By: Charles Crawford
In a by-lined piece published in cio.com, well-respected security expert and author Ben Rothke wrote “…people don’t want to invest in long-term security plans. They want their security band-aid now, despite the fact they have never built security into their designs or processes.” He went on to praise the PCI Security Council’s vision: “The genius of the PCI DSS (and when PCI is compared to regulations such as SoX and GLBA, genius is indeed an appropriate term) is that it has sensible concepts such as an open formal feedback process, trend analysis, impact evaluation, guidance and much more built into the very fabric of the standard.”
I find myself usually agreeing with Rothke’s well-reasoned perspectives. Indeed, it is especially easy to agree that businesses should have a culture that promotes holistic security, must not consider compliance an end unto itself, and that the processes of security must evolve ahead of the threats.
Where I take issue with Rothke’s article, “PCI Debate Ignores Planned Improvement Cycle,” is in the apparent limitation of his perspective to traditional security remediation solutions. If the path to sufficient cardholder data security certainty can be achieved only through ratcheted, ever-more-effective and pervasive layers of encryption, firewalling, intrusion prevention and other hardening, then I suppose Rothke’s point is well taken, albeit worrisome. What follows logically is that merchants should “man up” and embrace a future of never ending “improvement cycles” that require lots of money, effort, time and discipline (notably external discipline) in their quixotic journey toward “breach-proof” data.
What is taken too lightly is the role innovation is already playing. Less costly and more pragmatic ways of avoiding data compromise are fast gaining acceptance as viable alternatives among recession-weary merchants.
The PCI Council got it right when it set as milestone #1 of its Prioritized Approach to Pursue PCI DSS Compliance “Remove sensitive authentication data and limit data retention.” EPX, for one, provides merchants a pre-emptive solution with exactly that purpose: total elimination of cardholder data from merchant systems, so that it can’t be lost or stolen.
Conventional thinking is for merchants to deploy a matrix of remedial techniques, gambling that the data they hold will be so perfectly sequestered and disguised that it might not get compromised – at least if everything works as planned and criminals don’t get any cleverer.
EPX, on the other hand, concluded that the surest way to avoid data loss is for the merchant never to have the data in the first place. Instead of keeping card data, EPX merchants operate normally using GUID transaction reference codes called BRICs. BRICs are used wherever card numbers would otherwise be: for transaction receipts, customer service, returns, refunds, chargeback responses, follow-on purchases and all other operational and financial purposes. BRICs are not encrypted card numbers and are not derived from card numbers, so they have no street value if lost or stolen from the merchant.
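The distinction drawn above, between a random reference token and a value derived from the card number, is the whole security argument, so here is an added example that illustrates it. This is illustrative code, not EPX or BuyerWall code: it assumes 16-digit PANs, a processor-side vault that is the only place a token resolves to a PAN, a merchant that keeps only the token plus the last four digits, and a constructed sample PAN (a publicly known test number). The second half shows why a “token” that is merely an unsalted hash of the PAN is not a token at all: with the BIN and last four known, the remaining digits are brute-forced in well under a second.

```python
# Added example (not EPX/BuyerWall code): a random-token vault beside a
# PAN-derived "token", showing why only the former is safe for a merchant
# to hold.  Assumes 16-digit PANs and a processor-side vault; the sample
# PAN below is a constructed, publicly known test number.
import hashlib
import uuid
from typing import Dict, Optional

SAMPLE_PAN = "4111111111111111"  # constructed test PAN, passes Luhn


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum; a PAN is valid when this is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def is_plausible_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_sum(pan) % 10 == 0


class TokenVault:
    """Processor-side vault: the only place a token maps back to a PAN.

    Tokens are UUIDv4 values from the OS CSPRNG, independent of the PAN, so
    no computation on a token recovers card data; an attacker must breach
    the vault itself.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_plausible_pan(pan):
            raise ValueError("not a plausible PAN")
        token = str(uuid.uuid4())  # random, not a function of the PAN
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the merchant keeps instead of the PAN: the token plus the last
    four digits for receipts and customer service."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


def derived_token(pan: str) -> str:
    """The weak alternative: an unsalted hash of the PAN.  Deterministic and
    derived from the card number, so it can be reversed by brute force."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def recover_pan_from_hash(digest: str, bin6: str, last4: str) -> Optional[str]:
    """Reverse an unsalted SHA-256 of a 16-digit PAN given BIN and last four.

    Six middle digits are unknown.  The Luhn check digit (inside last4) pins
    one of them, so only 10**5 candidates need hashing.
    """
    assert len(bin6) == 6 and len(last4) == 4
    for n in range(10**5):
        five = f"{n:05d}"
        # Position 12 of 16 carries Luhn weight 1, so its digit is fixed by
        # the weighted sum of the other fifteen digits.
        partial = luhn_sum(bin6 + five + "0" + last4)
        sixth = str((-partial) % 10)
        candidate = bin6 + five + sixth + last4
        if derived_token(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, SAMPLE_PAN)
    print("merchant stores:", rec)
    print("vault resolves to:", vault.detokenize(rec["token"]))
    leaked = derived_token(SAMPLE_PAN)
    print("hash 'token' recovered as:", recover_pan_from_hash(leaked, "411111", "1111"))
```

Two points the run makes concrete: tokenizing the same PAN twice yields two unrelated tokens, so a stolen token set tells an attacker nothing about which customers share a card, let alone the card itself; and the hashed “token” falls to a 100,000-candidate search because a PAN has almost no entropy once the BIN and last four are on the receipt next to it. A salted or keyed hash raises the bar but still ties the value to the card number; a random vault token does not.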
For EPX, tokenization is no bandwagon initiative like the ones we now are seeing from Paymentech, First Data and others. In fact, EPX started routinely processing with “replacement value codes” in 2001, three years before the first PCI Standards were published. Our processes evolved over the years into the comprehensive, patent-pending suite of cardholder data security technologies we now call BuyerWall™.
As the Council and many others have said, there is no “silver bullet,” no single solution – not even tokenization. We make no claim that EPX BRICs are such. Yet properly constructed and managed tokenization is also no “band-aid” of the kind Rothke so wisely mocks. When the card numbers are gone, they’re gone. There’s not much left for the merchant to safeguard. And, once implemented, EPX requires no extraordinary “improvement cycles” or investments to maintain the security of the data. In fact, security of the data becomes a responsibility for which EPX is well prepared, since, as a processor, we have always had to take special care with data and are subject to the PCI SSC’s most rigorous compliance requirements (Level 1).
Is it so that “people want their…security now”? No doubt about it. But I say, “why not?” Merchants deserve pragmatic solutions that can achieve an even higher standard of security without costly and cumbersome techniques that may or may not ultimately prove effective enough.
Rothke says there is genius in the PCI Council’s process of ever-evolving standards. I think the Council’s real genius is its professed technological agnosticism, which, generally, is supposed to allow merchants to achieve card data security with whatever technology and processes work best for them. In that spirit, merchants have more to choose from than Rothke seemed to acknowledge.
—————————–
Charles Crawford is EVP of Strategic Development for EPX
[1] Ben Rothke, “PCI Debate Ignores Planned Improvement Cycle,” CIO.com, June 2009. http://www.cio.com/article/495093/PCI_Debate_Ignores_Planned_Improvement_Cycle?taxonomyId=3000
Farewell to David Taylor, A Strong Voice in the Payment Card Industry
Friday, October 30th, 2009
We sadly learned yesterday of the sudden and premature death of David Taylor, PhD, founder of the PCI Knowledge Base. He was a good friend to EPX and the entire data security community.
Dave was a Gartner Group senior analyst for 14 years earlier in his career. He was an encyclopedia of all things data security, particularly relating to Payment Card Industry Data Security Standards. He was one of the best known and most respected subject matter experts on cardholder data security and, lately, a specialist on emerging technologies, such as credit card data tokenization and end-to-end encryption. A prolific writer and speaker, Dave was a self-proclaimed “academic researcher at heart.” Data was the bedrock of his fact-built world of intellect. His expressions in public and in writings seemed always to start with the words “…according to our research…” Yet, his intellect was such that he always took his audience well above the minutiae and spoke clairvoyantly to the trends and meanings of complicated and conflicting information. He was strongly opinionated, yet steadfastly unbiased in his analyses.
Dave’s pioneering resource site, www.pciknowledgebase.com, is his legacy to those who are concerned about consumer data security — whether vendors, PCI Qualified Security Assessors (QSAs), CIOs, CSOs or academics. The site has become a substantive gathering-point for detailed knowledge of PCI — with its prestigious “Panel of Experts” and meaty research reports involving hundreds of interviews personally conducted over months and years. PCIKB is a contrast to the many “PCI-lite” opportunistic data security information sites and publications found on the web.
Those who had the good fortune of getting to know Dave a bit on a personal level discovered an outgoing person of boundless energy and good humor, one with an understated wit, a few engaging quirks here and there, and a nice thing to say about almost everyone he knew.
We at EPX extend our sympathies to his family for their loss.
Tags: credit card processing, dave taylor, Dr. David Taylor, Electronic Payment Exchange, end-to-end encryption, EPX, payment processing, PCI compliance, PCI Knowledge Base, PCI Knowledgebase
Posted in EPX Commentary, Payments Industry News