Visa to Launch Encryption Service to Help Protect Sensitive Cardholder Data and Improve Merchant Security

SAN FRANCISCO, Aug. 21, 2012 /PRNewswire/ -- Visa Inc. (NYSE: V) today announced a new service, Visa Merchant Data Secure with Point-to-Point Encryption, to help acquirers and their merchants protect payment card data. Visa will make the service available to acquirers and their merchants by early 2013. Visa is currently working with acquirers, processors and payment technology vendors to provide specifications for integrating Visa's solution into payment terminals as well as into all critical systems across the payment processing industry.

Point-to-point encryption (P2PE) technology helps merchants and acquirers protect payment card data within their systems by encrypting sensitive cardholder information. Because the card data can only be accessed, or unscrambled, with decryption keys held securely by the acquirer, gateway or Visa, cardholder information is protected within the payment processing environment.

"Merchants large and small have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols," said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. "Since encrypted data can't be used to commit fraud, Visa's point-to-point encryption solution can significantly reduce the risk and impact of data compromises."

This solution is part of Visa's broader authentication strategy which aims to improve payment industry security by eliminating account data from the payment environment whenever possible, protecting sensitive information wherever it is stored, processed or transmitted, and devaluing stolen account information through dynamic authentication solutions such as EMV chip technology. P2PE technology is complementary to EMV chip technology, by providing an added layer of protection against the threat of data breaches, especially as the industry works to reach critical mass in the adoption of chip terminals and chip cards to benefit from EMV's defense against counterfeit fraud.

"With Visa's global processing reach and capabilities, we are able to provide an encryption solution that meets the needs of merchants and acquirers who want ease of implementation, flexibility, and effective protection," said Darren Parslow, Global Head of Processing, Visa Inc. "Working in concert, multiple layers of security including point-to-point encryption can help take merchants out of harm's way while mitigating fraud throughout the payment system."

Visa Merchant Data Secure with Point-to-Point Encryption addresses several key merchant and acquirer concerns about encryption:

• Minimal impact to payment processing systems. Merchants and acquirers can adopt point-to-point encryption with ease because of the minimal impact to existing payment systems. To make the transition as easy as possible, Visa will also offer a "format preserving" option, enabling merchants to integrate point-to-point encryption using a 16-digit encrypted value with their current systems.
• Consistent, open encryption standard. Visa's encryption solution relies on the same Triple Data Encryption Standard (TDES) and Derived Unique Key per Transaction (DUKPT) key management that are used to encrypt PINs today. This provides a consistent framework for managing keys and minimizes the impact of merchant system updates.
• Multi-zone encryption. Visa's solution allows for encryption and decryption in multiple zones, providing merchants and acquirers flexibility in how to deploy encryption within their unique environments. Multi-zone encryption can facilitate routing to multiple endpoints, if the merchant is using multiple processors, consistent with how PIN encryption is managed today.

In 2009, Visa developed global industry best practices for encryption to provide guidance to encryption vendors and early adopters. Visa's encryption service is designed to meet Visa best practices as well as the PCI Security Standards Council's P2PE Solution Requirements for reducing the scope of PCI compliance requirements. Visa expects to validate the P2PE service against the PCI requirements by the time it is available to merchants.

Over the coming months, Visa will provide specifications and implementation guides through technical review agreements. Payment technology vendors with PCI P2PE-enabled systems that are interested in supporting the Visa P2PE service should contact [email protected] for more information.

About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks—VisaNet—that is capable of handling more than 20,000 transaction messages a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit www.corporate.visa.com.

SOURCE Visa Inc.