Blog: Creating a Robust Card Data Security Strategy above and beyond PCI Compliance
By Dave Oder, Shift4 Corp.
While it’s important for merchants to comply with PCI standards, a comprehensive data security strategy requires more than PCI compliance. Merchants must move beyond a “moment in time” assessment and make security a daily consideration.
Complying with each and every requirement of the PCI DSS is no guarantee of complete protection against data breaches. One of the biggest challenges with PCI standards is that the goal is to keep cardholder data safe in a merchant’s environment. To be fully secure, however, merchants must remove sensitive data from their environments altogether. Cyberthieves can’t steal what merchants don’t have.
Enter Encryption and Tokenization
| “By shrinking the card data environment down to a P2PE-enabled swipe device, all sensitive data are essentially eliminated from the merchant environment. As a result, thieves have nothing to steal, and business can continue without fearing an impending, brand-damaging data breach.” |
Point-to-point encryption (P2PE) and tokenization solutions—although not required by PCI—provide a one-two punch against fraudsters, preventing cardholder data from ever getting past the terminal. (P2PE is a process of securely encrypting CHD from the merchant point-of-sale entry to the final card processing point. Tokenization is the process of substituting sensitive data with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.)
By shrinking the card data environment down to a P2PE-enabled swipe device, all sensitive data are essentially eliminated from the merchant environment. As a result, thieves have nothing to steal, and business can continue without fearing an impending, brand-damaging data breach.
When merchants interweave P2PE and tokenization with EMV, they have the best possible protection against data breaches. The vast majority of retailers with P2PE in place today rely on a software-based key-management method sold by vendors that are almost all Level 1 Service Providers that meet and exceed PCI’s most stringent standards.
How EMV Changes the Game
EMV is a global standard for authenticating network branded card transactions, and the U.S. recently became the last major market in the world to begin the migration to chip card technology. The payments networks and major banks have become increasingly vocal in promoting EMV as the network liability shift nears.
As merchants make the transition to EMV, they should understand that EMV—just like PCI compliance—is only one tool in the fight against fraud. For example, EMV is great at preventing fraudsters from using stolen card data in stores, but it doesn’t stop e-commerce fraud.
A Well-Rounded Security Strategy
In the world of card data security, there’s no magic bullet. PCI compliance is a helpful step in the right direction, as are EMV-enabled cards and terminals, but they cannot prevent breaches or card data theft in and of themselves. Both belong as part of a larger security plan that takes into account every place cardholder data exist within the merchant environment.
Tokenization prevents the long-term storage of card data, and encryption encodes card data as it is swiped, further protecting sensitive data from hackers. These solutions, along with PCI compliance and EMV, form a comprehensive security system to protect data and render data useless to any cybercriminal who manages to get a hold of it.
Dave Oder is president and CEO of Shift4 Corp., a merchant payments gateway. He can be reached at [email protected].
In Blogs & Viewpoints, prepaid and emerging payments professionals share their perspectives on the industry. Paybefore endeavors to present many points of view to offer readers new insights and information. The opinions expressed are not necessarily those of Paybefore.
