PCI COMPLIANCE: What you Don’t Know CAN Hurt You
To some people, the idea of crime against merchants seems like the latest Clint Eastwood movie, but the more modern day characterization is the exploitation of customer’s sensitive payment card account data. With this data, hackers can unlock direct access to money and personal identities. Damage can be swift and it’s getting worse before it gets better.
According to Databreaches.net, 2009 was the year of the “Mega Data Breach.” the number of personal records that were exposed -- data like Social Security numbers, medical records and credit card information tied to an individual -- that hackers got access to skyrocketed to 220 million records in 2009, compared with 35 million in 2008. That represents the largest collection of lost data on record. At the same time, the average cost per compromised customer record rose to $204 in 2009 from $202 in 2008, according to Ponemon Institute LLC.
Luckily, there’s a clear path of action for businesses that can help prevent the compromise of payment card data called the Payment Card Industry Data Security Standard (PCI DSS), which provides guidelines to keep sensitive cardholder data safe from exploitation. Compliance is mandatory for any merchant or business that transmits, processes or stores payment card data. The PCI DSS has undoubtedly made a significant improvement to the security of cardholder account numbers and other sensitive information within the payment card infrastructure.
However, complying with PCI DSS should not be considered a silver bullet for protecting information and battling fraud. Consider that many of the companies victimized by data breaches in the past several years were found to be PCI-compliant prior to the breach. When the breach occurred, however, they had unwittingly fallen out of compliance. This puts companies at risk for a breach or an audit resulting in hefty fines that could bring them to their knees. Unfortunately, most find out the hard way.
The lesson learned? It’s what merchants don’t know that could end up hurting them along with their business. But there are solutions out there to help merchants stay compliant with less effort. For example, companies can choose to outsource their company data via a tokenization technology to nearly eliminate in some cases, the requirements necessary for a merchant to be PCI DSS compliant. As recent research from industry analyst firm Aberdeen Group attests, “the use of tokenization is strongly correlated with the achievement of Best-in-Class results.”
So what is tokenization? The bottom line is that tokenization is a technology that leapfrogs traditional end-to-end encryption.Think of it this way: end-to-end encryption is water resistant; tokenization is water proof. When merchants implement an outsourced tokenization solution, sensitive data is removed from enterprise systems and the technology is complimentary to legacy systems.
This technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP or POS, and replacing it with a surrogate number known as a “token”, a unique ID created to replace the data associated with a specific card number.
Utilizing tokenization to help with a company’s PCI compliance offers the following two key benefits:
- Security: Implementing tokenization via a Software as a Service (SaaS) model ensures no customer card data resides within company systems. By eliminating the storage of sensitive cardholder data, merchants can realize a multitude of security advantages over traditional enterprise encryption solutions.
- Cost effectiveness: A tokenization solution requires minimal upfront capital expenditure and it saves on the back-end by preventing costly breaches. According to Gartner Group, a company with 100,000 customer accounts spends $6 per account to roll out encryption appliances. A separate encryption solution is required for each place where credit card data is stored. In a large enterprise there can easily be 10 or 20 systems. In contrast, by transferring all card holder data out of your systems, a company eliminates capital expenditures. It’s a simple premise: the less data there is onsite the less it costs to keep it secure.
In short, being PCI compliant isn’t something that merchants should take for granted. It’s too easy to fall out of compliance and not know it, leaving your systems open to ill-will hackers. But with the right tokenization technology, companies can spend less time on compliance and feel confident in the security of their card holder data, taking a merchant beyond PCI Compliance…helping executives sleep better at night.
About Larry Wine
Mr. Wine is an electronic payments industry subject matter expert with more than 20 years of top-level, global executive leadership experience. As President and CEO of Paymetric, Inc., Mr. Wine is responsible for increasing stakeholder value through strategic, operational, financial and resource excellence. In his first year with the company, Mr. Wine spearheaded a new strategic vision that positioned Paymetric as the global leader in integrated and secure ePayment processing for ERP systems. He has successfully led the transformation of Paymetric’s business model from a licensed payment integration software company to a Software-as-a-Service ePayment processing company. Prior to joining Paymetric, Mr. Wine was President and CEO of RBS Lynk, where he was responsible for the strategic leadership and executive management of the U.S. acquiring business.
Mr. Wine is an electronic payments industry subject matter expert with more than 20 years of top-level, global executive leadership experience. As President and CEO of Paymetric, Inc., Mr. Wine is responsible for increasing stakeholder value through strategic, operational, financial and resource excellence. In his first year with the company, Mr. Wine spearheaded a new strategic vision that positioned Paymetric as the global leader in integrated and secure ePayment processing for ERP systems. He has successfully led the transformation of Paymetric’s business model from a licensed payment integration software company to a Software-as-a-Service ePayment processing company. Prior to joining Paymetric, Mr. Wine was President and CEO of RBS Lynk, where he was responsible for the strategic leadership and executive management of the U.S. acquiring business.
About Paymetric
Paymetric, Inc. is the leading provider of integrated and secure electronic payment acceptance solutions that enable companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance and improve return on electronic payment acceptance. Paymetric’s solutions support virtually every type of electronic payment in any enterprise system where payment is accepted. Paymetric is recognized as an industry leader and is a three-time award-winning SAP certified partner. Visit www.paymetric.com for additional information.
Paymetric, Inc. is the leading provider of integrated and secure electronic payment acceptance solutions that enable companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance and improve return on electronic payment acceptance. Paymetric’s solutions support virtually every type of electronic payment in any enterprise system where payment is accepted. Paymetric is recognized as an industry leader and is a three-time award-winning SAP certified partner. Visit www.paymetric.com for additional information.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!
