The guidelines are based on best practices developed by Visa Europe that will help merchants and other stakeholders in the payments process to evaluate data encryption solutions. These technologies can help secure card data when it is either being stored or moved and render it useless to fraudsters in the event of a data compromise. The best practices are based on the following basic security objectives: • Cardholder and authentication data should only be available at the points of encryption and decryption • Encryption key management solutions should follow international and/or regional standards • Key lengths and cryptographic algorithms should follow international and/or regional standards • Devices used to perform cryptographic operations should be independently assessed to ensure they are protected against compromise • If cardholder data is needed after authorisation (for example when processing recurring payments, customer loyalty programmes or in fraud management), a transaction ID or token should be used instead of the data itself A recent survey by Thales found that 60 percent of Qualified Security Assessors believe encryption is the most effective means to protect card data. Similarly, an independent report in April 2009 by PricewaterhouseCoopers concluded that end-to-end encryption has the greatest potential as a solution for retailers aiming for PCI DSS compliance. While some retailers, merchants and banks have been implementing PCI DSS compliance programmes to utilise end-to-end data encryption, uncertainty around how best to adopt encryption has slowed progress. Visa Europe’s guidelines are designed to provide guidance by describing minimal security practices required to design a robust end-to-end encryption solution that can help satisfy PCI DSS compliance requirements, while reducing the cost of maintaining compliance and offering the flexibility needed to complement existing security measures. Stanley Skoglund, Senior Vice President Payment System Risk at Visa Europe, said: “While fraud remains at historically low levels, Visa Europe is committed to working with all parties in the payment system to ensure greater levels of security; and supporting those for whom technologies such as data encryption and tokenisation are suitable for. We have seen considerable innovation with respect to financial institutions and their customers wishing to strengthen their defences against data compromises.” He continued, “We and the other members of the PCI Security Standards Council have worked hard to spur the adoption of compliant systems and we view the adoption of common guidelines on end-to-end encryption as a complementary step in increasing the protection offered to retailers and consumers through PCI DSS.” www.visaeurope.com