This story appears in the May 2009 issue of Cards&Payments.
On March 31, critics and defenders of the Payment Card Industry Data Security Standard had their say before Congress. That is when they testified before the U.S. House Committee on Homeland Security's subcommittee on emerging threats, cybersecurity and science and technology.
One of the fundamental questions put to the subcommittee was whether PCI is up to the task of preventing security threats. Our view, based on more than 350 hours of anonymous interviews with merchants, banks, card processors and many other players in the payments industry, is that it is not.
To give credit to PCI, the standard is far more effective at securing confidential data than such government-driven efforts as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley rules. But no standard or law can prevent data breaches.
The recent breaches at Heartland Payment Systems and RBS WorldPay have helped launch what we at the PCI Knowledge Base call the "beyond-PCI movement." Some use the phrase to mean applying security controls beyond those the standard requires in order to protect confidential data. Others see the mantra as a vendor's attempt to differentiate products and services, reducing the discussion to the simplistic question, "Are you PCI-compliant?"
We believe it could be useful to define some dimensions of "beyond PCI" and suggest some strategies that may be worth consideration.
One beyond-PCI effort, tokenization, seeks to remove card data from the retail environment as soon as possible by replacing the account number with a "fake," or one-time, number that has no intrinsic market value: a token that leaks from a store system cannot be used to make a purchase, and the real number lives only in the vault that issued the token. A year ago, when we began our research on the topic, there were only three tokenization options. By the end of 2009, we expect at least 30 payment processors and technology providers will be offering programs that fall into this category.
Providers can differentiate themselves through broadly supported token schemes that work throughout the payment-processing cycle (authorization, settlement, refunds and chargebacks) and through tighter integration with enterprise applications beyond the point of sale.
The PCI standard sets guidelines for the use of dozens of different hardware, operating-system, networking and application technologies. But, like any technically detailed standard, it will fall behind the evolution of technology.
Server virtualization, which uses software to run several isolated systems on one physical machine, is among dozens of newer technologies affecting data security that the standard does not mention. That silence prompts many companies to resist deploying virtualization and other potentially cost-saving technologies in the cardholder environment.
The best strategy for any firm considering deploying, within the cardholder environment, a technology or application the standard does not address is to have a PCI assessor review the implementation before it goes live. But the quality of these assessments varies, creating another quandary for companies striving to remain compliant by keeping card data secure.
One of the most difficult things to justify in data security is treating some confidential data differently from other confidential data. But that is what PCI requires: a rigorous and costly set of data-security controls applied to only a few card-data elements, including the primary account number, the card-verification value and the track data stored on the magnetic stripe.
Yet every company collects and retains other confidential data, such as U.S. Social Security numbers and noncard account numbers, that is not subject to PCI and is not protected with the same rigor as credit card data.
A scheme that classifies the data that needs to be protected, whether under PCI or other rules, should drive any enterprise data-security strategy. Classification is difficult to implement and enforce, but it is easier to manage over the long term because it forces discipline in data management, and that discipline pays off in controlling access to information, in identifying and responding to threats, and in forensic analysis.
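To make the two ideas above concrete, the tokenization described earlier and the data classification described here, the following is an added illustration written for this piece; it is not code from the original column, from PCI Knowledge Base or from any vendor's product. It assumes a minimal in-memory token vault, three policy labels of our own choosing (PCI-SAD, PCI-CHD, CONF) and a constructed sample record built around the well-known Visa test number 4111111111111111; the field names, the regular expressions and the handling rules are all assumptions for the example.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check used by the card brands: True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal token vault (assumed design, not any vendor's product).

    - One token per PAN, so a merchant can refund or reconcile without ever
      holding the PAN again. The mapping lives only here; a production vault
      would encrypt it and sit outside the store's network.
    - Tokens keep the last four digits for receipts and are deliberately
      Luhn-invalid, so a leaked token can never pass as a real card number.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:                          # random body + real last four, rejected until Luhn fails
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the settlement system may recover a PAN; the POS never can."""
        if role != "settlement":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


# Detection patterns (assumed): PAN candidates, U.S. SSN, track 1 / track 2 start sentinels.
PAN_RE = re.compile(r"\b\d{13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TRACK_RE = re.compile(r"^(%B\d{13,19}\^|;\d{13,19}=)")


def classify(value: str) -> str:
    """Policy labels are ours, not PCI wording:
    PCI-SAD  track data: sensitive authentication data, never stored after authorization
    PCI-CHD  PAN: cardholder data, stored only tokenized, truncated or encrypted
    CONF     SSN and similar: confidential but outside PCI scope, enterprise policy applies
    PUBLIC   nothing recognised
    Track data is tested first because it can embed a Luhn-valid PAN."""
    if TRACK_RE.match(value):
        return "PCI-SAD"
    if any(luhn_valid(m.group()) for m in PAN_RE.finditer(value)):
        return "PCI-CHD"
    if SSN_RE.search(value):
        return "CONF"
    return "PUBLIC"


def classify_record(record: dict) -> dict:
    return {field: classify(value) for field, value in record.items()}


def protect_record(record: dict, vault: TokenVault) -> dict:
    """One explicit handling rule per class, so the policy is auditable."""
    out = {}
    for field, value in record.items():
        cls = classify(value)
        if cls == "PCI-SAD":
            continue                          # drop: may not be retained at all
        if cls == "PCI-CHD":                  # swap every Luhn-valid PAN for its token
            out[field] = PAN_RE.sub(
                lambda m: vault.tokenize(m.group()) if luhn_valid(m.group()) else m.group(),
                value)
        elif cls == "CONF":                   # non-PCI confidential data: mask to last four
            out[field] = SSN_RE.sub(lambda m: "***-**-" + m.group()[-4:], value)
        else:
            out[field] = value
    return out


# Constructed sample record (not real data); 4111111111111111 is the Visa test PAN.
SAMPLE_RECORD = {
    "customer": "Jane Doe",
    "pan": "4111111111111111",
    "track1": "%B4111111111111111^DOE/JANE^2512101?",
    "ssn": "123-45-6789",
    "order_id": "ORD-2009-000123",
}

if __name__ == "__main__":
    vault = TokenVault()
    print(classify_record(SAMPLE_RECORD))
    print(protect_record(SAMPLE_RECORD, vault))
```

The point of the example is the discipline the column calls for: every field gets a class, every class gets one written-down handling rule, and the PAN leaves the store system as a token that fails the Luhn check, so neither a stolen token nor a leaked classification table is worth anything to an attacker.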
Bottom line: Organizations seeking to develop data-security strategies that go beyond PCI controls have many options. But they must be explicit about what they mean by the term, and they must define a plan and a justifiable budget for anything the PCI standard does not explicitly mandate.
David Taylor is founder of PCI Knowledge Base. He can be reached at david.taylor@knowPCI.com.