This month (March 2010) Visa Europe released a full guidance document on Data Field Encryption: Device and Key Management Guidance. This relates directly to “end-to-end” encryption, “point-to-point” encryption or “account data” encryption and the process of securing transaction data in transit and in storage. This has been a critical focus of the payment card community. A nice article highlighting the benefits of this guidance document and endorsements by major organizations in Europe can be found here.
Simply put, the guidance provides 71 pages of excellent, specific data on what these technologies should be doing at a minimum. It gives operators and auditors a tool for comparing, on equal terms, the unique solutions being deployed globally, as well as a common baseline of control safeguards.
Please note this is focused on Visa Europe.
Thoughts and concerns with this guidance and/or the technology?