Retail Technology
Payment Card Industry Data Security Standards are expected to evolve based on continued data breaches, according to new research study

Information systems and communications security provider Thales has announced the results of a research study by The Ponemon Institute about the upcoming version of the Payment Card Industry Data Security Standards (PCI DSS).

The new set of standards is expected to be released in October 2010 by the PCI Security Standards Council.

Based on a survey of 155 Qualified Security Assessors (QSAs), the report identified a number of trends and key findings, including that encryption is one of the most effective means of achieving compliance. Questions arose, however, around how encrypted data should be treated in audits; the report said clarifications are expected to be issued on the use of encryption and key management.

New technology to strengthen security

In 2009, the PCI Security Council commissioned a PricewaterhouseCoopers study to examine whether four emerging technologies showed potential to enhance data security and reduce compliance costs: tokenisation, end-to-end encryption, virtual terminals and card management solutions.

“41% of QSAs believe tokenisation is the most likely of these technologies to be addressed in the PCI update, while 28% said end-to-end encryption is the most likely, 13% said virtual terminals and 9% said magnetic stripe imaging,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “Only 11% of QSAs believe that none of the technologies considered will be included in the PCI DSS updates.”

“Our research continues to validate that 60% of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41% of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one of the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity,” continued Ponemon.

Cost of compliance quantified

The study also found that Tier 1 merchants were paying $122,000 (£80,041) more on average than Tier 2 merchants to do the same QSA assessments. As uncovered in the previously issued QSA Insights Report, the average cost of an annual QSA audit – the fees paid to QSAs for assessment services – for Tier 1 merchants is about $225,000 (£147,617). The complete research results reveal that an annual assessment for Tier 2 merchants averages $103,000 (£67,576) and for Tier 1 service providers, such as large payment processors, the average cost of an annual on-site QSA assessment is $204,000 (£133,840).

The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying the trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance and typical client recommendations. The results are available in the free-to-download study, sponsored by Thales, entitled PCI DSS Trends 2010: QSA Business Report.

“Complying with PCI DSS requirements is a great first step toward protecting cardholder information, but as new threats emerge and attacks become more sophisticated, it is important that PCI DSS and the technologies used to safeguard data evolve as well,” said Franck Greverie, vice president for the information technology security activities of Thales. “By offering merchants insight into the new requirements likely to be included in the PCI DSS update and the current solutions in the marketplace to address these risks, this survey enables organisations to deploy the necessary technologies before the update is issued to give them a head start to enhance compliance efforts and, most importantly, better protect sensitive cardholder data.”