Thales Blog

Formula For Success: Good IT Security + Strong Cardholder Data = PCI DSS Compliance

March 10, 2010

At Thursday’s RSA Conference panel, “Protecting vulnerable data in payment systems – are we there yet?”, the spotlight was on the Payment Card Industry Data Security Standard (PCI DSS). The discussion revolved around the familiar idea that companies need to develop strong IT security programs and protect cardholder data, after which PCI DSS compliance will naturally follow.

Bob Russo, General Manager of the PCI Security Standards Council, boiled it down to: “There needs to be a mind shift from just compliance to security [since] compliance is a byproduct of good security.” And when it comes to PCI DSS, Russo added: “PCI DSS is the baseline.”

Formula for success: Good IT security + strong cardholder data = PCI DSS compliance

John Sheets from Visa made it clear to merchants that protecting cardholder data cannot be treated as a fire drill. Instead, the PCI DSS assessment should be seen as a key step towards achieving security. Sheets said: “Everyone needs to move away from a ‘validation and it’s done’ approach. Instead, it is an ongoing process.”

Steven Elefant, Heartland Payment Systems CTO, understands the consequences of a cardholder data breach all too well, and discussed how Heartland has now implemented new technology to keep itself one step ahead of criminals. Heartland’s End-to-End Encryption system, E3, encrypts card data from the moment it is captured at the POS and keeps it encrypted throughout the entire processing system at Heartland. Furthermore, the system ensures that cardholder data does not remain with merchants: instead, merchants are given a token that serves as a reference for the payment. This addresses a real need, because the latest research from The Ponemon Institute found that Qualified Security Assessors (QSAs) report that merchants most often store cardholder data to handle chargebacks and customer service; a token lets them do so without holding the card number itself.
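To make the tokenization idea concrete, here is a small added example of a token vault that is not Heartland’s E3 or any Thales product code. It assumes a hypothetical processor-side vault (the in-memory dictionaries stand in for an encrypted, access-controlled database), a constructed index key, and the well-known test card numbers 4111111111111111 and 4012888888881881 as constructed input. It shows the three properties the panel discussion relies on: the merchant keeps only a token (plus the last four digits it needs for customer service), the same card always maps to the same token so chargebacks can be matched, and the token is deliberately built to fail the Luhn check so that a DLP scanner or a thief cannot mistake it for a real card number.

```python
import hmac
import hashlib
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used to recognise a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """The test a DLP scanner applies: all digits, 13-19 long, passes Luhn."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)

class TokenVault:
    """Hypothetical processor-side vault (assumption: not a real product API).

    In production the PAN column would be encrypted under an HSM-held key and
    the vault isolated from merchant systems; plain dicts are used here so the
    example runs offline.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # HMAC key for the deterministic lookup index
        self._token_by_index = {}     # HMAC(PAN) -> token
        self._pan_by_token = {}       # token -> PAN (encrypted at rest in reality)

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup table itself does not leak PANs.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length, last four digits preserved, everything else random.
        # Reject candidates that pass Luhn so the token can never be mistaken
        # for (or used as) a real card number.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, reusing the existing one if already vaulted."""
        if not looks_like_pan(pan):
            raise ValueError("input is not a well-formed card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = self._new_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; merchants never call this."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant stores for chargebacks and customer service: no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}

if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key-not-for-production")
    rec = merchant_record(vault, "4111111111111111")   # constructed test PAN
    print(rec, "token passes DLP PAN check:", looks_like_pan(rec["token"]))
```

The `looks_like_pan` check doubles as the detection rule a defender would run over merchant databases and logs after deploying tokenization: any value that passes it is a finding, while tokens generated this way never do.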

Moving on to the PCI DSS specifications, Bob Russo hinted at some of the clarifications coming in the PCI DSS update in October 2010. He identified three of the technologies which are likely to receive clarification as:

  • Chip & PIN technology
  • End-to-end encryption
  • Tokenization

However, it is clear that technology alone does not stop criminals; technology is merely the tool. To ensure that card data is adequately secured, it is essential that this tool is deployed correctly. Everyone on the panel agreed that all those involved in accepting and processing payments need to step up to the challenge of data security. If PCI DSS can help direct the focus and budget for security at management level, then this is a great step forward. However, it is only actions like those being implemented by Heartland that will move security to the top of the financial services agenda and, in the end, help the industry prevent fraud.