Visa’s P2PE service announcement
Today, Visa announced that it is joining a trend Voltage pioneered: end-to-end (or point-to-point) encryption that lets merchants and payment processors secure payment data against breach risks. Nearly all of the top payment processors and several leading payment gateways in the US have already adopted a proven, independently analyzed solution based on FFX, a format-preserving encryption mode built on AES. This approach has enabled merchants and processors to reduce risk and PCI scope by protecting sensitive data in storage, in transmission, and during processing.
Visa's proposed solution raises some important unanswered questions. In particular, today's announcement refers to a "format preserving" option intended to minimize the impact on payment processing systems. Visa's prior submission to NIST in this area describes an algorithm with substantial limitations. That submission attempts to resurrect a stream cipher-based FPE approach that dates back to 1981 but never caught on because of a host of problems. Chief among them is that a stream cipher needs a fresh nonce for every encryption, and a field that must keep its original format has nowhere to carry one; reusing the keystream across records reduces the scheme to a two-time pad. We have yet to see these problems addressed in working systems in the field, and it is questionable whether they can be without breaking the fundamental benefits of format preservation. The FFX encryption mode suffers from none of the limitations of this older approach.
In addition, in sophisticated processing environments, simple encryption of PAN data in flight is a partial solution at best. PAN data is typically stored in a number of different environments: POS systems, store controllers, payment switches, etc. The approach that Visa has submitted to NIST is simply unusable for the protection of stored data. By contrast, the FFX encryption mode is built to allow Format-Preserving Encryption of data when it is being stored, transmitted, or processed.
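The storage argument above is easiest to see in code. The block below is an added illustration written for this post; it is not Voltage's or Visa's code, and the Feistel construction is a simplified stand-in for a tweakable FPE mode, not the FFX/FF1 specification. HMAC-SHA256 is assumed as the keyed PRF in place of AES, and the key, the two PANs (one is the well-known 4111... test number), the nonce and the per-record tweaks are constructed sample values. It contrasts a keystream-based digit cipher, which has no room for a per-record nonce in a 16-digit stored field and therefore leaks the digit-wise difference between any two stored PANs, with a Feistel-based digit cipher that needs no nonce and uses a tweak (here an assumed record identifier) to separate records.

```python
"""
Added illustration (not Voltage's or Visa's code, not the FFX/FF1 standard):
keystream-based digit FPE versus tweakable Feistel-based digit FPE.
HMAC-SHA256 stands in for AES as the keyed PRF; all keys, PANs and tweaks
below are constructed sample values.
"""
import hashlib
import hmac

MOD = 10 ** 8      # each Feistel half holds 8 decimal digits
ROUNDS = 10


def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF (HMAC-SHA256 here; a real design would use AES)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_digits(key: bytes, nonce: bytes, n: int) -> list:
    """Unbiased decimal keystream: keep bytes < 250 and reduce them mod 10."""
    out, counter = [], 0
    while len(out) < n:
        for b in _prf(key, nonce + counter.to_bytes(4, "big")):
            if b < 250 and len(out) < n:
                out.append(b % 10)
        counter += 1
    return out


def keystream_encrypt(key: bytes, nonce: bytes, pan: str) -> str:
    """Stream-cipher FPE: add the keystream digit to each plaintext digit mod 10."""
    ks = keystream_digits(key, nonce, len(pan))
    return "".join(str((int(p) + k) % 10) for p, k in zip(pan, ks))


def keystream_decrypt(key: bytes, nonce: bytes, ct: str) -> str:
    ks = keystream_digits(key, nonce, len(ct))
    return "".join(str((int(c) - k) % 10) for c, k in zip(ct, ks))


def _round(key: bytes, tweak: bytes, i: int, half: int) -> int:
    """Feistel round function: PRF over tweak, round index and the other half."""
    data = tweak + bytes([i]) + half.to_bytes(4, "big")
    return int.from_bytes(_prf(key, data), "big") % MOD


def feistel_encrypt(key: bytes, tweak: bytes, pan: str) -> str:
    """Tweakable Feistel FPE over 16 digits: deterministic per (key, tweak), no nonce."""
    assert len(pan) == 16 and pan.isdigit()
    a, b = int(pan[:8]), int(pan[8:])
    for i in range(ROUNDS):
        a, b = b, (a + _round(key, tweak, i, b)) % MOD
    return f"{a:08d}{b:08d}"


def feistel_decrypt(key: bytes, tweak: bytes, ct: str) -> str:
    a, b = int(ct[:8]), int(ct[8:])
    for i in reversed(range(ROUNDS)):
        a, b = (b - _round(key, tweak, i, a)) % MOD, a
    return f"{a:08d}{b:08d}"


def digit_differences_leak(c1: str, c2: str, p1: str, p2: str) -> bool:
    """True when c1 - c2 == p1 - p2 digit-wise mod 10: the two-time-pad signature."""
    return all((int(x) - int(y)) % 10 == (int(p) - int(q)) % 10
               for x, y, p, q in zip(c1, c2, p1, p2))


KEY = b"\x13" * 16             # constructed demo key
PAN1 = "4111111111111111"      # well-known test number, not a live card
PAN2 = "4000123456789010"      # constructed sample PAN


def demo() -> dict:
    # Stored-data case: a 16-digit column has no room for a per-record nonce,
    # so every record in the table ends up under the same keystream.
    shared_nonce = b"column-nonce"
    k1 = keystream_encrypt(KEY, shared_nonce, PAN1)
    k2 = keystream_encrypt(KEY, shared_nonce, PAN2)
    # Feistel case: an assumed per-record tweak (e.g. a row id) instead of a nonce;
    # the ciphertext still fits the 16-digit field and no keystream is shared.
    f1 = feistel_encrypt(KEY, b"record-1", PAN1)
    f2 = feistel_encrypt(KEY, b"record-2", PAN2)
    return {
        "keystream_roundtrip": keystream_decrypt(KEY, shared_nonce, k1) == PAN1,
        "keystream_leaks": digit_differences_leak(k1, k2, PAN1, PAN2),
        "feistel_roundtrip": feistel_decrypt(KEY, b"record-1", f1) == PAN1,
        "feistel_leaks": digit_differences_leak(f1, f2, PAN1, PAN2),
    }


if __name__ == "__main__":
    print(demo())
```

The keystream variant is sound for a single message when a fresh nonce travels with it, which is the in-flight case; the failure appears exactly when the ciphertext must stand alone in a fixed-format stored field. The Feistel variant is deterministic for a given key and tweak, so two records encrypted under the same tweak would reveal equality of their PANs; that is why a real deployment binds a tweak to each record or field rather than reusing one.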
While Visa has yet to publicly specify exactly which algorithmic mechanisms it will use within its offering, it would be unfortunate to use a less sophisticated, less functional FPE scheme than the one the industry and NIST have embraced, especially one that ignores the pervasive problem of data at rest and in use and offers no significant advantage for point-to-point encryption.