Healthcare // Analytics
News
5/20/2010
01:20 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

PCI Compliance Doesn't Have To Be Painful

Two technologies--end-to-end encryption and tokenization--may go a long way toward protecting credit-card data.

Security pros have a love-hate relationship with PCI. On one hand, the standard compels management to invest in security and mandates operational best practices. Failure to toe the line can result in fines and penalties, including increased costs for credit card transactions.

Visa, MasterCard, and other card brands could go so far as to revoke a company's right to process cards, effectively killing the business.

Such consequences get noticed by executives. "We have a security operation because of PCI," says Bob Kemp, manager of IT security for Sheetz, a chain of gas stations and convenience stores. Sheetz is a Level 1 merchant, which means it processes at least 6 million credit card transactions every year. As such, Sheetz is required by PCI to be assessed by a third-party entity called a Qualified Security Assessor, or QSA, to ensure it complies with the standard.

But on the other hand, security pros also have beefs with the standard. At the top of the list is the notion of safe harbor--or the lack of it. While PCI is mostly sticks, one carrot for merchants is that the card brands can't fine them if they're breached, provided the merchants were compliant at the time of the breach.

This safe harbor is offered as an incentive to promote compliance. Visa's Web site includes this statement: "Visa may waive fines in the event of a data compromise if there is no evidence of noncompliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach."

DIG DEEPER
Ready to Outsmart PCI? New Techs Help IT Comply
The key phrase is "full compliance at all times." On the surface, that's reasonable, until you understand that an company is technically compliant only at the time of the assessment. Once the QSA leaves, the company's status falls into a zone of uncertainty.

Two technologies--end-to-end encryption and tokenization--may go a long way toward protecting card data and ending this uncertainty. As we'll discuss in detail in our full report, available free for a limited time at information week.com/analytics/pciupdate, several large card processors offer, or will soon offer, devices that can encrypt card data at the point of sale.


InformationWeek: May 24, 2010 Issue To read the rest of the article, download a free PDF of InformationWeek magazine
(registration required)

Comment  | 
Print  | 
More Insights
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Big Love for Big Data? The Remedy for Healthcare Quality Improvements
Healthcare data is nothing new, but yet, why do healthcare improvements from quantifiable data seem almost rare today? Healthcare administrators have a wealth of data accessible to them but aren't sure how much of that data is usable or even correct.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.