Keeping Cardholder Data Safe: What You Need to Know

As cards overtake cash as the most popular way to pay, many companies today have no choice other than to handle or hold credit card data. Once they take this step, and as the volume of financial data increases, the risk of that data being compromised cannot be overlooked. Fraud, hacking, insider theft, or just plain old human error, are just some of the threats to a business’ bottom line and reputation when handing credit cards. Now, in an era of data breach disclosure laws, the fate of those companies who have failed to protect cardholder data is plain for all to see.

To help the industry address the issue of cardholder data breaches, card brands joined forces and introduced the Payment Card Industry Data Security Standard (PCI DSS) in 2006. Instead of introducing new technology standards, the PCI DSS brought a consistent set of baseline security requirements to the business of accepting and processing credit cards.

PCI DSS Means Business

Since its introduction, there has been a great deal of attention paid to PCI DSS. With requirements that focus on 12 different security issues, every business involved in accepting and processing card payments is responsible for safeguarding cardholder data. In the end, not living up to this requirement can mean fines and higher transaction fees, and worst of all, a public data breach affecting their customers.

Much of the responsibility for the successful rollout of PCI DSS is in the hands of certified auditors, the qualified security assessors (QSAs). To develop an accurate picture of PCI compliance today, the Ponemon Institute and Thales conducted research to identify trends, recommendations and preferences of QSAs involved in PCI DSS compliance assessments.

State of Compliance

The research found that few businesses are failing their annual PCI DSS audits outright. However, 41% of business would fail if they were not relying on ‘compensating controls’. While these alternative routes to compliance must meet the same level of risk reduction as the PCI DSS intended, often they are just workarounds or temporary fixes that may not pass muster at the next annual assessment, or will be excluded by future changes to PCI DSS.

When it comes to compliance, QSAs find that the most difficult requirement for organisations to meet is restricting access to cardholder data on the basis of a business need-to-know (PCI DSS Requirement 7). While a business can have the most advanced systems to try and lock out external criminals, if it cannot limit access to cardholder data on the inside to only those who have a need to access it, then how can a system ever be considered secure?

How to Comply?

One of the greatest challenges facing companies is how to protect cardholder data when that data is not under their direct control. The day-to-day reality of protecting information means that companies face situations where data is flowing over public networks between data centres or is stored offsite on back-up tapes. Often cardholder data is carried around on laptops or is present on systems sent off for repair. To address this challenge, PCI DSS requires cardholder data to be rendered unreadable while it is transmitted on a network or stored and it identifies four approaches for achieving this, including the use of encryption.

For QSAs, 60% believe encryption is the best means to protect card data. Encryption essentially scrambles data and makes it unreadable except by those systems that have been authorised to access it by providing them with the right decryption keys. Unlike firewalls and anti-virus software, which are also mandated by PCI DSS, and many other security technologies that focus on protecting computers or networks, encryption actually protects the data itself. This protection moves with the data, like a bodyguard, whether it is stored in a database or being transferred between applications for processing.

PCI DSS is Evolving

As with all regulation and best practices, PCI DSS is evolving and compliance is an ongoing process rather than a ‘tick-box’ exercise. In fact, a new set of standards is expected to be released in October 2010 by the PCI Security Standards Council.

The QSA survey asked what the industry expects to see in the new update to the standard. While encryption remains one of the best techniques merchants can use to keep stored information safe and comply with PCI requirements, respondents voiced concerns that the current version of the standard is ambiguous in a number of ways. First, it is unclear how exactly the keys used for encryption should be managed and protected. And second, it is not immediately apparent how the use of encryption can help reduce the scope of PCI DSS audits when it is used beyond just protecting stored data. This is sometimes referred to as the concept of ‘end-to-end’ encryption, where data is protected right from the moment it is captured, at the point-of-sale (POS) system or e-commerce website, up until it is sent to the cardholder’s bank for approval and processing. Clarification on these areas is expected in the new PCI update.

In addition to clarification about encryption and key management, the Ponemon Institute and Thales research shows that QSAs expect tokenisation to be ratified as an approved technology in the next PCI DSS update. With similar goals to encryption in mind, this emerging technology that, according to the survey, is preferred by 35% of QSAs, is also a method for protecting cardholder data end-to-end. Tokenisation is much like taking your coat and bags with you to the theatre and checking them in at the cloakroom. With tokenisation, sensitive credit card data is ‘checked in’ to a secure, dedicated database and a ticket or token is issued that can be used later by authorised applications to retrieve the real credit card information if necessary. However, even with tokenisation, encryption is still used to protect the original card data in the database.

There is evidence that the PCI Security Council is actively considering these newer techniques, since it commissioned a PricewaterhouseCoopers (PwC) study to examine whether four emerging technologies (tokenisation, end-to-end encryption, virtual terminals and card management solutions) showed potential to enhance data security and reduce compliance costs.


Although I’ve focused on the technology issues here, it is virtually always the case that technology alone doesn’t strengthen security posture and stop criminals; technology is merely a tool. In order to ensure that card data is adequately secured, it is essential that this tool is deployed correctly. PCI DSS compliance isn’t easy, and it’s easy to fall into the trap of ‘checking the box’ syndrome: compliance for compliance’s sake. The PCI DSS requirements are a great step towards protecting cardholder information in a unified fashion, but as new threats emerge and attacks become more sophisticated, it is important that PCI DSS and the technologies used to safeguard data evolve as well. Ultimately, compliance is a by-product of good security, so it is those companies that focus on protecting cardholder data, rather than ticking boxes, that will be closest to achieving compliance in a cost-effective way and, more importantly, in keeping their name out of the headlines.

The Thales and Ponemon Institute report on QSA Trends 2010 can be viewed here.


Related reading