Monday, September 21, 2009

Credit Card Privacy, End-to-end encryption: The PCI security holy grail

Click Here for TechWorld Article on PCI

If you are in the e-commerce business, PCI compliance is critical to your business. The same holds true for ANY business that touches a credit card number in any way: via email (not very smart), unsecured chat (very much not smart), mail-order phone calls, paper orders at call centers, etc. The Payment Card Industry Data Security Standard (PCI DSS) applies to a large swath of businesses that are either merchants or credit card processors / aggregators (not just banks). PCI compliance is about protecting the privacy of the individual cardholder's data. See the PCI Security Standards Council for the standard itself.

It would be a little short-sighted to say that one could absolutely guarantee the security of PCI data on the web, for example, considering the constant advances in technology. By the way, the web is not the only place to audit, monitor and govern. Consider internal legacy systems and networks where companies move PCI data internally, both electronically and by manual workflow (paper-based, another future blog topic). That is not to say that bona fide companies aren't spending huge amounts of time, effort and dollars to remain PCI compliant.

The fact remains that it is a constant struggle to maintain compliance. As the author of the TechWorld article linked above illustrates, even the best-intentioned efforts and compliance implementations carry no guarantees, per se. However, an added layer of protection, encryption, would render any exfiltrated data (however "unlikely" a breach may be) unusable to the thief once the data was finally out in the open, because what leaks is ciphertext rather than card numbers.

Encryption is a big space. It requires careful planning and specific policy and process implementation even before any specific technology can or should be selected, let alone implemented (PPT: Process => People => Technology). It is a strategic decision for a company. It has long-term implications, but also many upsides. It can be the saving "insurance policy" in the "unlikely" (read the newspapers, pal; I meant Internet news feeds) event of a data breach.

Without sufficient due diligence, dogged adherence to PCI compliance, regular self-assessments and external audits, you could wind up in a bad place, namely:

Insula gilliganis

(Gilligan's Island)
