Cryptographic Assurance Services LLC (CAS), a leader in cryptographic
compliance consulting, was asked to evaluate Format-Preserving
Encryption™ (FPE) as a mode of the Advanced Encryption
Standard (AES). CAS evaluated the mathematical model
on which it was based and the associated proofs of
security. CAS also reviewed a source-code instantiation
of FPE provided by Voltage Security. CAS identified
applicable compliance regimes and assessed FPE against
them.
The Payment Card Industry (PCI) Data Security Standard
(DSS) was developed by the PCI Security Standards Council
(SSC) to encourage and enhance cardholder data security
and facilitate the adoption of consistent data
security measures globally.
The VISA Best Practices—Data Field Encryption guideline
was developed by Visa to enhance overall data security
in the payment industry, to further the development
of data field encryption, and to assist merchants in
evaluating the new encryption solutions emerging in
the marketplace.
CAS noted the large body of cryptographic research
on which FPE is based (spanning decades) and the strength
of the mathematical proofs and cryptanalysis. CAS concluded
that FPE as implemented in the form of the AES mode
FFX meets the compliance criteria for PCI DSS v1.2
encryption requirements and for Visa's Data Field Encryption
requirements, making Voltage Security's SecureData
Format-Preserving Encryption products suitable for
use by organizations needing to comply. AES mode FFSEM
is a submode of AES mode FFX and is included in this
assessment. FFX, especially for fields generally requiring
protection in the financial services industry (e.g.,
PAN, SSAN, and authentication data), is more secure
than three-key 3DES (in any mode) and more secure
than AES-128 in ECB mode.