A majority of the qualified security assessors who evaluate compliance with the Payment Card Industry Data Security Standard (PCI DSS) regard encryption as the most effective means of protecting card data, according to a study released April 27 by Thales Group and the Ponemon Institute.
Of the 155 qualified security assessors surveyed for the study, 60% rated data encryption the most effective method of protecting card data.
Various high-profile data breaches have occurred at companies deemed compliant with the standard, and “there is a sense that there is a difference between security and compliance,” Richard Moulds, vice president of product strategy at France-based Thales’ e-security group, tells PaymentsSource. “Just because you are PCI compliant doesn’t mean you are secure,” he says, noting that not all merchants and organizations that handle card data appreciated that before such recent breaches as the one at Heartland Payment Systems Inc. (see story).
Companies’ desire to extend their security measures beyond what is required by the PCI standards triggered some of the assessors’ interest in data encryption, says Moulds. Some organizations are beginning to think, “Maybe this stuff has merit even if it is not required by PCI,” he says.
The Payment Card Industry Security Standards Council intends to release an updated data-security standard in October, and many qualified security assessors believe the council will clarify how they should treat encrypted data in audits, says Larry Ponemon, chairman and founder of the Ponemon Institute, a Traverse City, Mich.-based research group.
“In the last couple of years, [qualified security assessors], if they can’t assure themselves that the encryption is good enough, they will rely on compensating controls,” says Ponemon. “They are important but not a full substitute for encryption.”
A compensating control is an alternative measure a merchant may adopt when a legitimate technical or documented business constraint prevents it from meeting a requirement of the standard as written. The qualified security assessor must validate that the control meets the intent and rigor of the original requirement before it counts toward compliance.
Without clarification regarding encryption from the council, there could be variation “that could be harmful to the quality of the [Data Security Standard] process,” he says. Some assessors may believe they can achieve security by working around encryption, and “that could be wrong. There could still be holes in the system,” Ponemon tells PaymentsSource.
The council is working on updates to three of its standards this year: the PIN Transaction Security (PTS) standard, the Payment Application Data Security Standard (PA-DSS) and the PCI Data Security Standard, says Bob Russo, the Wakefield, Mass.-based council’s general manager.
So far, the global payments industry wants further clarification of information in the standards, additional guidance on security issues and clarity on how the standards will evolve, Russo says. The revised standards will respond to those requests, he says.