With the number of records breached increasing 37.4% in the first nine months of 2011* over 2010, it has become increasingly important for retailers to implement a security program to protect their cardholders’ data in the event of a breach.
Hackers are becoming increasingly savvy and malicious in their pursuit of cardholder information, particularly primary account numbers (PAN). Ensuring that this data is unavailable is critical to protecting brand image, especially as breach incidents quickly become front page news.
The smartest and simplest solution to make data unavailable to hackers is to remove it from the environment entirely. Many companies today still house payment data in databases within their own networks to facilitate payments, reconcile accounts, and perform customer service activities. However, keeping that data in-house leaves it highly exposed to theft.
With solutions available today, those same retailers can entrust the storage of that highly sensitive data to a secure third party service provider that houses the data in their own PCI-certified compliant data vaults, significantly reducing security risk to the retailer.
If the solution is so simple, why aren’t more retailers moving to this platform? The answer: most retailers falsely believe that giving up access to that data hinders them from performing market analysis or customer service activities.
Both of these concerns can be alleviated, as service providers are considered partners in keeping data safe. Service providers will not restrict a retailer’s access to data, and they allow for retrieval if needed. (Note: reintroducing payment data into a retailer’s environment will bring the related systems back into PCI DSS scope.)
A reputable payment security service provider will also offer services allowing a retailer to continue performing reconciliation and back office activities just as it did before. These services generally include generation of format-preserving tokens, which are strings of data that replace PAN data in the retailer’s systems (ERP, data warehouse) but retain four digits of the account number, enabling customer identification. [For more information on payment security solutions, download the Enterprise Payment Security 2.0 white paper.]
These solutions not only help lessen the risk of liability to a retailer’s brand in the event of a breach, but also decrease the overall costs associated with managing an internal security program. Leveraging a payment security service provider removes most of the management overhead, since the work is primarily outsourced, and it lowers the cost of PCI DSS compliance, because tokenization reduces the overall scope of the audit. [For more information on how tokenization can reduce PCI DSS scope, see the PCI Security Council’s "PCI DSS Tokenization Guidelines" information supplement.]
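To make the format-preserving token described above concrete, here is an added example (not code from the original post or from any provider) of a minimal token vault: the token keeps the PAN’s length and its last four digits, is deliberately built to fail the Luhn check so it can never collide with a real account number, and the retailer-side record stores only the token. The in-memory dictionaries, the `TokenVault` class and the `retailer_order_record` function are assumptions standing in for the provider’s vault and the retailer’s database.

```python
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check: real PANs pass it; the tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the provider's vault: the only place a PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a same-length, all-digit token that keeps the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:          # same card -> same token, so reconciliation still works
            return self._token_by_pan[pan]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # Reject candidates that pass Luhn so a token can never equal a real PAN.
            if luhn_valid(token) or token in self._pan_by_token:
                continue
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Retrieval path (provider side); pulling the PAN back into retail systems re-scopes them."""
        return self._pan_by_token[token]

def retailer_order_record(vault: TokenVault, order_id: str, pan: str, amount: str) -> dict:
    """Retailer side: the stored record holds the token only, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": token[-4:], "amount": amount}

if __name__ == "__main__":
    vault = TokenVault()
    # 4111111111111111 is a constructed test number that passes the Luhn check.
    print(retailer_order_record(vault, "A-1001", "4111111111111111", "19.99"))
```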
*Identity Theft Resource Center