PCI is Not for Dummies
It seems that everyone (including this author) has an opinion on the value of the PCI DSS and the card brand programs. In March 2009, Congress held hearings on the standard, and a number of companies make a living from the program. Whatever one's view of the PCI DSS, my own experience has led me to believe that something is needed to secure the data in our industry. There are basically two approaches to solving the problem of increasing data compromises. The first is traditional compliance and risk management, which assumes that a merchant has the data and must therefore secure it; this is traditional PCI compliance and risk management. The second approach, which I support, is what I will generically call 'alternative' compliance solutions. With these solutions, the value of the data is reduced or removed. While much has been written recently about end-to-end encryption, it is really only one approach that I would classify among the alternative solutions.
Some companies have made huge strides in the industry to remove the value of data. Some of these solutions replace stored data with abstract representations. Companies like Shift4 and MerchantLink defined these types of solutions, although a number of companies have since created similar ones. These solutions have worked well in complex retail environments. Encrypting magnetic stripe readers, which render the data unreadable from the point of swipe, are made by MagTek and Semtek. These solutions provide huge benefits for smaller, level 4 merchants when used with virtual terminals and other technologies. Companies like TrustCommerce and ProPay have successfully deployed these solutions to remove data from their merchants' environments.
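To make the "replace stored data with an abstract representation" idea concrete, here is an added example (written for this page, not code from any of the vendors named above) of a minimal token vault: the provider keeps the PAN-to-token mapping, the merchant stores only a random token and the last four digits, and a scope check confirms the merchant record never contains the PAN. The in-memory dictionary, the hypothetical `TokenVault` API and the constructed test PAN `4111111111111111` are all assumptions of the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Check the PAN's Luhn check digit so garbage never enters the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider-side vault: the only place the PAN-to-token mapping exists.

    Assumption for this example: an in-memory dict. A production vault
    encrypts the PANs at rest and sits outside the merchant's network.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:  # same card always maps to the same token
            return self._token_by_pan[pan]
        token = secrets.token_hex(8)  # random; no mathematical relation to the PAN
        while token in self._pan_by_token:  # collision guard (practically never hit)
            token = secrets.token_hex(8)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores: a token plus last four digits, never the PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount_cents": amount_cents}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does the merchant's stored record expose the full PAN?"""
    return pan in " ".join(str(v) for v in record.values())
```

A stolen copy of the merchant's records yields only tokens that are useless without the vault, which is exactly the reduction in data value the post describes.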
As we move through 2009, we will continue to see solutions such as these enter the market. It is difficult to dispute that these types of solutions are needed in the industry. For those who have been active in the PCI world as QSAs, ASVs, or in other capacities, it is clear that traditional compliance simply does not work well in level 4 merchant environments. If you have not had the opportunity to see the alternative solutions, I would encourage you to do so. Some of them will not only remove data, thus reducing your risk, but also provide some reprieve from compliance with some of the PCI DSS requirements.