End-to-end encryption would encrypt debit and credit card data through the retailers part of the payments process from the terminal where the customer swipes the card through to when it arrives at the merchant's card processor to move further along the payment chain.
The card brand said the new standards will do the following:
Limit clear text availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
Use robust key management solutions consistent with international and/or regional standards.
Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
Protect devices used to perform cryptographic operations against physical/logical compromises.
Use an alternate account or transaction identifier for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security at Visa Inc. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight." he added.
"Given the interest expressed by merchants and processors, guidance from the card brands is a critical determinant in figuring out how to move ahead with encrypting data in transit, especially absent a global standard," said Avivah Litan, vice president at Gartner Inc. "Companies should also be aware that if data is decrypted anywhere in their system, they are still at risk for a data breach."
Data security experts were generally pleased but cool to the announcement. Steve Ruwe, chief risk officer for PSCU Financial Services, a payment processing CUSO for more than 500 credit unions, expressed for the record similar sentiments to other data security executives.
"Overall, I think is a very positive move," Ruwe said, "but there are limits to what it can do. There has been encryption in PCI for years, but a lot of merchants are still resisting PCI. Will the same folks who resisted PCI now be eager to adopt a best practice?"
But Jennifer Fischer, senior business leader in Visa's risk area, said that many retailers are looking for the sort of long-term solution to the card risk issues that they can start to implement.
"The best practices are going to be most useful to retailers who have the means and desire to protect data moving across their own proprietary networks," Fischer said, pointing out that was an area not covered by the industry's card security standards.
Heartland Suits Rolled Into One
The lawsuits brought by financial institutions, at least five of them credit unions, seeking to recover losses incurred because of the Heartland Data Systems card security breach have been rolled into one suit.
Heartland suffered what has been estimated to be the largest card security data breach in U.S. history in 2008. News of the breach became public in January 2009.
Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas will hear the case, which consolidates similar cases from around the country.
In their amended complaint, the plaintiff financial institutions alleged that Heartland misrepresented the degree of its card security.
"Leading up to the data breach, Heartland publicly touted its 'multiple layers of security to isolate our databases from unauthorized access,' represented that it placed 'significant emphasis on maintaining a high level of security in order to protect the information of our merchants and their customers,'" the institutions alleged in their complaint. "[Heartland] touted its 'state-of-the-art' security measures and facilities and claimed to 'limit sharing of nonpublic personal information to that necessary to complete the transactions on behalf of the consumer and the merchant and [to the extent permitted by law].'"
All the while, Heartland's systems were compromised and any merchants who signed on because of these assurances wound up handing their customers' card data to thieves, the plaintiffs argued. The credit union plaintiffs in the consolidated suit are Matadors Community Credit Union, in Chatsworth, Calif.; Elevations Credit Union, Boulder, Colo.; PBC Credit Union, West Palm Beach, Fla.; O Bee Credit Union, Tumwater, Wash.; Seabord Federal Credit Union, Bucksport, Maine; and Pennsylvania State Employees Credit Union, Harrisburg.