
Your token to VISA...

Aug 04, 2010 by Sebastian Rohr

The recently published document on protecting credit card data during processing and storage with tokenization technology has gathered quite a bit of response (see for yourself: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf). As others such as Mr. McMillon of RSA have said before (http://www.rsa.com/blog/blog_entry.aspx?id=1687), it is an overall good approach, and my very recent experience with CC data processing in outsourcing environments proves to me that solutions for this are in great demand. Besides the "nit-picking" (please excuse, we are totally on the same page here!) about calling encrypted CC data a "token" (which it is NOT: encrypted data can be turned back into the card number by anyone holding the key, whereas a real token has no mathematical relation to the card number and can only be resolved through the token vault), there are some issues with the general approach shown by VISA.

First, it is absolutely positive to see any progress and innovation around securing payment methods and payment processing, either at the PoS or online (and there are nice solutions for both environments readily available in the market, such as the nuBridges offering, for example). Second, it is advisable to contribute to standardization and commonly accepted methods, isn't it? Well, it looks like VISA (with all due respect for their effort to make this world a safer place!) has failed to get broad third-party support, such as funnelling this through the PCI Security Standards Council or having it openly reviewed by experts. It remains a mystery (at least to me) why VISA chose to spearhead this alone. The overall feedback received from experts around the world is a mixed bag of "well thought out, but has major weaknesses". Thus, it is definitely worth a look if you need to secure CC data in your systems and want guidance on how to define certain aspects. On the other hand, it is advisable to compare the VISA best practices with what the "other" stakeholders such as MasterCard, Diners, Amex and the like may add or edit.

From my personal perspective I applaud the advances made by this project, but I clearly dislike the fact that VISA did this on their own, effectively putting an extra burden on banks, merchants and everyone else dealing with CC data to harmonize with deviating requirements that may be published by other companies. I sincerely hope that the payment card industry does not fall into a "deny-all" mode, but instead that a revised version with support from industry organizations such as the PCI Security Standards Council is made public any time soon. Until then, I recommend reading, understanding and cross-checking the VISA best practices for tokenization against the extensive feedback already available from industry experts around the globe. The time for protecting CC data and other PII is definitely NOW, and good tokenization can help to reduce the leakage of such information!
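The "nit-pick" about encrypted card data not being a token is the one technical point in this post worth making concrete. The Python sketch below is an added example, not code from the original post, from VISA's guidance or from KuppingerCole. It puts a minimal token vault, which replaces a PAN with a random surrogate of the same length, next to a toy format-preserving encryption of the same PAN built from an HMAC-SHA256 keystream. Keeping the last four digits of the PAN in the token and forcing the token to fail the Luhn check are this example's own design choices, the keystream cipher is a teaching construction and not a production algorithm, and the PAN 4111111111111111 is a constructed test input. The point it demonstrates: the ciphertext is recoverable by anyone who obtains the key, so it is still card data; the token is recoverable only through the vault's mapping, so a system that holds nothing but tokens holds no card data.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits):
    """True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Tokenization: the PAN is replaced by a random surrogate of equal length.

    The token has no mathematical relation to the PAN; the only way back is the
    mapping kept in this vault, which is the component that stays in PCI scope.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:          # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            # Random body; the last four digits are kept so receipts and support
            # staff can still identify the card (an assumed design choice).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Force the token to fail Luhn so it can never be mistaken for, or
            # collide with, a real PAN. Changing any single digit always flips
            # the check, because each digit's Luhn contribution is unique mod 10.
            if luhn_ok(token):
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        return self._token_to_pan[token]     # KeyError: token was never issued


def _keystream(key, nonce, n):
    """Digit keystream from HMAC-SHA256(key, nonce || counter).

    Toy construction for illustration only (byte mod 10 is slightly biased).
    """
    out = []
    counter = 0
    while len(out) < n:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b % 10 for b in block)
        counter += 1
    return out[:n]


def encrypt_pan(key, nonce, pan):
    """Format-preserving *encryption*: every digit shifted by a keyed keystream."""
    ks = _keystream(key, nonce, len(pan))
    return "".join(str((int(d) + k) % 10) for d, k in zip(pan, ks))


def decrypt_pan(key, nonce, ciphertext):
    """Anyone holding key and nonce gets the PAN back; no vault is involved."""
    ks = _keystream(key, nonce, len(ciphertext))
    return "".join(str((int(c) - k) % 10) for c, k in zip(ciphertext, ks))


def demo():
    pan = "4111111111111111"                   # constructed test PAN
    vault = TokenVault()
    token = vault.tokenize(pan)
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = encrypt_pan(key, nonce, pan)
    return {
        "token": token,
        "token_passes_luhn": luhn_ok(token),
        "detokenized": vault.detokenize(token),
        "ciphertext": ciphertext,
        "decrypted": decrypt_pan(key, nonce, ciphertext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both outputs look like card numbers, which is exactly why the distinction matters for scoping: the encrypted value still depends on a key that can leak or be misused, while the token depends on nothing but the vault lookup, and the vault is where the controls (access restriction, logging, hardening) have to be concentrated.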
