PCI's not enough: Breach prevention needs chips and tokens
Many of the worst data breaches in history had nothing to do with a failure to be PCI compliant; they resulted from weaknesses in the payment security infrastructure.
While PCI compliance is necessary and useful, it’s not always sufficient to be fully secure. To counter this, independent software vendors (ISVs) must adopt a layered security approach that uses EMV, encryption technology and tokenization in addition to keeping up with PCI compliance requirements. This is the only way for ISVs to ensure complete protection for themselves and their clients.
In addition to PCI compliance, the three additional, and essential, components of layered security are:
EMV technology. This prevents counterfeit card fraud for card-present transactions with chip technology. However, it cannot protect card data in card-not-present environments like e-commerce websites.
Encryption technology. This protects card data in flight at the point of sale for card-present transactions when cards are swiped, dipped, or keyed into an encrypted device.
Tokenization. This allows businesses to limit their exposure to sensitive card data by storing a randomly generated code called a token instead of cardholder data. In the case of a breach, a token is worthless to a fraudster. This is a benefit for businesses that need to store card data on file, but it only protects information at rest. It leaves data vulnerable at the point of sale, which is why it should be used along with encryption and EMV technology.
On their own, each of these security technologies partially protects data along its payment processing journey. Together, they protect sensitive card data through the entire multistep payment process. By using these technologies together, ISVs can protect themselves and their merchants from expensive and devastating data breaches.
These additional layers of protection for clients mean extra work for ISVs that must ensure they are up to speed with all options and regulations. This is not something any software vendor particularly welcomes. It’s costly in time, effort and resources. As a result, many take shortcuts. Most of the industry is simply not ready to go that far, especially when it comes to writing integrations, which is a potential source of great danger for consumers, merchants and ISVs.
This is where the advantages of partnering with a payments processor become clear, especially one that’s already gone the extra mile to validate its P2PE solution.
There are numerous encryption products on the market, but only a few offer PCI-validated point-to-point encryption (P2PE), a technology validated by the Payment Card Industry Security Standards Council. P2PE encrypts sensitive card data in flight and is considered the gold standard for encryption services. A P2PE credit card terminal can encrypt card data once the card is swiped or dipped, and that data remains encrypted until it reaches a safe decryption environment.
The advantage to using a PCI-validated solution is that it’s been vetted by the standards council. This means it stays relatively fixed as PCI-validated P2PE only expires after a few years. Consequently, ISVs should not need to take multiple runs at an integration every time PCI changes.
This contributes to a time- and cost-saving benefit (also including a vastly shorter self-assessment questionnaire and the ability to forgo vulnerability scans) that can be passed directly to merchants.
Full PCI compliance is not a one-time event; it’s an ongoing process that involves a great deal of time, effort and resources. Reviews happen annually, and requirements change over time, meaning a company never stops working toward compliance — the metaphorical finish line keeps moving further away.
If an ISV were to consider taking on the PCI burden alone, it would be condemned to dedicating its resources to simply staying in place instead of innovating and serving its customers. The cost can be upward of half a million dollars when factoring in labor, technology and auditing. This is money that could be better invested into the software's core solution. Furthermore, the cost of a data breach can easily move into millions of dollars, including legal fees, brand damages and customer loss. Both sets of circumstances are enough to threaten an ISV’s very existence.
The centerpiece of an ISV’s efforts should continue to be PCI scope reduction. This diminishes the onerous requirements of PCI compliance by redirecting confidential customer data to a PCI-compliant processor, effectively removing the burden of card data security from the software (and reducing PCI scope for the software vendor). But remember: While PCI compliance is necessary, it’s not always sufficient to be fully secure.
Handling money and data will always be a warlike situation. There are enemies on all sides, the way forward is seldom clear, and the battleground is in a constant state of flux. Data breach protection is not a place for ISVs to go it alone. They have their strengths and market niches, but it becomes all too easy to lose sight of major strategic gaps. The speed of today’s market does not offer time for a second chance.