Comments on: Visa’s Retail Token Advice Of Token Value http://storefrontbacktalk.com/securityfraud/visas-retail-token-advice-of-token-value/ Techniques, Tools and Tirades about Retail Technology and E-Commerce Wed, 08 Feb 2012 16:02:40 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Michael Cherry http://storefrontbacktalk.com/securityfraud/visas-retail-token-advice-of-token-value/comment-page-1/#comment-64040 Michael Cherry Sun, 11 Oct 2009 09:11:45 +0000 http://www.storefrontbacktalk.com/?p=3956#comment-64040 Does VISA realize that lawsuits are coming and psychologists don’t get sued? I believe both of the following almost contradictory statements: 1. Customer submitted credit cards are radioactive and they need to be immediately encrypted as they are swiped. 2. Data centers that store data-at-rest can be designed to automatically identify and block breach attempts. Database encryption and the associated key management headaches are unnecessary. Michael Cherry, Cherry Biometrics Inc. Vice Chair, Digital Technology Committee National Association of Criminal Defense Lawyers Does VISA realize that lawsuits are coming and psychologists don’t get sued? I believe both of the following almost contradictory statements:
1. Customer submitted credit cards are radioactive and they need to be immediately encrypted as they are swiped.
2. Data centers that store data-at-rest can be designed to automatically identify and block breach attempts. Database encryption and the associated key management headaches are unnecessary.

Michael Cherry, Cherry Biometrics Inc.
Vice Chair, Digital Technology Committee
National Association of Criminal Defense Lawyers

]]> By: Steven Kendus http://storefrontbacktalk.com/securityfraud/visas-retail-token-advice-of-token-value/comment-page-1/#comment-64031 Steven Kendus Thu, 08 Oct 2009 16:34:56 +0000 http://www.storefrontbacktalk.com/?p=3956#comment-64031 The best practices for data field encryption announced by Visa work toward developing a standard approach while offering guidance to payment solution providers. As Schuman points out, the document rehashed conventional wisdom and long-standing Visa and PCI best practices. However, there is definite value in the fact that Visa is actually weighing in and looking to provide some guidance. The five key implementation objectives outlined in the document provide some validation to tokenization approaches that are currently in production. Likewise, their stance that no single technology can completely solve for fraud has merit. Existing solutions that use both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction support their stance. The best practices for data field encryption announced by Visa work toward developing a standard approach while offering guidance to payment solution providers. As Schuman points out, the document rehashed conventional wisdom and long-standing Visa and PCI best practices. However, there is definite value in the fact that Visa is actually weighing in and looking to provide some guidance. The five key implementation objectives outlined in the document provide some validation to tokenization approaches that are currently in production. Likewise, their stance that no single technology can completely solve for fraud has merit. Existing solutions that use both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction support their stance.

]]>