Why PCI Compliance Isn’t Enough?

We get it: PCI Compliance is a recurring topic that feels like a thorn in everyone’s side. It comes up again and again during conversations and integrations, and it is an important discussion to have. There are many PCI compliance standards you may have heard of, including PCI DSS, PCI PTS and so on. These standards were designed to keep payment solutions in check and make sure sensitive card data remains safe. PCI DSS, for example, is the Data Security Standard released by the PCI Council; it is put in place to ensure that all businesses that accept, process, store and/or transmit cardholder data (i.e., credit card information) do so in the safest way possible. By following these requirements, merchants can better protect their payment infrastructures from data breaches.

PCI Compliance is Not Enough Anymore

In 2018, cyber attacks increased by 32 percent in the first few months of the year compared to the same period in 2017. Threats from criminals are constantly evolving and becoming more sophisticated. Being PCI Compliant alone is not enough; businesses need to take additional security measures to protect sensitive cardholder data and their payment technology investment. Here are a few ways businesses can protect their payment infrastructure:

1. Semi-Integrated Payment Approach

A semi-integrated approach reduces the communication between the terminal and the electronic cash register (ECR) to non-sensitive commands. Sensitive card data is isolated, encrypted and sent directly from the terminal to the intended processing host or gateway. This way, the payment card data never touches the point of sale (POS) system, keeping it out of reach of any vulnerabilities in that system. The semi-integrated approach also keeps the POS system out of the PCI audit scope, saving businesses time and money.

2. Point-to-Point Encryption (P2PE)

Payment data can be stolen in many ways, and a common one is interception while the data is in transit. A P2PE solution protects the card data while it is on the move during the payment process. It is an industry-proven solution that helps keep sensitive card data out of the hands of cybercriminals.

3. Tokenization

To complement P2PE, tokenization helps protect the card data at rest. It replaces the sensitive information with a secure encrypted token, protecting it from cybercriminals. After many data breaches over the years, current PCI standards do not allow businesses to save and store credit card details on their POS system or databases after a transaction unless they are tokenized. If clear-text card data is stored and then stolen, it can be used to create counterfeit cards. When this data is tokenized, it becomes useless to any cybercriminal because it can only be decoded by the payment processor. Storing tokenized data still lets retailers associate tokens with specific customers, so they can study spending patterns without compromising the security of sensitive credit card information.
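The following is an added example, not code from Ingenico or from this post, showing the two halves of the arrangement described above: a processor-side vault that is the only place a token can be turned back into a card number, and a merchant-side record that keeps nothing but the token and the last four digits. The in-memory dictionary standing in for the vault, the `tok_` token format and the `PosRecord` layout are assumptions made for the example; the card numbers are standard test PANs, not real accounts. A small Luhn-filtered check at the end lets a merchant scan their own data for any card number that slipped past tokenization.

```python
import re
import secrets
import string
from dataclasses import dataclass

# Constructed sample card numbers: well-known test PANs, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

# Tokens use letters only, so a token can never be mistaken for a card number.
TOKEN_ALPHABET = string.ascii_lowercase


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """A PAN is 13-19 digits and Luhn-valid."""
    return candidate.isdigit() and 13 <= len(candidate) <= 19 and luhn_valid(candidate)


class TokenVault:
    """Processor-side vault (assumed for the example).

    This is the only component that can map a token back to a PAN. In a real
    deployment it lives at the processor or gateway and the stored PAN is itself
    encrypted under HSM-managed keys; a plain dict stands in for that here.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_pan(pan):
            raise ValueError("input is not a valid PAN")
        # Same PAN -> same token, so the merchant can link repeat purchases
        # to one customer without ever holding the card number.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # A random token carries no information about the PAN, so a copy of
        # the merchant database alone is worthless to an attacker.
        token = "tok_" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor ever calls this, e.g. to route a later refund."""
        return self._pan_by_token[token]


@dataclass
class PosRecord:
    """What the merchant's POS or database is allowed to keep after a sale."""
    customer_id: str
    token: str
    last4: str           # masked reference for receipts and support
    amount_cents: int


def record_sale(vault: TokenVault, customer_id: str, pan: str, amount_cents: int) -> PosRecord:
    """Tokenize at sale time; the PAN is discarded once the token is back."""
    token = vault.tokenize(pan)
    return PosRecord(customer_id, token, pan[-4:], amount_cents)


# Runs of 13-19 digits not adjacent to other digits; Luhn filters out noise.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """Merchant-side check: does any stray card number appear in this data?"""
    return any(luhn_valid(m) for m in PAN_PATTERN.findall(text))


def demo() -> tuple[list[PosRecord], str, TokenVault]:
    """Three sales from two cards; returns records, a dump of the merchant DB, and the vault."""
    vault = TokenVault()
    records = [
        record_sale(vault, "cust-1", SAMPLE_PANS[0], 1250),
        record_sale(vault, "cust-1", SAMPLE_PANS[0], 800),
        record_sale(vault, "cust-2", SAMPLE_PANS[1], 4999),
    ]
    merchant_db_dump = "\n".join(str(r) for r in records)
    return records, merchant_db_dump, vault


if __name__ == "__main__":
    recs, dump, v = demo()
    print(dump)
    print("merchant DB contains a PAN:", contains_pan(dump))
    print("processor detokenizes first sale to:", v.detokenize(recs[0].token))
```

Two properties are worth noticing when running it: the repeat purchase by `cust-1` yields the same token, which is what lets the retailer study spending patterns, and the dump of the merchant-side records contains no card number at all, so losing that database does not expose cardholder data.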

4. Mobile Device Management (MDM)

In many instances, businesses use consumer-grade mobile devices with their POS systems. This is where MDM comes in handy. MDM is security software that allows businesses to remotely deploy and securely manage their mobile POS solutions, and it helps protect those solutions from security threats.

5. Employee Education

Sometimes the biggest breaches are caused by simple negligence on the part of untrained staff. A staff member picking up a random flash drive and plugging it into their computer is a simple example that can be catastrophic for the business. Employees also need to be aware of the possibility of device tampering, which can give criminals access to sensitive information. Businesses need to routinely inspect their public-facing devices for signs of tampering to avoid data theft or breaches. Effective training of employees in basic security protocols can help curb such mistakes and better protect your business.

Security threats will keep evolving, and so will the solutions built to fight them. It is important for businesses to be aware of these changes and developments to stay one step ahead of cybercriminals. There is an industry-wide push for stronger security solutions so that businesses like yours can better protect themselves from these situations. Learn more about a multi-layered security approach to payments. Drop us a line and let’s talk about protecting your payment technology investment.


Irfan Nasir is the Head of Solutions Development & Deployment at Ingenico Group, North America