At the end of August, Visa revealed its plans to introduce a new point-to-point encryption (P2PE) service called Visa Merchant Data Secure. The service – which will be made available at the beginning of 2013 – will aim at securing payment terminals and other critical systems across the industry.
The P2PE technology will allow merchants to protect sensitive cardholder information by encrypting data within the payment processing environment. The encryption keys will be guarded by Visa, the gateway, or the company that acquires the service.
"Merchants large and small have expressed an interest in encryption as a way to protect cardholder data in their payment systems and simplify their security protocols," Ellen Richey, chief enterprise risk officer at Visa, explained when the service was announced.
"Since encrypted data can't be used to commit fraud, Visa's point-to-point encryption solution can significantly reduce the risk and impact of data compromises."
According to Eduardo Perez of the Visa Risk Group, the new service is not required yet, but it is “one of the tenets of the PCI Data Security Standard.”
In a recent interview, Perez revealed that the main goal was to continue to encourage organizations to adopt the more secure EMV (Europay, MasterCard, Visa) standard and rely more on dynamic authentications.
The new encryption solution might represent the answer to the issues highlighted a few days ago by University of Cambridge researchers. They discovered that the unpredictable number (UN) used by EMV cards to authenticate themselves was somewhat predictable.
They found a pattern in the way many ATMs and point-of-sale (POS) devices generated the “random” part of the UN. Because manufacturers of these devices are taking shortcuts, EMV cardholders might become exposed.
Their theory might explain some of the phantom withdrawals that some cardholders have reported.