Staying at the Venetian/Palazzo in Las Vegas last week for EMC World, I was struck by the amount of personal information they must be managing for the guests in their 7,000 suites. Even with repeat guests, they could well average 10 individuals per week per suite, well into the millions of guests per year. And [...]
A new version of the Payment Card Industry Data Security Standard, or PCI DSS, was recently announced. This week’s Speaking of Security podcast discusses new guidance on how to protect customer account data.
PCI DSS compliance may be a bad indicator for the way merchants handle card data for a simple reason: it is a holistic standard which refers to many aspects of security – from the storage of sensitive data to securing wireless networks and applications. While those who are truly PCI DSS compliant can dramatically decrease the risk of suffering a breach, it is not uncommon for some merchants, once they receive their badge of approval, to fail to maintain that compliance.
The release of PCI DSS V2 is a welcome update, even though most of the changes from PCI DSS V1.2 are relatively minor. But there are a number of areas that PCI DSS has not addressed and that are critical to the security of credit card information. Some of these, such as the impact of virtualization and cloud, are already recognized as concerns. But at least one area has, at least as far as I know, not yet been put on the table for discussion. This area concerns best practices for protecting against increasingly sophisticated social engineering attacks. These attacks may attempt to steal credit card information directly. Or they may seek to install malware that can steal the information, such as through man-in-the-browser attacks.
Tokens are safer for merchants because tokens lack the very thing that makes credit card numbers so appealing to thieves – portability.
Even before the recent PCI Community meeting, one of the most frequent questions I’ve been asked is about how tokenization reduces PCI scope. Actually, it is usually a merchant asking specifically about how tokenization helps them reduce PCI scope. I will share three ways that using tokens helps a merchant deal with the costs of PCI.