EDITOR'S EYE

The World of Software Development.

by Jon Erickson
October 08, 2009

Best Practices for Credit-Card Security


Visa (the credit-card people, not the immigration people) has released a set of best practices for data field encryption (a.k.a. "end-to-end encryption") entitled Data Field Encryption Version 1.0.

Data field encryption is intended to protect card information from the swipe to the acquirer processor without the merchant needing to process or transmit card data in the "clear." The end result is that cardholder data is useless to criminals in the event of a merchant data breach.

The goals of the best practices are to:

  • Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption (e.g., all cardholder data and sensitive authentication data shall be encrypted using only ANSI X9 or ISO approved encryption algorithms such as AES).
  • Use robust key management solutions consistent with international and/or regional standards (e.g., keys shall be managed per ANSI X9.24/ISO 11568 or equivalent).
  • Use key-lengths and cryptographic algorithms consistent with international and/or regional standards (e.g., encryption keys shall have the strength of at least 112 equivalent bit strength).
  • Protect devices used to perform cryptographic operations against physical/logical compromises (e.g., devices used to perform cryptographic operations should undergo independent assessment).
  • Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs, or fraud management (e.g., if any cardholder data is needed after authorization, a single-use or multi-use transaction ID or token should be used instead).
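
The first and last of these goals lend themselves to a worked example. The Go program below is an added illustration of mine; it is not Visa's code and is not part of the best-practices document. A terminal seals the PAN with AES-256-GCM at the swipe, the merchant only forwards the sealed envelope, and the acquirer decrypts, authorizes, and hands back a random token for any post-authorization use such as recurring billing. Assumptions: the terminal and acquirer share one pre-provisioned key (real deployments manage and derive keys per X9.24, which the list above cites), the token vault is a plain in-memory map standing in for an encrypted store, and 4111111111111111 is the well-known test number, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is everything the merchant ever handles: a per-transaction nonce
// plus AES-GCM ciphertext (which carries its authentication tag). No cleartext PAN.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// Terminal is the point of encryption (a PIN-entry device). Assumption: the
// key was injected out of band and is shared with the acquirer.
type Terminal struct{ key []byte }

// Acquirer is the point of decryption. vault maps token -> PAN and stands in
// for an encrypted token store that lives only on the acquirer side.
type Acquirer struct {
	key   []byte
	vault map[string]string
}

// newGCM builds an AES-GCM AEAD; a 32-byte key gives AES-256 (AES-128 would
// already exceed the 112-bit floor the best practices ask for).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals the PAN at the swipe. A fresh random nonce per transaction is
// mandatory for GCM: reusing one under the same key breaks both secrecy and integrity.
func (t Terminal) Encrypt(pan string) (Envelope, error) {
	gcm, err := newGCM(t.key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(pan), nil)}, nil
}

// Authorize opens the envelope (anything altered in transit fails the tag check),
// validates the PAN and returns a random token. The token is deliberately not a
// hash of the PAN: a PAN has too little entropy for a hash to resist brute force.
func (a *Acquirer) Authorize(env Envelope) (string, error) {
	gcm, err := newGCM(a.key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", errors.New("envelope failed authentication; transaction rejected")
	}
	pan := string(pt)
	if !luhnValid(pan) {
		return "", errors.New("PAN fails Luhn check")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	a.vault[token] = pan
	return token, nil
}

// Resolve maps a token back to its PAN; only the acquirer can do this.
func (a *Acquirer) Resolve(token string) (string, bool) {
	pan, ok := a.vault[token]
	return pan, ok
}

// luhnValid is the standard card-number check digit test (right to left,
// doubling every second digit, digits summing to a multiple of ten).
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

func main() {
	key := make([]byte, 32) // constructed shared key for the demonstration
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	term := Terminal{key: key}
	acq := &Acquirer{key: key, vault: map[string]string{}}
	env, err := term.Encrypt("4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant forwards %d bytes of ciphertext, never the PAN\n", len(env.Ciphertext))
	token, err := acq.Authorize(env)
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant keeps only the token for recurring billing:", token)
}
```

The design choice worth noting is the token itself: because it is 128 random bits looked up in a vault the merchant cannot reach, a breach of the merchant's stored tokens yields nothing that can be turned back into card numbers, which is exactly the outcome the post describes.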

At the same time, Visa underscored its commitment to data field encryption by announcing it will chair the ANSI X9F6 standards working group to develop a data field encryption standard. ANSI X9 is the committee developing standards for the financial industry -- specifically for personal identification number (PIN) management, check processing, electronic transfer of funds, and the like. Within X9 there are subcommittees and working groups, such as X9F6.

-- Jonathan Erickson
jerickson@ddj.com

Posted by Jon Erickson at 09:30 AM
