
“The Verifone approach is proprietary and Voltage is not a standard yet, so that is significant,” Litan said, adding that none of the vendor approaches has been “blessed by any standards body yet. [Visa] is not giving its blessing. It’s ‘use at your own risk.’”
One footnote in the report, although not providing any new information, did detail a concrete Visa guideline that is not especially well known: “Two key TDES (112-bits) should not process more than 1 million transactions. In cases where the number of transactions potentially processed through the system using a single 112-bits TDES key greatly exceeds 1 million, three key TDES (168-bits) or AES should be used. Note that key management schemes that greatly limit the number of transactions processed by a single key, such as Derived Unique Key Per Transaction (DUKPT) can be used to ensure that any individual key is used only a limited number of times.”
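The footnote's underlying point is that key usage has to be bounded: a two-key TDES key's margin against known-plaintext meet-in-the-middle attacks shrinks as more data is encrypted under it, so a deployment either caps how many transactions one key sees or arranges for every transaction to use a different key. The Python below is an added example, not code from the Visa document or from any vendor it names. It puts a static-key terminal that enforces a per-key transaction cap next to a simplified DUKPT-style terminal that derives a fresh key per transaction from a device base key and a counter-bearing key serial number (KSN), and a host-side routine that re-derives the same key from the KSN. The HMAC-SHA256 derivation, the class and function names, and the 21-bit counter size are this example's assumptions; real DUKPT (ANSI X9.24) uses a different, TDES-based derivation.

```python
import hmac
import hashlib

# Visa footnote quoted above: a single two-key TDES (112-bit) key should not
# process more than 1 million transactions.
TWO_KEY_TDES_TXN_LIMIT = 1_000_000


class StaticKeyTerminal:
    """Terminal that encrypts every transaction under one long-lived key.

    The usage counter is the control the footnote implies: once the cap is
    reached the key must be retired and replaced (or the scheme moved to
    three-key TDES/AES or to per-transaction keys).
    """

    def __init__(self, key: bytes, limit: int = TWO_KEY_TDES_TXN_LIMIT):
        self.key = key
        self.limit = limit
        self.uses = 0

    def remaining(self) -> int:
        return self.limit - self.uses

    def transaction_key(self) -> bytes:
        if self.uses >= self.limit:
            raise RuntimeError(
                f"key already used for {self.uses} transactions; rotate it")
        self.uses += 1
        return self.key


def derive_transaction_key(base_key: bytes, ksn: bytes) -> bytes:
    """KDF shared by terminal and host (assumed for this example, not X9.24):
    key = HMAC-SHA256(base_key, ksn) truncated to 16 bytes."""
    return hmac.new(base_key, ksn, hashlib.sha256).digest()[:16]


class DukptLikeTerminal:
    """Simplified stand-in for DUKPT: a device-unique base key plus a
    monotonically increasing counter yields a fresh key per transaction, so no
    individual key is ever used twice.  The KSN (device id + counter) is sent
    in the clear with the ciphertext; the base key never leaves the device.
    """

    COUNTER_MAX = (1 << 21) - 1  # assumed: DUKPT carries a 21-bit counter in the KSN

    def __init__(self, base_key: bytes, device_id: bytes):
        self.base_key = base_key
        self.device_id = device_id
        self.counter = 0

    def next_transaction(self) -> tuple:
        """Return (ksn, key) for the next transaction."""
        if self.counter >= self.COUNTER_MAX:
            raise RuntimeError("counter exhausted; device must be re-keyed")
        self.counter += 1
        ksn = self.device_id + self.counter.to_bytes(3, "big")
        return ksn, derive_transaction_key(self.base_key, ksn)


def max_uses_per_key(keys) -> int:
    """Transactions handled by the busiest single key: the quantity the
    footnote's 1 million cap is about."""
    counts = {}
    for k in keys:
        counts[k] = counts.get(k, 0) + 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    # Constructed demo values; real keys come from a key-injection facility.
    static = StaticKeyTerminal(b"\x11" * 16, limit=5)
    static_keys = [static.transaction_key() for _ in range(5)]
    print("static key uses:", max_uses_per_key(static_keys))
    try:
        static.transaction_key()
    except RuntimeError as exc:
        print("6th transaction refused:", exc)

    term = DukptLikeTerminal(b"\x22" * 16, b"\xff\xff\x98\x76\x54\x32\x10")
    txns = [term.next_transaction() for _ in range(5)]
    print("max uses of any per-transaction key:",
          max_uses_per_key(k for _, k in txns))
    ksn, key = txns[-1]
    print("host re-derives the same key:",
          derive_transaction_key(b"\x22" * 16, ksn) == key)
```

The static terminal still has to be re-keyed when the cap is hit, which in practice means a truck roll or remote key injection; the per-transaction scheme sidesteps that entirely, which is why the footnote singles out DUKPT as a way to satisfy the limit without changing cipher.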
October 8th, 2009 at 12:34 pm
The best practices for data field encryption announced by Visa work toward developing a standard approach while offering guidance to payment solution providers. As Schuman points out, the document rehashed conventional wisdom and long-standing Visa and PCI best practices. However, there is definite value in the fact that Visa is actually weighing in and looking to provide some guidance. The five key implementation objectives outlined in the document provide some validation to tokenization approaches that are currently in production. Likewise, their stance that no single technology can completely solve for fraud has merit. Existing solutions that use both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction support their stance.
October 11th, 2009 at 5:11 am
Does VISA realize that lawsuits are coming and psychologists don’t get sued? I believe both of the following almost contradictory statements:
1. Customer submitted credit cards are radioactive and they need to be immediately encrypted as they are swiped.
2. Data centers that store data-at-rest can be designed to automatically identify and block breach attempts. Database encryption and the associated key management headaches are unnecessary.
Michael Cherry, Cherry Biometrics Inc.
Vice Chair, Digital Technology Committee
National Association of Criminal Defense Lawyers