On July 14, 2010 Visa released version 1.0 of their Tokenization best practices document. This follows up previous publications on data field encryption. The release is brief, but provides several interesting data points that Merchants, Providers, and Practitioners should consider.
Visa breaks down Token systems into 4 Unique Components:
- Token Generation
- Token Mapping
- Card Data Vault
- Cryptographic Key Management
A broad set of best practices is highlighted throughout the rest of the document and is well worth a review (here is the direct link to the PDF). A few specific items that stood out:
- The Tokenization system must be segmented and “be subject to a full PCI DSS assessment” – note this does not say QSA audit, but rather implies a confirmatory action by the owner of the system.
- Monitoring suggests a need to “detect malfunctions or anomalies and suspicious activities”, which is far more fraud-focused. In addition there is mention of rate limiting functions, which would be beneficial beyond the token-PAN mapping environment.
- The token must be designed so that it is “not be computationally feasible” to recover the original PAN. A token may be created using EITHER a “known strong cryptographic algorithm” or a “one-way irreversible function”.
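As an added illustration of the four components and the monitoring point above (not Visa's or the author's code): a toy Python vault that generates tokens with a keyed one-way function (HMAC-SHA256), keeps the token-to-PAN mapping in a vault, and rate-limits detokenization per caller. The key, caller names and PAN are constructed sample values.

```python
import hmac
import hashlib
import time
from collections import defaultdict, deque

class TokenVault:
    """Toy tokenization service illustrating the four components Visa names:
    token generation, token mapping, card data vault and key management."""

    def __init__(self, key: bytes, rate_limit: int = 5, window_s: float = 60.0):
        self._key = key                    # key management: the HMAC key lives only here
        self._vault = {}                   # card data vault: token -> PAN
        self._map = {}                     # token mapping: PAN -> token for repeat lookups
        self._limit = rate_limit           # detokenize calls allowed per caller per window
        self._window = window_s
        self._calls = defaultdict(deque)   # caller -> timestamps of recent detokenize calls

    def tokenize(self, pan: str) -> str:
        """Token generation with a keyed one-way function (HMAC-SHA256).
        Without the key the PAN is not recoverable from the token; the last
        four digits are kept in the clear so the token keeps PAN format."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._map:
            return self._map[pan]
        digest = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        width = len(pan) - 4
        body = str(int.from_bytes(digest, "big") % 10 ** width).zfill(width)
        token = body + pan[-4:]
        if self._vault.get(token, pan) != pan:
            raise RuntimeError("token collision; rotate key or widen token space")
        self._vault[token] = pan
        self._map[pan] = token
        return token

    def detokenize(self, caller: str, token: str, now=None) -> str:
        """Return the PAN for a token, enforcing a per-caller rate limit so that
        bulk detokenization attempts are blocked and surface as anomalies."""
        now = time.monotonic() if now is None else now
        recent = self._calls[caller]
        while recent and now - recent[0] >= self._window:
            recent.popleft()               # drop calls outside the sliding window
        if len(recent) >= self._limit:
            raise PermissionError(f"detokenize rate limit exceeded for {caller}")
        recent.append(now)
        if token not in self._vault:
            raise KeyError("unknown token")
        return self._vault[token]
```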
This publication is meant to provide high-level guidance, and Visa is seeking comments by August 31, 2010 (send messages to firstname.lastname@example.org with “Best Practices for Tokenization” in the subject). In the past Visa has followed such high-level documents with more granular publications, so feedback and comment are important.
James DeLuccia IV
This month (March 2010) Visa Europe released a full guidance document on Data Field Encryption: Device and Key Management Guidance. This relates directly to “end-to-end” encryption, “point-to-point” encryption or “account data” encryption and the process of securing transaction data in transit and in storage. This has been a critical focus of the payment card community. A nice article highlighting the benefits of this guidance document and endorsements by major organizations in Europe can be found here.
Simply put, the guidance provides 71 pages of excellent, specific data on what these technologies should be doing at a minimum. This gives operators and auditors a tool to compare the unique solutions being deployed globally on an equal footing, and a common baseline of control safeguards.
The full guidance document may be downloaded here. A direct link to the PDF is here.
Please note this is focused on Visa Europe.
Thoughts and concerns with this guidance and / or the technology?
According to an article covering a conference held in Cairo, a Visa representative shed some new light on the costs of fraud for businesses in the payment industry.
“It is estimated that each individual case of fraud costs an organization $15,000 on average,” said Elhousseiny.
Now we don’t know what is included in this figure, but it is likely to be a far better number than the speculative numbers posted by pundits like myself and others.
The lesson remains – be PCI compliant, have true security, and be mindful of your customers’ data – without them you will go bankrupt.
Update: selenakyle provided some interesting clarification / challenges:
- Is this figure associated with compromised Merchants?
- Is this the average cost of a single Fraud / Fraud-Ring / by Consumer account?
- Are these figures solely for AIS or the region in total?
James DeLuccia IV