Visa is offering a new data encryption service that could compete with third-party security vendors' offerings. The service's launch also indicates the card brand's growing desire to push beyond the requirements of the Payment Card Industry data security standards.
Visa's service, called Visa Merchant Data Secure with Point-to-Point Encryption, builds upon the infrastructure Visa already uses to encrypt PINs, Eduardo Perez, Visa's head of global security, says. This technology also will encrypt primary account numbers, card verification values and the expiration date, he says.
Visa's service is also "filling a gap that had become evident [with PCI compliance] in the last couple of years," says Gil B. Luria, an analyst and senior vice president at Wedbush Securities LLC. "We've seen that PCI standards would not be sufficient to prevent fraud. The big breaches at Heartland and Global Payments drove home that point."
Visa is marketing its system as an option — not a requirement — for merchants to use to protect card data.
"We see our service as another alternative," Perez says.
To make its service available by early next year, Visa is working with acquirers, processors and technology providers to determine how to integrate with payments terminals and other transaction systems, Perez says.
Terminal conversion would require the same logistics as other upgrades, meaning that some could switch remotely and others would need a store visit, he says.
By the time it's introduced, the service will meet PCI encryption standards and follow Visa's best practices, Perez says.
The service could compete with vendors already offering encryption services, says Avivah Litan, a vice president and analyst at Gartner Inc., a Stamford, Conn.-based research firm.
Because the service will make it easier for merchants to comply with PCI, Visa might do well to bundle it with changes need to accept EMV and Near Field Communication cards, Litan says. That way, merchants would be paying for something they want – easier PCI implementation – as well as something they may not relish – EMV and NFC acceptance, she says.
Retailers already are expressing interest in encryption, Litan says. Half of merchants in the two largest merchant categories report using encryption, she says.
Besides, it simply makes sense for Visa to get into the encryption business, Luria says.
"Visa has come to the realization that they should be the one providing the services so that it's seamless and end-to-end," Luria says.
For Visa, the service constitutes part of a broader authentication strategy aimed at improving security by eliminating account data whenever possible, protecting sensitive data wherever it is stored, processed or transmitted, and devaluing stolen account information through dynamic authentication such as EMV technology, Perez says.
The service addresses several concerns expressed by merchants and acquirers, Visa says. Visa designed the service to have minimal impact on established processing systems, use a consistent open encryption standard and allow for encryption and decryption in multiple zones, the release says.