Retailers reeled from a devastating 1-2 punch during the first quarter of 2009: an unprecedented data breach and the worsening of a historic economic recession. I cover these topics extensively in a story on our site, but here are a few highlights worth noting about cardholder data (CHD) and PCI compliance.
The Heartland Payments Systems data breach has put PCI compliance and cardholder data security in a state of flux, leading to a congressional subcommittee hearing and calls for changes to PCI compliance regulations. The fact is, most retailers would prefer not to store cardholder data on their POS systems but must under PCI DSS rules.
An alternative approach that’s gaining momentum — as a result of recent breaches and what’s seen as the overly complex nature of PCI compliance — is tokenization. This process collects and stores sensitive CHD in a centrally secure and PCI-compliant repository, assigns a token to reference each transaction, and replaces the CHD in all points of entry and point of sale payment applications with this token.
“Tokenization is not a magic bullet, but it is helpful as a way to centralize card (and other confidential) data,” PCI Knowledge Base founder Dave Taylor e-mailed me. “The technology has the same type of impact as outsourcing card processing — simply reducing the volume of data with fraud potential and the number of places it’s stored. There is a ‘central point of failure’ risk, but the overall impact is a reduction in risk and compliance costs.” Taylor says there are roughly six companies involved in tokenization now, with that number to double possibly by the end of summer.
Shift4, a developer of enterprise payment solutions, offers a tokenization process that goes one step farther. 4Go SecureSuite sits in front of the POS application and produces a token that is passed to the POS system. As a result, the POS system doesn’t handle real card information, only tokens, which cannot be decrypted and are therefore useless to anyone outside of the system.
“The next wave of security discussions will be about new solutions that intercept the data before it enters the POS system,” Shift4 VP of marketing Randy Carr noted in an e-mail to me. “If the data is not there, it can’t be stolen.”