PCI Compliance Doesn't Have To Be Painful - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Analytics
02:08 PM
Connect Directly

PCI Compliance Doesn't Have To Be Painful

Two technologies--end-to-end encryption and tokenization--may go a long way toward protecting credit-card data.

Security pros have a love-hate relationship with PCI. On one hand, the standard compels management to invest in security and mandates operational best practices. Failure to toe the line can result in fines and penalties, including increased costs for credit card transactions. Visa, MasterCard, and other card brands could go so far as to revoke a company's right to process cards, effectively killing the business.

Such consequences get noticed by executives. "We have a security operation because of PCI," says Bob Kemp, manager of IT security for Sheetz, a chain of gas stations and convenience stores. Sheetz is a Level 1 merchant, which means it processes at least 6 million credit card transactions every year. As such, Sheetz is required by PCI to be assessed by a third-party entity called a Qualified Security Assessor, or QSA, to ensure it complies with the standard.

But on the other hand, security pros also have beefs with the standard. At the top of the list is the notion of safe harbor--or the lack of it. While PCI is mostly sticks, one carrot for merchants is that the card brands can't fine them if they're breached, provided the merchants were compliant at the time of the breach. This safe harbor is offered as an incentive to promote compliance. Visa's Web site includes this statement: "Visa may waive fines in the event of a data compromise if there is no evidence of noncompliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach."

The key phrase is "full compliance at all times." On the surface, that's reasonable, until you understand that an company is technically compliant only at the time of the assessment. Once the QSA leaves, the company's status falls into a zone of uncertainty.

Two technologies--end-to-end encryption and tokenization--may go a long way toward protecting card data and ending this uncertainty. As we'll discuss in detail in our full report, available free for a limited time at information week.com/analytics/pciupdate, several large card processors offer, or will soon offer, devices that can encrypt card data at the point of sale.

For instance, Merchant Warehouse offers encrypted card readers, which the company says are being used in about 1,000 locations. The system can also return tokens rather than card data to merchants and retailers, which can be used for common transaction requirements such as voiding or refunding a purchase. In 2009, payment processor First Data announced Secure Transaction Management, a service that encrypts card data at the PoS application and sends it to First Data to be decrypted. And Heartland Payment Systems will soon launch E3, a program for point-to-point encryption and tokenization. The processor is offering PoS terminals that have a hardware-based encryption module from Thales.

Shifting liability is a key selling point of end-to-end encryption and tokenization. If these technologies can reduce the scope of PCI and lower the risk of card data being stolen at the retailer's site, widespread adoption is virtually assured. And that's good for all of us.


1. Depth of knowledge:Ensure the vendor can demonstrateits products adhere to PCI guidelines.

2. Level of commitment:You could end up locked in to the payment processor that provides your encryption or tokenization service. Can you live with that?

3. Hard trumps soft:Systems that encrypt card data at the point of swipe using a hardware module are superior to point-of-sale terminals that perform encryption using only software.

4. Ask for assurance:Therearemany potential points of failure.Shoddy key management,places in the processing chain whereencrypted data is decrypted and re-encrypted,caches of clear-text card data outside your boundaries.Get audit results.

5. Don't get complacent: Adopting end-to-end encryption and tokenization won't magically make you PCI compliant. Any business process that demands card data in the clear should raise a red flag.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll