InformationWeek News, 5/22/2007 08:10 AM

Payment Card Data Security Costs, But Not As Much As A Data Breach

The Payment Card Industry data security standard has emerged as a primary driver of IT security spending and some serious rethinking of how data and systems are secured.

The Payment Card Industry data security standard created by Visa, MasterCard, and other payment services has emerged as a primary driver of IT security spending and some serious rethinking of how data and systems are secured. And with good reason. If the severe fines levied by Visa and its PCI partners aren't enough to persuade companies to invest in encryption, application firewalls, and other security measures, the threat of a costly and embarrassing data breach is enough to convince anyone.

"TJX is the new poster child for why PCI compliance is essential," says George Peabody, director of the emerging technologies advisory service at Mercator Advisory Group, which specializes in research and consulting for the payments industry. "Large merchants are working hard to meet the deadlines." TJX is the parent company of T.J. Maxx, Marshalls, and other retailers.

So are large credit and debit payment-processing firms such as Intuition Systems, which is trying to get out in front of a demanding PCI requirement coming in 2008: Web-facing applications must be protected against known attacks either by a review of their code or by an application-layer firewall placed in front of them. Whereas a network firewall filters traffic by address, port, and protocol and is mostly concerned with blocking malicious traffic at the network perimeter, an application firewall inspects the content of the HTTP requests reaching a company's Web applications and tells IT shops which of those requests look legitimate. "They let you know if a request is normal or a possible attack," says Intuition CIO Jean-Pierre Zaiter.

Intuition has since February been using Imperva's SecureSphere Web application firewall appliances. Zaiter found them particularly useful in protecting the various custom-made payments-processing applications Intuition has developed for its clients -- primarily merchants and retailers. "Because our customers ask for changes to these applications on a fairly frequent basis, we would have to retest each version of each application for compliance with PCI," Zaiter says.
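To make concrete what "normal or a possible attack" means for an application firewall, the following added example (not Imperva's SecureSphere code and not anything from Intuition) shows the two models such a product combines: a positive-security whitelist of which parameters each endpoint may receive and what they may look like, and a negative-security list of attack signatures. The endpoints, parameter rules, signatures, and sample request lines are all constructed for illustration.

```python
"""
Toy application-layer request inspector in the spirit of a Web application
firewall. Added example, not code from the article or from any vendor.
The endpoints, rules and sample requests below are hypothetical.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Positive-security model: per-endpoint whitelist of parameter names and
# the pattern each value must match (hypothetical payment application).
ALLOWED = {
    "/pay/authorize": {
        "merchant_id": re.compile(r"^[0-9]{1,12}$"),
        "amount": re.compile(r"^[0-9]{1,7}(\.[0-9]{2})?$"),
        "currency": re.compile(r"^[A-Z]{3}$"),
    },
    "/pay/status": {
        "txn_id": re.compile(r"^[A-Za-z0-9-]{8,40}$"),
    },
}

# Negative-security model: signatures for common injection payloads,
# applied to the percent-decoded request target.
SIGNATURES = [
    ("sql_injection", re.compile(r"'\s*(or|and|union|--|;)", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]

def inspect_request(method, target):
    """Classify one request as 'normal' or 'attack'.

    Returns (verdict, reasons); reasons lists every check that tripped,
    so a log reviewer can see why the request was flagged.
    """
    reasons = []
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)

    # Whitelist checks: unknown endpoint, unexpected parameter, bad value.
    if path not in ALLOWED:
        reasons.append(f"unknown endpoint {path}")
    else:
        rules = ALLOWED[path]
        for name, values in params.items():
            if name not in rules:
                reasons.append(f"unexpected parameter {name}")
                continue
            for value in values:
                if not rules[name].match(value):
                    reasons.append(f"parameter {name} fails whitelist")

    # Signature checks run on the decoded target so %27 and friends
    # cannot slip past the patterns.
    decoded = unquote(target)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            reasons.append(f"signature {name}")

    if method not in ("GET", "POST"):
        reasons.append(f"method {method} not allowed")

    return ("attack" if reasons else "normal", reasons)

# Constructed sample traffic: two legitimate requests, then three attacks.
SAMPLE_LOG = """\
GET /pay/authorize?merchant_id=4411&amount=19.99&currency=USD
GET /pay/status?txn_id=ab12-cd34-ef56
GET /pay/status?txn_id=1'%20OR%20'1'='1
GET /pay/authorize?merchant_id=4411&amount=19.99&currency=USD&debug=<script>alert(1)</script>
GET /admin/../../etc/passwd
"""

def scan_log(text):
    """Run inspect_request over 'METHOD target' lines; return the verdicts."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, target = line.split(None, 1)
        verdict, reasons = inspect_request(method, target)
        results.append((target, verdict, reasons))
    return results

if __name__ == "__main__":
    for target, verdict, reasons in scan_log(SAMPLE_LOG):
        print(f"{verdict:6s} {target}  {'; '.join(reasons)}")
```

The whitelist catches the SQL injection attempt on its own, because a quote character is not a valid transaction ID; the signature list catches the same request a second time, which is the point of running both models: a tight positive model protects custom applications whose parameters are known, while signatures still flag attacks against endpoints that were never whitelisted. The operational cost Zaiter describes shows up here too: every change a customer requests to an application means the whitelist for that endpoint has to be revised and retested.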

Thus far, Intuition has spent as much as $250,000 on the hardware and software needed to achieve its own PCI compliance. This number excludes the labor costs associated with implementing the technology and the other IT projects that don't get done because PCI is such a high priority.

While it has not been proven that PCI compliance equals data security, it is clear that one of the biggest data breaches reported this year came from a company that was not PCI compliant. TJX announced last week in its first-quarter earnings statement that it took a $12 million hit, or 3 cents per share, because of the theft of more than 45 million credit and debit card numbers from its IT systems over an 18-month period.

This fiasco almost makes Visa's fines for noncompliance -- which can be tens of thousands of dollars per month -- seem like a slap on the wrist. "Large break-ins like TJX are exactly what they're trying to prevent with PCI," Peabody says.

The cumulative pressure on companies that accept and process credit and debit card payments is likely to have a positive effect on data security, as it will push merchants, issuers, acquirers, and processors to upgrade their security. PCI raises the bar for encryption, requiring cardholder data to be protected both in storage and when it crosses open, public networks. Intuition met that requirement by moving the encryption work off its main network path. "We came up with a solution that was a load-balanced encryption process that moves traffic for encryption away from the rest of the network traffic," Zaiter says.

State legislators are riding the wave of data breach fears to give PCI an even sharper bite. Texas's House of Representatives last week unanimously approved a measure that would make PCI compliance a state law and force merchants and vendors that suffer a breach to reimburse banks and credit unions for costs incurred in blocking the use of compromised cards and issuing new ones if that business was not PCI compliant at the time of the breach. While some are leery of getting the government involved in enforcing an industry standard, Peabody says, "It certainly can't hurt compliance to have another source of consciousness rising out of statehouses."
