By: Charles Crawford
In a bylined piece published on cio.com, well-respected security expert and author Ben Rothke wrote: "...people don't want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes." He went on to praise the PCI Security Council's vision: "The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard."
I find myself usually agreeing with Rothke's well-reasoned perspectives. Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.
Where I take issue with Rothke's article, "PCI Debate Ignores Planned Improvement Cycle" [1], is in the apparent limitation of his perspective to traditional security remediation solutions. If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke's point is well taken, albeit worrisome. What follows logically is that merchants should "man up" and embrace a future of never-ending "improvement cycles" that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward "breach-proof" data.
What is taken too lightly is the role innovation is already playing. Less costly and pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternatives among recession-weary merchants.
The PCI Council got it right when they set as milestone #1 of their Prioritized Approach to Pursue Standard Compliance "Remove sensitive authentication data and limit data retention." EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems so that it can't be lost or stolen.
Conventional thinking is for merchants to use a matrix of remedial techniques, gambling that the data they hold will be so perfectly sequestered and disguised that it might not get compromised, at least if everything works as planned and criminals don't get any more clever.
EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs. BRICs are used as card numbers would otherwise be: for transaction receipts, customer service returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes. BRICs are not encrypted card numbers and are not derived from card numbers, so they have no street value if lost or stolen from the merchant.
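The following is an added illustration of the token model just described, not EPX's BuyerWall code: a hypothetical processor-side vault issues a random GUID per transaction, and the merchant stores only that token plus a display mask, so nothing in merchant records is a card number or derivable into one. The card number used is a constructed test value.

```python
import uuid

# Hypothetical processor/merchant pair (assumed for illustration; not EPX's implementation).

def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so the processor rejects malformed card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

class Processor:
    """Holds the only copy of the PAN and issues a random token per transaction."""
    def __init__(self):
        self._vault = {}                     # token -> PAN, lives only at the processor
    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = str(uuid.uuid4())            # random GUID: not an encryption or hash of the PAN
        self._vault[token] = pan
        return token
    def refund(self, token: str, amount: int) -> bool:
        # The merchant never supplies the PAN; the processor resolves the token internally.
        return token in self._vault and amount > 0

class Merchant:
    """Merchant records keep the token and a masked form, never the PAN itself."""
    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = {}
    def checkout(self, order_id: str, pan: str, amount: int) -> str:
        token = self.processor.tokenize(pan)
        self.orders[order_id] = {"token": token, "last4": pan[-4:], "amount": amount}
        return token
    def refund(self, order_id: str) -> bool:
        order = self.orders[order_id]
        return self.processor.refund(order["token"], order["amount"])
    def retained_pans(self) -> list:
        """Anything still in merchant storage that passes as a valid card number."""
        return [v for o in self.orders.values() for v in o.values()
                if isinstance(v, str) and luhn_valid(v)]
```

Two checkouts with the same card yield unrelated tokens, and a scan of merchant storage finds no value that validates as a card number.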
For EPX, tokenization is no bandwagon initiative like we now are seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with "replacement value codes" in 2001, three years before the first PCI Standards were published. Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.
As the Council and many others have said, there is no "silver bullet," no single solution, not even tokenization. We make no claim that EPX BRICs are such. Yet, properly constructed and managed tokenization also is no "band-aid" of the kind Rothke so wisely mocks. When the card numbers are gone, they're gone. There's not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary "improvement cycles" or investments to maintain the security of the data. In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SSC's most rigorous compliance requirements (Level 1).
Is it so that "people want their...security now"? No doubt about it. But I say, "why not?" Merchants deserve pragmatic solutions that can achieve an even higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.
Rothke says there is genius in the PCI Council's process of ever-evolving standards. I think the real genius of the Council is its professed technological agnosticism which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them. In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.
—————————–
Charles Crawford is EVP of Strategic Development for EPX
[1] Ben Rothke, "PCI Debate Ignores Planned Improvement Cycle," CIO.com, June 2009: http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000
EPX is a pioneer in the payments industry
January 20th, 2010
Founded in 1979, Electronic Payment Exchange (EPX) is a pioneer in the payments industry. EPX commercialized many of the innovations that became industry standards.
EPX was the first payment processing organization to:
EPX is truly unique in the payments industry: it provides a straight-through, fully integrated payment processing platform, whereas its competitors offer a patchwork of limited-service providers that merchants must manage and integrate separately. EPX provides traditional, as well as Internet-related, products and services to businesses, public utilities, merchants, retailers, e-tailers, merchant acquiring banks, Independent Sales Organizations (ISOs), and third-party processors in the United States, Canada, Europe, the Middle East, Latin America and the Caribbean.
Recognizing the increased focus on PCI compliance, EPX is revolutionizing the payments industry through the development of fully integrated payment solutions that enable merchants to efficiently, securely, and cost-effectively process credit card, debit card, stored value, and ACH payments. By incorporating our patent-pending BuyerWall™ technology into our solutions, we lead the way in helping merchants achieve PCI compliance.
EPX solutions include: