E-commerce merchants tighten credit card data security to protect brand

25 July 2011

Nearly 70% of e-commerce merchants said they have tightened credit card data security in order to protect their brand, not to avoid fines for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to a survey by Visa’s CyberSource unit and Trustwave.

Only 26% of respondents said that they have increased credit card security in order to avoid penalties for PCI DSS non-compliance, according to the online survey of e-commerce merchants.

In addition, a majority of respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

“People are seeing the threats from internal and external forces as the same”, said Rosa Luis, solution management for payment security at CyberSource. “That makes a lot of sense, because the data is readily available and easy to access for internal employees. So if you have credit card information on your network, employees have much more visibility into that than the external hacker”, Luis told Infosecurity.

In addition, the survey found that over the next two years more merchants expect to move credit card data from their networks to third-party vendors as a way of reducing security risks and data storage and compliance costs.

“Companies are moving toward implementing remote strategies for payment security. Rather than keeping data internally in their systems or capturing and transmitting data internally, they are moving to having a PCI DSS-certified third party service provider do that for them”, Luis said.

Merchants that outsource their credit card data processing and storage spend less on infrastructure, the survey found. Three-quarters of PCI DSS Level 1 merchants that have removed payment data from their networks spend less than $500,000 on their payment security infrastructure; only 60% of those that keep data in-house can make that claim.

Merchants that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management, the survey found.

“Companies that are using a remote strategy, and not doing things internally, are actually having much more success in reaching PCI DSS compliance in a shorter period of time. So 87% of the companies that are using a remote strategy are complying in 20 weeks or less, whereas only 79% of companies that are using an on-site strategy are complying with PCI DSS in the same amount of time”, Luis noted.

Luis explained that tokenization is a strategy that merchants are increasingly using in order to avoid storing credit card information in-house. Tokenization takes a credit card number and replaces it with a surrogate value that stands in for the card number but from which the card number cannot be derived.

“Tokenization takes the credit card number and camouflages it… The payment information is routed directly to the service provider; the service provider performs the authorization… and then provides a token to the merchant. So whenever the merchant needs to perform further transactions for that customer, it uses the token rather than the credit card number. This is a way to get credit card data out of their system”, Luis said.

“If a hacker does get access to the merchant’s database, all he is getting is a token which is not useable. He is not able to sell the information or perform transactions using the token”, she added.
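The tokenization flow described above (card number sent straight to the service provider, a token returned to the merchant, later charges made with the token only) can be shown in a few dozen lines. The following is an added illustration written for this article; it is not CyberSource, Trustwave or Visa code, and the class names, the `tok_` prefix, the keyed-fingerprint index and the test card number are all assumptions made for the example. The point it makes concrete is the one in the text: the token is drawn from a random generator, so a copy of the merchant's database yields nothing a thief can turn back into a card number.

```python
"""Vault-style tokenization demo (added example; not the vendors' code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check so the service provider rejects mistyped card numbers."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class PaymentServiceProvider:
    """The PCI DSS-scoped party: it alone holds the PAN<->token map.

    Tokens come from a CSPRNG, not from the card number, so no amount of
    computation on a token recovers the PAN without access to this vault.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}
        # Hypothetical index key; a real deployment keeps it in an HSM/KMS.
        self._index_key = secrets.token_bytes(32)

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash used only to hand a returning card its existing token.
        # Without the key the index cannot be turned into a PAN dictionary.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random surrogate value
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, pan: str, amount_cents: int) -> dict:
        """First purchase: PAN goes straight to the provider; merchant gets a token."""
        result = self.tokenize(pan)
        return {"approved": amount_cents > 0, **result}

    def charge_token(self, token: str, amount_cents: int) -> dict:
        """Repeat purchase: merchant sends only the token; PAN is resolved in the vault."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # The PAN would now go to the card network; it never leaves the vault otherwise.
        return {"approved": amount_cents > 0, "last4": pan[-4:]}


class Merchant:
    """Merchant side: persists tokens and the last four digits, never the PAN."""

    def __init__(self, psp: PaymentServiceProvider) -> None:
        self.psp = psp
        self.customers: dict[str, dict] = {}

    def first_purchase(self, customer_id: str, pan: str, amount_cents: int) -> dict:
        result = self.psp.authorize(pan, amount_cents)
        if result["approved"]:
            self.customers[customer_id] = {"token": result["token"], "last4": result["last4"]}
        return result

    def repeat_purchase(self, customer_id: str, amount_cents: int) -> dict:
        record = self.customers[customer_id]
        return self.psp.charge_token(record["token"], amount_cents)

    def exposes_pan(self, pan: str) -> bool:
        """What a dump of the merchant database would give an attacker."""
        return any(pan in str(v) for rec in self.customers.values() for v in rec.values())


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"   # constructed sample: the usual Visa test number
    psp = PaymentServiceProvider()
    shop = Merchant(psp)
    print(shop.first_purchase("cust-1", TEST_PAN, 1999))
    print(shop.repeat_purchase("cust-1", 2499))
    print("merchant DB exposes PAN:", shop.exposes_pan(TEST_PAN))
```

Two design points are worth noting. The vault reuses a token for a returning card by looking it up through a keyed HMAC index rather than by storing a plain hash of the PAN; an unkeyed hash would let anyone with the index enumerate the 16-digit space and recover card numbers. And a second, independent vault issues a completely unrelated token for the same card, which is the practical test that tokens carry no information about the PAN.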
