New Systems Could Lessen PCI Security Burden

It doesn't take too long before there's news of yet another massive data security breach. Last month, Network Solutions, an ecommerce company that helps small online retailers process credit card payments, reported a breach that impacted 4,343 online retail sites and card payment data from about 574,000 customers.

While Network Solutions is not a significant player in the food retailing industry, there was one element in this story that supermarket companies could appreciate: At the time of its breach, Network Solutions was compliant with the PCI (Payment Card Industry) Data Security Standard, the supposed gold standard of data security.

Card-accepting retailers as well as payment processors are expected to comply with the PCI standard, at considerable expense, or face hefty fines. Yet as Hannaford Bros., payment processor Heartland Payment Systems and now Network Solutions have discovered, PCI compliance currently offers no guarantee of ironclad security from cyber thieves.

The PCI standard may be flawed, but at least it is subject to change every two years. In fact, through Oct. 31 retailers that are participating organizations in the PCI Security Standards Council — such as Kroger, Safeway, Wal-Mart Stores, Publix and Hannaford — can submit formal feedback on desired changes to the current standard, version 1.2.

The trouble with the PCI standard is that even if it did contain all the ingredients of foolproof data security, it still represents a major financial and IT headache for retailers. The larger question is: How much responsibility should retailers have to bear when it comes to credit and debit card transactions?

For example, retailers are required to produce card receipt information when purchases are disputed. But that can mean holding onto transaction data and making sure it's secure, which increases the PCI burden. As Dave Hogan, chief information officer of the National Retail Federation, has argued, purchase disputes should be resolved by the banks and the card brands, without requiring retailers to be responsible for sensitive data.

But there is a new twist to this issue that could change the way the game is played. That is the growing interest in new technologies and processes, notably end-to-end encryption and tokenization.

What is particularly intriguing is the plan now being pursued by payment processor Heartland Payment Systems, which is to offer end-to-end encryption that would not only keep card data secure throughout transaction processing, but also take data storage out of retailers' hands. If Heartland succeeds with this program, and other card processors follow suit, retailers may find themselves in a better position regarding both data security and PCI compliance.
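To make the division of responsibility concrete, here is an added Python sketch (not from the article, and not Heartland's actual system) of what a tokenizing processor holds versus what the retailer holds, and how a disputed purchase can still be looked up by token alone. All names, the vault design and the sample card number (a standard test number, not a real card) are assumptions for illustration.

```python
import re
import secrets
from typing import Optional

PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the basic format check a processor applies to a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side vault: the only place the PAN is stored."""
    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        if not PAN_RE.fullmatch(pan) or not luhn_ok(pan):
            raise ValueError("rejected PAN")
        token = secrets.token_urlsafe(16)   # random; not derivable from the PAN
        self._by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}   # what the retailer gets back

    def resolve_dispute(self, token: str) -> Optional[str]:
        """Only the processor can map a token back to a card number."""
        return self._by_token.get(token)


class RetailerLedger:
    """What the retailer retains for receipts and disputes: token + last4, no PAN."""
    def __init__(self) -> None:
        self.records: list[dict] = []

    def record_sale(self, auth: dict, amount_cents: int) -> None:
        self.records.append({"token": auth["token"], "last4": auth["last4"],
                             "amount_cents": amount_cents})

    def holds_full_pan(self) -> bool:
        """Simple scope check: nothing in retailer storage should look like a full PAN."""
        return any(isinstance(v, str) and PAN_RE.fullmatch(v)
                   for r in self.records for v in r.values())


def dispute_by_receipt(vault: ProcessorVault, ledger: RetailerLedger, idx: int) -> Optional[str]:
    """Retailer hands over only the token; the processor does the lookup."""
    return vault.resolve_dispute(ledger.records[idx]["token"])
```

Tokens are random per transaction, so two purchases on the same card yield different tokens and the retailer's records reveal nothing about the underlying card beyond the last four digits.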

For their part in the processing of card transactions — largely the swiping of cards at the checkout and the transmission of card data for authorization and settlement — retailers should of course provide scrupulous security. Beyond that, the responsibility should lie with processors, banks and the card brands.

Respond to SN's Viewpoints online at