By: Dave Oder, President and CEO, Shift4 Corporation
Due to the ongoing efforts of cyber criminals to steal personal financial information, the Payment Card Industry (PCI) Council has created a comprehensive Data Security Standard (known as PCI DSS) with the aim of protecting merchants and cardholders. Merchants certainly should adhere to these requirements in order to attain the “PCI compliant” designation, but there is far more to transaction security than this designation.
Though PCI compliance is important, it can lull merchants into complacency, and complacency is never a good thing in business. Much more is required for a well-rounded security plan than simply ticking off the check boxes of an annual PCI-compliance assessment. The string of recent security breaches involving major brands should serve as a stark reminder that complacency in the face of ever-more-sophisticated threats can lead to brand disaster and lost revenue.
Passing the yearly PCI assessment is no guarantee against security breaches. Security measures must surpass the basics of compliance, moving beyond a ‘moment in time’ assessment. As any security-minded merchant will understand, security does not happen once a year – it must be a daily consideration.
Remove Sensitive Data to Improve Security
One of the largest challenges with PCI’s requirements is that their goal is to keep cardholder data safe in a merchant’s environment. I like to compare this to trying to protect a princess in a castle. The princess may be guarded by the king’s strongest men, and the walls fortified and the moat deepened, but a persistent attacker will lay siege to the castle and eventually find a way in.
Contrast this with a much simpler solution: simply taking the princess out of the castle and hiding her away in a safe location. The same holds true for payment card data. In order to be fully protected from hackers and criminals, merchants must remove sensitive data from their environment altogether. After all, they can’t steal what you don’t have.
This can be done with a combination of two existing technologies, tokenization and point-to-point encryption (P2PE). When properly implemented, these solutions combine to prevent cardholder data from ever passing the swipe device where customers present their cards for payment. By shrinking the card data environment down to a swipe device, all sensitive payment data in the environment is essentially eliminated. Suddenly, thieves have nothing to steal, and business can continue without fear of an impending, brand-damaging data breach.
The added benefit of using these technologies is that they may significantly reduce the scope of a merchant’s annual PCI DSS assessment. PCI’s security assessors will find their jobs much easier if all merchants did away with onsite storage and processing of sensitive payment data. But again, it is not PCI-compliance that should be our main focus. Security beyond compliance is vital to the protection of customers’ sensitive data and a merchant’s brand integrity.
EMV: A “New” Factor in the Security Equation
The newest card data security tool in merchants’ quivers (at least in the U.S.) is a technology called EMV. Global credit card brands Europay, MasterCard and Visa partnered nearly two decades ago to create EMVCo, an organization dedicated to bringing chip cards(smart cards) to the payments industry. This technology has made headlines recently in the U.S., the last major market in the world to adopt the technology. EMV cards are equipped with embedded computer chips that help to authenticate the cards when they are presented for payment. The card brands and major banks behind EMV have become increasingly vocal in promoting the technology as a solution to massive retail data breaches like the ones we’ve seen in the past year – capitalizing on the industry’s heightened fear to advance their own agenda.
The EMV “liability shift” date is less than a year away, set by the card brands as
October 2015. Essentially, that means that after October of 2015, any organization that does not support EMV technology will become financially liable for credit card fraud that could have been prevented if EMV had been in use. This has the potential to shift billions of dollars of fraud losses away from the major banks and credit card companies and onto the shoulders of merchants. In exchange, they claim, merchants will be protected from the next wave of data breaches. Unfortunately, this is a major exaggeration of EMV’s security capabilities.
While EMV will help prevent fraudsters from using stolen card data in stores, it does not stop card numbers from being stolen in the first place. EMV also does nothing to prevent e-commerce fraud. Just like PCI compliance, EMV is only a small part of the solution, not the solution itself.
When Compliance Isn’t Enough
When it comes to secure payments, there is no magical panacea. PCI compliance and EMV are important, but they must be considered components of a larger card data security strategy. This strategy must speak to every point at which cardholder data exists within the merchant environment. Merchants should add a comprehensive tokenization approach and encryption at the swipe to their arsenal alongside EMV and PCI compliance. Tokenization prevents long-term storage of card data, and P2PE encodes card data as soon as it enters the merchant environment. All these approaches taken together will make data theft next to impossible and EMV will render any data that is stolen very difficult to use. To overcome today’s cyber criminals, merchants must go beyond mere compliance in order to truly safeguard payment card data.