Visa Probes Tokens, Encryption for PCI Card Data Protection
Experts agree that tokens combined with end-to-end encryption at POS systems would increase security, but at what cost to retailers?

Posted: Oct 8, 2009

NEEDHAM, MA – Visa Inc. released a document earlier this week outlining best practices for end-to-end encryption that includes the use of tokens, SearchSecurity.com reports.

Visa said that the document is aimed at helping vendors develop a common standard while providing a safe option for data protection deployment.

“While no single technology will completely solve fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach,” said Eduardo Perez, global head of data security at Visa Inc.

The PCI Security Standards Council addressed emerging technologies at a meeting last month in Las Vegas and determined that encryption and tokenization were the top two emerging technologies deserving of attention.

Experts said that tokens combined with end-to-end encryption at POS systems would help increase security. The underlying goal is to eliminate primary account number (PAN) data from merchant systems entirely, so that a breach of the merchant yields nothing usable.

“It’s a great technology overall, but merchants have to make sure there are no other instances of PAN data around to really get the full benefit,” said Diana Kelley, founder and partner at Security Curve, adding that the industry still has significant work to accomplish before an industry-wide standard is adopted.

Merchants could face expensive upgrades to support the new technology, with some older POS terminals unable to support encryption.

Overall, experts agree that tokenization coupled with end-to-end encryption is a promising way to buttress data security.

“In the eyes of PCI and the assessor, a token isn't necessarily considered an encrypted data item, which may make it a little easier to pass an audit that way,” said Ramon Krikken, an analyst at the Burton Group. “When you are just the average merchant trying to comply with PCI and you don't really care about the card numbers anyway, there shouldn't be a really good argument against not using [tokens] if you don't have to go out and buy new terminals.”
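As an added illustration of the goal described above (not code from Visa, the PCI Security Standards Council or the article), a minimal tokenization vault: the merchant record keeps only a random token and the last four digits, the PAN lives solely in the vault, and a Luhn-based scan of the merchant record finds no card number. The TokenVault class, the scanner and the 4111 test PAN are constructed for this example; a production vault would additionally encrypt its store and restrict who may call detokenize.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used here only to tell a real PAN apart from a token."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical token service: the only system that ever holds the PAN."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        while True:
            # Random, non-derivable token that keeps only the last four digits
            # so receipts and customer service lookups still work.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that would pass a Luhn check or collide with an
            # existing one, so a token can never be mistaken for a live PAN.
            if not luhn_valid(token) and token not in self._store:
                self._store[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Privileged operation; the merchant never needs to call this."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant retains after authorisation: a token, not the PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount_cents}


def contains_pan(record: dict) -> bool:
    """Simple PAN scanner: any 13-19 digit Luhn-valid field counts as a PAN."""
    for value in record.values():
        s = str(value)
        if s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s):
            return True
    return False
```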

Click here to read more about PCI compliance from the April 2009 NACS Magazine, and be on the lookout for the November issue for new information.