Perspective: New Security Technologies and Their Impact on the Industry
- Type: First Data Perspectives
My last two posts focused on PCI compliance and some tips to help merchants reduce fraud and data security threats and incidents. I would like to shift my thoughts to the industry, and what encryption and tokenization will mean for security standards.
What makes sensitive cardholder data vulnerable? During a transaction, card data must flow through a payments processing chain in order to be processed. This processing chain, which includes consumers, merchants, acquirers/processors, card brands and issuing banks, links many technologies including communication lines, databases and sophisticated applications. Data thieves have become quite sophisticated in their knowledge of how these technologies work, enabling them to exploit points of vulnerability in the payments processing chain.
The payment card industry (PCI) is fighting back. One starting point, which I have talked about previously, is the PCI Data Security Standard (PCI DSS), which provides guidelines to merchants about how to secure cardholder data. While PCI DSS has helped, it isn’t enough; hundreds of millions of data records have still been breached in recent years.
This statistic shows the need for new thinking about how to combat fraud. In response, payments processors, including First Data, recently created encryption and tokenization security offerings that meaningfully address payment card security in advance of the PCI Council’s guidance. What does this mean for security standards bodies like PCI? It means they now have to supplement their standards to create guidance for merchants implementing these solutions, as well as for all the other players involved.
We'll talk more about what these standards could look like in future posts. To hear more about the state of the industry, visit RSA’s blog, Speaking of Security.