There is a lot of discussion around improving payment card security since there have been so many breaches in the retail sector. The hot topics for improvement are tokenization and end-to-end encryption. Is it likely that PCI DSS will include them in future updates? Should my company start preparing for this move? If so, what steps should we take?
Tokenization and end-to-end encryption are both strong security technologies and play important roles in limiting the scope of PCI DSS compliance within an organization. PCI DSS does not mandate the use of these technologies and I don't expect that to become the case, but merchants who adopt them may find these technologies can ease compliance burdens.
Tokenization replaces sensitive information, such as a credit card number, with an otherwise meaningless value or "token" that may be stored in a database. The token typically has the same format as the data element it replaces (same length, all digits, often the same last four) so it remains compatible with existing card processing systems. When authorizing a transaction, the merchant receives a token value from the payment gateway for that transaction. This token uniquely identifies the transaction and, when presented back to the gateway or tokenization provider that holds the token-to-card mapping, allows the transaction details to be retrieved. The merchant stores the token in its database for future reference and never stores the actual credit card number, which reduces the amount of sensitive information held on merchant systems. Even if an intruder steals the database contents, the token values are worthless to the attacker: they are not card numbers, they cannot be used to initiate a transaction anywhere outside the merchant's relationship with that provider, and the only path back to the real card number is a detokenization request that the provider controls.
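The following is an added example, not code from the original column or from any tokenization vendor, that shows the mechanics described above: a provider-side vault hands out format-preserving tokens (same length, last four digits kept, never Luhn-valid so a token can never pass as a card number), the merchant's order table stores only the token, and mapping a token back to the card is a call only the vault can answer. The vault type, the HMAC-free random token draw, and the sample Visa test number are assumptions made for the example; a production vault also encrypts the card numbers it holds and lives inside the provider's, not the merchant's, PCI scope.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// luhnValid reports whether pan is a digit string that passes the Luhn
// (mod 10) check, the checksum every real card number carries.
func luhnValid(pan string) bool {
	if len(pan) < 12 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Vault is the tokenization provider's side of the exchange (example
// structure, not any vendor's). The merchant never holds this mapping.
type Vault struct {
	byToken map[string]string
	byPAN   map[string]string
}

func NewVault() *Vault {
	return &Vault{byToken: map[string]string{}, byPAN: map[string]string{}}
}

// randomToken builds a candidate token of the same length as pan: random
// digits, with the last four kept so receipts and customer service still work.
func randomToken(pan string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(pan)-4; i++ {
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		b.WriteByte(byte('0' + n.Int64()))
	}
	b.WriteString(pan[len(pan)-4:])
	return b.String(), nil
}

// Tokenize exchanges a PAN for a format-preserving token. The same PAN always
// yields the same token (so the merchant can still spot repeat customers), and
// no issued token passes the Luhn check, so a leaked token can never be
// mistaken for, or submitted as, a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("tokenize: input is not a valid PAN")
	}
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	for {
		t, err := randomToken(pan)
		if err != nil {
			return "", err
		}
		if luhnValid(t) {
			continue // looks like a real card number: reject and draw again
		}
		if _, taken := v.byToken[t]; taken {
			continue // collision with an existing token
		}
		v.byToken[t] = pan
		v.byPAN[pan] = t
		return t, nil
	}
}

// Detokenize is the only path back to the PAN, and it is the provider's
// call to make, not the merchant's.
func (v *Vault) Detokenize(token string) (string, error) {
	pan, ok := v.byToken[token]
	if !ok {
		return "", errors.New("detokenize: unknown token")
	}
	return pan, nil
}

func main() {
	vault := NewVault()
	pan := "4111111111111111" // constructed sample: a Visa test number, not a real card
	token, err := vault.Tokenize(pan)
	if err != nil {
		panic(err)
	}
	// The merchant's order table stores only the token.
	orders := map[string]string{"order-1001": token}
	fmt.Printf("stored for order-1001: %s (Luhn-valid: %v)\n", orders["order-1001"], luhnValid(token))
	// A stolen copy of orders reveals nothing usable; only the vault can map it back.
	back, _ := vault.Detokenize(orders["order-1001"])
	fmt.Println("vault resolves token to PAN:", back == pan)
}
```

Keeping the last four digits is a usability trade-off: it leaves the customer-service and receipt workflows intact, but it also means an attacker who steals the token table learns those four digits, so treat a token dump as a minor disclosure rather than as nothing at all.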
End-to-end encryption goes a step further by keeping all payment card information out of merchant systems: the transaction is encrypted from the swipe terminal all the way to the bank. When a customer or employee swipes a credit card or keys it into a terminal, tamper-resistant hardware within the terminal encrypts the card details using keys that are held only in that hardware and at the payment processor. The merchant's point-of-sale systems relay an opaque blob and never have electronic access to the card data, so the merchant bears far less responsibility for transaction security, though it still has to inventory its terminals and check them for tampering, since a swapped or skimmer-fitted device defeats the scheme before encryption happens.
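The exchange described above, as an added example that is not part of the original column or any processor's software: the terminal's secure hardware encrypts the card data under a per-terminal key, the merchant's systems see and log only the ciphertext, and the processor decrypts it. The terminal and transaction IDs are bound in as associated data so that the same blob cannot be replayed under another transaction, and any alteration in transit fails authentication. The HMAC-based per-terminal key derivation is an assumption standing in for the DUKPT key-injection scheme real P2PE deployments use; the master key, terminal IDs and track data are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Envelope is everything that leaves the terminal. The merchant's POS routes it
// by TerminalID and TxnID but can read nothing inside Ciphertext.
type Envelope struct {
	TerminalID string
	TxnID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag appended
}

// TerminalKey derives a per-terminal key from the processor's master key.
// Assumption for this example: an HMAC derivation stands in for DUKPT.
func TerminalKey(master []byte, terminalID string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(terminalID))
	return m.Sum(nil) // 32 bytes: AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt models the terminal's secure hardware: the key is used here
// and never exported. Terminal and transaction IDs go in as associated data,
// so the blob is bound to this one transaction.
func TerminalEncrypt(key []byte, terminalID, txnID, trackData string) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(terminalID + "|" + txnID)
	return Envelope{
		TerminalID: terminalID,
		TxnID:      txnID,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, []byte(trackData), aad),
	}, nil
}

// MerchantView is all the merchant's systems and logs ever contain.
func MerchantView(e Envelope) string {
	return e.TerminalID + " " + e.TxnID + " " + hex.EncodeToString(e.Ciphertext)
}

// ProcessorDecrypt runs at the processor. It fails closed if the blob was
// altered in transit or presented under a different terminal or transaction.
func ProcessorDecrypt(key []byte, e Envelope) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	aad := []byte(e.TerminalID + "|" + e.TxnID)
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, aad)
	if err != nil {
		return "", errors.New("processor: authentication failed, blob altered or replayed")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample values; a real master key lives in the processor's HSM.
	master := []byte("example-processor-master-key-not-real")
	key := TerminalKey(master, "TERM-0001")
	// Constructed track data: Visa test number plus expiry, not a real card.
	env, err := TerminalEncrypt(key, "TERM-0001", "TXN-000042", "4111111111111111=2712")
	if err != nil {
		panic(err)
	}
	fmt.Println("merchant sees:", MerchantView(env))
	card, err := ProcessorDecrypt(key, env)
	fmt.Printf("processor recovers: %q (err=%v)\n", card, err)
	// The same blob presented under a different transaction fails authentication.
	replay := env
	replay.TxnID = "TXN-000043"
	_, err = ProcessorDecrypt(key, replay)
	fmt.Println("replay under another transaction:", err)
}
```

The point worth noticing is what the merchant side can do with the envelope: route it, log it, retry it, but not read or alter it. That is exactly the property that takes the POS out of the card-data path.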
Both tokenization and end-to-end encryption are valuable tools for protecting sensitive payment card transactions; they're not mandated by PCI DSS and probably won't be any time soon, but they're worth exploring to better safeguard payment data. Expect to see their adoption continue to increase as merchants search for ways to reduce the burden of PCI DSS compliance programs.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)