
Protecting Card Data: Going the Extra Mile for Security

December 18, 2014 No Comments

Featured article by Dave Oder, President and CEO, Shift4 Corporation


IT professionals working for merchant organizations face specific security and compliance requirements beyond those of other industries. For instance, the Payment Card Industry Data Security Standard (PCI DSS) has established scores of requirements to ensure a consistent framework for payment card data security in a merchant’s environment. Though merchants are required to comply with these standards, compliance in itself does not make for a complete security strategy.

Because PCI DSS is the industry standard, some merchant organizations assume they have all the security they need when they are deemed compliant. This assumption is dangerous and can result in stolen payment card data and a black mark on the scorecard of public opinion and consumer confidence, not to mention steep fines. The recent wave of high-profile data breaches provides ample evidence of the need for a more strategic approach to security. Security measures must surpass the basics of compliance, moving beyond a ‘moment in time’ assessment. As any IT executive knows, security does not happen once a year – it must be a daily consideration.

Tokenization and P2PE

Merchants are required to be PCI compliant, but a strategic approach to security does not end there. Perhaps the greatest weakness of the PCI standards is that they focus on keeping cardholder data safe within the merchant’s environment. In order to be more secure, merchants’ security teams must remove sensitive data from their environment altogether – because cybercriminals can’t steal what you don’t have.

To prevent cardholder data from getting past the point of swipe and into the merchant environment, security teams can implement a combined tokenization and point-to-point encryption (P2PE) solution. This approach shrinks the cardholder data environment down to just the P2PE-enabled swipe device, so sensitive payment data is essentially eliminated from the rest of the merchant environment. Suddenly, thieves have nothing to steal, and business can continue without the fear of an impending, brand-damaging data breach.

PCI does not mandate the use of tokenization or P2PE technologies, but using them not only meets but may exceed several of the PCI DSS security requirements. Removing sensitive cardholder data from the merchant environment and instead housing it in a purpose-built, secure offsite data center results in a PCI scope reduction that benefits the merchant in terms of both time and money. Ultimately, PCI compliance is not enough to secure a merchant’s operations. Security beyond compliance is vital to protecting customers’ sensitive data and a merchant’s brand integrity.
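As an added illustration (not code from the article or from Shift4), the flow described above in Python: a P2PE-enabled reader encrypts the PAN at swipe with a key only the offsite provider holds, the provider's vault stores the PAN and hands back a token, and a PAN-discovery scan of the resulting merchant record (the kind of check a scope-reduction assessment relies on) finds nothing. The SHA-256 keystream, the token format and the vault class are assumed stand-ins, not any vendor's product, and the PAN is a constructed test number.

```python
import hashlib, re, secrets

TEST_PAN = "4111111111111111"  # constructed Luhn-valid test number, not a real card

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the filter a PCI scope-scanning tool applies to candidate PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Scan merchant-side data for anything that still looks like a card number."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(m)]

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHA-256 keystream stands in for the reader's real cipher (assumption, not production crypto)
    return bytes(a ^ b for a, b in zip(data, hashlib.sha256(key + nonce).digest()))

class SwipeDevice:
    """P2PE-enabled reader: encrypts at swipe with a key the merchant never holds."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def swipe(self, pan: str) -> str:
        nonce = secrets.token_bytes(16)
        return (nonce + _xor(self._key, nonce, pan.encode())).hex()

class OffsiteVault:
    """Provider's vault: decrypts the P2PE blob, keeps the PAN, returns a token."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pans = {}

    def tokenize(self, blob_hex: str) -> str:
        raw = bytes.fromhex(blob_hex)
        pan = _xor(self._key, raw[:16], raw[16:]).decode()
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"  # random; last four kept for receipts
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]

def merchant_checkout(pan: str, device: SwipeDevice, vault: OffsiteVault) -> dict:
    """The merchant system stores only the token; the PAN never lands in its environment."""
    return {"order": "A-1001", "card": vault.tokenize(device.swipe(pan))}
```

Running `find_pans` over a legacy record that still holds a raw PAN returns it, while the tokenized record yields an empty list.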

Adding EMV to the Security Landscape

The U.S. is the last major market in the world to adopt the technology known as EMV, which is another piece of the security puzzle. Global credit card brands Europay, MasterCard and Visa partnered nearly two decades ago to create EMVCo, an organization dedicated to bringing chip (smart) cards to the payments industry. EMV cards are equipped with embedded computer chips that help to authenticate the cards when they are presented for payment. The card brands and major banks behind EMV have been very vocal in promoting the technology as a solution to massive retail data breaches like the ones we’ve seen in the past year – capitalizing on the industry’s heightened fear to advance their own agenda.

As a result, an EMV “liability shift date” is approaching. The card brands have agreed that after October 2015, any organization that does not support EMV technology will become financially liable for any credit card fraud that could have been prevented were EMV in use. This has the potential to shift billions of dollars of fraud losses away from the major banks and credit card companies and onto the shoulders of merchants. In exchange for accepting EMV cards, so the thinking goes, merchants will be protected from the next wave of data breaches.

Unfortunately, this is a major exaggeration of EMV’s security capabilities. While EMV will help prevent fraudsters from using stolen card data in stores, it does not stop card numbers from being stolen in the first place. EMV also does nothing to prevent e-commerce fraud. And ultimately, EMV does not remove cardholder data from the merchant environment. Just like PCI compliance, EMV is only a part of the solution, not the solution itself.

A Four-Pronged Approach

Both EMV and PCI compliance are important components of protecting the merchant environment, but security measures must exceed these requirements to make a complete security solution. Therefore, a strategic security plan must take into account and secure every cardholder data touch point within a merchant’s environment. IT security teams should deploy a comprehensive tokenization solution that renders card data useless to cybercriminals, reducing the likelihood of data theft. In addition, they should implement P2PE to prevent card data from ever entering their environment in the first place. These four elements (PCI compliance, EMV, tokenization and P2PE) together will create an effective security strategy that criminals will find almost impossible to breach.


J. David Oder, president/CEO, Shift4: Dave is a hands-on manager who enjoys jumping into projects alongside his technical staff. An accomplished businessman, Dave has more than 35 years’ experience in software development and accounting, spent mainly on overseeing software companies. Prior to founding Shift4, he was CEO of the Aerus Corporation, a pioneer of business accounting software, and owner of a successful consulting firm. Dave earned his Bachelor’s degree in Business/Accounting and Master’s degree in Computer Science as well as an MBA from University of California, Los Angeles.
