PCI (Not) for Dummies

It seems like everyone (including this author) today has an opinion on the value of the PCI DSS and the card brand programs. In March 2009 Congress held hearings on the standard, and there are many companies that make a living from the program. No matter people's view of the PCI DSS, my own experience has led me to believe that something is needed to secure the data in our industry. There are basically two approaches to solving the problem of increasing data compromises. The first is traditional compliance/risk management. This assumes that a business holds the data and has the need to protect it. This is traditional PCI compliance and risk management. The second approach is the one of which I am a proponent. I will call these 'alternative' compliance solutions generically. With these solutions, the value of the data is reduced or removed. While much has been written recently about end-to-end encryption, this is really only one approach that I would classify as one of the alternative solutions.

Some companies have made huge strides in the industry to remove the value of data, replacing it with some abstract description of those data. Although a number of companies have created similar solutions, companies like Shift4 and MerchantLink defined these types of solutions. These types of solutions have worked well in complex retail environments. MagTek and Semtek created encrypted magnetic stripe readers that render data unreadable from the point of swipe. When used with virtual terminals and other technologies, these solutions provide huge benefits for smaller, level 4 merchants. Companies like TrustCommerce and ProPay have successfully deployed these solutions to remove data from their merchants' environments.
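As an added illustration of the "replace the data with an abstract description" approach (this is not code from the post or from any vendor named above), the sketch below keeps the only card-number mapping in a provider-side vault, while the merchant's own records hold nothing but a random token and the last four digits. The card numbers are constructed test values, and `holds_pan_data` is a constructed self-check a merchant could run over its stored records.

```python
import re
import secrets

# Constructed test PANs (Luhn-valid, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Service-provider side: the only place the PAN<->token mapping exists."""
    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:            # same card always maps to the same token
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(8)   # random; not derived from the PAN
        while token in self._by_token:
            token = "tok_" + secrets.token_hex(8)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]       # only the provider can reverse a token


class MerchantRecords:
    """Merchant side: stores the token and last four digits, never the PAN."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.sales = []

    def record_sale(self, pan: str, amount: str) -> str:
        token = self.vault.tokenize(pan)   # PAN leaves the merchant immediately
        self.sales.append({"token": token, "last4": pan[-4:], "amount": amount})
        return token

    def holds_pan_data(self) -> bool:
        """Scan stored fields for any 13-19 digit run that could be a PAN."""
        pan_re = re.compile(r"(?<!\w)\d{13,19}(?!\w)")
        return any(pan_re.search(str(v)) for rec in self.sales for v in rec.values())
```

A later refund or repeat sale references the token, and only the provider's vault can turn it back into a card number.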

We will continue to see solutions such as these enter the market as we move through 2009. It is difficult to apply these solutions for industrial. For those who have been active in the PCI world as QSAs, ASVs, or in other capacities, it is understood that traditional compliance simply does not work well in level 4 merchant environments. If you have not had a chance to look at the alternative solutions, I would encourage you to do so. Some of the solutions will not only remove data, thus reducing your risk; they will also provide some reprieve from compliance with some of the PCI DSS requirements.

About sam