The goal of the study, conducted by PricewaterhouseCoopers (PwC) and presented this week at the PCI Security Standards Council's Community Meeting in Las Vegas, was to identify a number of technologies that retailers may be able to leverage to reduce their scope in complying with the Payment Card Industry Data Security Standard (PCI DSS).
The council ordered the study in response to concerns from its members over a number of high-profile data breaches in recent months, including Heartland Payment Systems, which potentially exposed hundreds of millions of credit card numbers.
Based on interviews with 160 security professionals across 10 countries, PwC evaluated 12 technologies and took a deeper look at four: End-to-end encryption, tokenization, magnetic stripe imaging and virtual terminals.
None of those technologies are referenced in the current PCI DSS.
Presenters Mark Lobel, a principal at PwC, and Andrew Luca, director of the firm's Financial Service practice, repeatedly stressed that the study merely analyzed some of the possible technologies in the market – and that neither they nor the council are prepared to make endorsements or recommendations.
Based on their findings, PwC determined that end-to-end encryption, which encrypts cardholder data at the merchant's point-of-sale device and keeps it encrypted until it reaches the processor's network, may have the most success at reducing PCI compliance scope for merchants.
“It may have the ability to completely remove payment data from the merchant's hands,” Lobel said.
Tokenization, which replaces the card number with a token or unique reference number that the merchant stores in its place, has similar possibilities, and can help shift some of the risk and burden of PCI compliance from the merchant to the service provider (the credit card processor), the presenters said. Virtual terminals, an outsourced service that enables merchants to accept cards without dedicated hardware, can provide that latter benefit as well.
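To make concrete what the tokenization paragraph describes, here is an added illustration (not PwC's, the PCI Council's, or any vendor's code) of the split it relies on: the processor's vault is the only component that ever holds a primary account number (PAN), the merchant stores a token, and a discovery scan of the merchant's records, of the kind an assessor would run, finds no cardholder data. The vault, the index key, the test PAN and the record format are all assumptions made for the example; a real vault encrypts the PANs at rest and lives inside the processor's cardholder data environment.

```python
"""Tokenization demo: merchant keeps a token, the processor's vault keeps the PAN.
Added illustration; not code from the article, PwC or the PCI Council."""
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that card numbers satisfy; PAN discovery scanners use the same test."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, then reduced to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Service-provider side. Only this object ever holds a PAN.
    Assumption for the demo: PANs sit in a plain dict; a real vault encrypts them at rest."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # keyed index so the lookup table is not a bare PAN hash
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN; the same card always maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Format-preserving token: same length, real last four digits for receipts, random otherwise.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject tokens that happen to pass Luhn, so a token can never be mistaken for (or used as) a PAN.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. to settle or refund; the merchant never can."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, amount: str) -> tuple[str, str]:
    """Merchant side: hands the PAN to the vault and keeps only the token in its own records."""
    token = vault.tokenize(pan)
    record = f"order=1001 amount={amount} card={token}"  # constructed sample record
    return token, record


_PAN_CANDIDATE = re.compile(r"\d{13,19}")


def find_pans(text: str) -> list[str]:
    """Discovery scan: any Luhn-valid run of 13 to 19 digits is treated as cardholder data."""
    return [m for m in _PAN_CANDIDATE.findall(text) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # standard Visa test number, constructed input
    token, record = merchant_checkout(vault, test_pan, "19.99")
    print("merchant stores:", record)
    print("PANs found in merchant record:", find_pans(record))
    print("processor can recover:", vault.detokenize(token) == test_pan)
```

The two checks worth keeping from this are the ones an assessor actually applies: the token must not itself pass Luhn (otherwise it is indistinguishable from a PAN to a scanner, and to an attacker), and the merchant's stored records must scan clean.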
The report determined that magnetic stripe imaging, which collects the data on the magnetic stripe to prevent fraudulent cards from being used, cannot serve as a standalone technology to help meet any of the PCI requirements. Instead, it should be viewed as an anti-fraud tool that must be combined with another technology to help reduce scope.
Lobel cautioned that these technologies may not be right for everyone.
“The devil is in the details,” he said in an interview afterward. “It is very possible to do a poor implementation of end-to-end encryption and not get the benefit you want from it.”

Merchants must take into account a number of variables before implementing, such as whether their environment contains too much legacy software and whether it is capable of handling a new technology, Luca said. Factors such as risk and return-on-investment must also be considered.
“Technology is only a piece of the solution,” Troy Leach, chief technology officer for the PCI Council, said in an interview after the presentation. “There are people, processes and technology involved in any type of deployment.”
Lobel said merchants should not think that the four technologies PwC studied are the only options. The firm ultimately set aside certain initiatives, such as chip and PIN, because the technology is already well understood and widely deployed in regions outside of the United States. Still, merchants should not discount the potential benefits of these other technologies, he said.
Bob Russo, general manager of the PCI Council, said the body now will evaluate PwC's findings. It is possible the technologies may find their way into the next iteration of the PCI standard, due out next year. Or, the council may decide to release a guidance document prior to that.
“There's always value with more layers of security,” he said. “You get secure, and compliance comes along as a byproduct.”
This week's Community Meeting brought together some 700 of the PCI Council's participating organizations as part of the standard's feedback period.