
    How to Reduce Security Risks Associated with Storing Credit Card Data

    Written by

    Mark Johnson
    Published March 8, 2010

      Companies that follow best practices in data security have a risk assessment program. As outlined by the United States General Accounting Office (GAO), risk assessments “provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected.” When a company decides to store specific data, it inherently accepts the risk of doing so, whether the company wants to or not.

      If the data that a company stores happens to be credit card data (or, more generally, payment card data including the account number), then there are regulations, guidelines and even significant risks associated with this type of data. Companies that store such data, or have a third party storing it on their behalf, fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically states that “the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. If a PAN is not stored, processed, or transmitted, the PCI DSS does not apply.”

      Reasons for data storage risks

      So why are there significant risks involved with storing this data? It is because such data is easy to misuse if it is exposed or breached. According to Visa, hackers are looking for software that stores sensitive cardholder data as well as personal information to perpetrate identity theft. Hackers are also looking to track data and payment account numbers. By having the data in its possession, a company increases the possibility of and exposure to malicious activity against the company’s data repositories.

      Moreover, the size of the company storing this data does not matter when it comes to the risk of hacker activity. Although data breaches resulted in the largest number of compromised accounts, small Level 4 merchants (those processing less than 20,000 e-commerce transactions annually) account for more than 85 percent of all compromised events. No company is immune from the hacker community. It’s the data that is the main target of malicious activity.

      Company reputation and financial stability risks

      The risks associated with storing card data go beyond the regulatory or compliance realm. Considerations also include company reputation and financial stability. Some companies would not be able to survive a data breach.

      Other companies, because of their financial strength, could just “write a check” for the damages and rely on marketing or public forgiveness for an unfortunate event. But a data breach isn’t something a company wants to experience to find out the goodwill it may have in the eyes of consumers.

      Another risk associated with credit card data storage is the investment, proper use and required administration of the technical infrastructure that is protecting the data. Technology changes at a very rapid pace, and maintaining up-to-date technology is not a trivial investment. In a company’s risk assessment program, a cost-benefit analysis (CBA) must be conducted to determine the value of the investment required to comply with standards and to properly protect the stored data.

      Here is one analogy worth considering. If a homeowner who lives in a high-crime area is known to possess some valuable jewelry, why would they want to install iron bars over their windows and put strong locks on their doors to prevent or reduce the possible exposure to a break-in? That homeowner would possibly be investing more money in securing the house than perhaps is the value of the goods being protected. So, the homeowner might strongly consider using a bank safe-deposit box instead. Or they may even purchase additional insurance coverage to cover the cost of a possible loss. But the insurance coverage would also have to cover the cost of the resulting damage that the house would suffer.

      Reducing risks and costs of sensitive data storage

      So how do companies reduce the risks and costs associated with sensitive data? There is no silver bullet answer to this equation. However, there are some very viable solutions that can be considered. An article published last year referenced the results of a PricewaterhouseCoopers (PwC) study presented to the participants of a recent PCI Security Standards Council community meeting.

      According to the article, the purpose of the study was “to identify a number of technologies that retailers may be able to leverage to reduce their scope in complying” with the PCI DSS. It continued by saying that PwC evaluated 12 technologies and took a deeper look at four: end-to-end encryption, tokenization, magnetic stripe imaging, and virtual terminals.

      Based on their findings, it was determined that end-to-end encryption, which encrypts data from point-of-sale at the merchant across the processor’s network, may have the most success at reducing PCI compliance scope for merchants. It was further explained, “Tokenization, which replaces card numbers with a token or unique reference number, also has similar possibilities, and can help shift some of the risk and burden of PCI compliance.”

      Those two technologies identified above, end-to-end encryption and tokenization, currently provide the best solution for companies. When considering whether to implement either technology, a company must always keep in mind that securing the data may not be their core competency. It will consume precious resources of time, money and personnel. Therefore, a company must evaluate if they will build their own solution or turn to a trusted third party to provide those solutions.

      Mark Johnson is CIO of ProPay. Mark has over 24 years in the IT industry. Prior to joining ProPay in early 2008, Mark was senior vice president of IT and security officer for one of the nation’s Top 25 issuing and acquiring banks. Mark’s experience includes software development of financial systems for a multibillion dollar organization, director of computer science for a Salt Lake City-based junior college, and director of technology operations for FranklinCovey. Mark has also served in the United States Air Force as a statistician where he earned the Air Force Commendation Medal. Mark holds a Bachelor’s degree in Computer Science from Idaho State University and a Master’s degree in Business Administration from the University of Phoenix. Mark is also a Certified Payment-Card Industry Security Manager (CPISM). He can be reached at mark.johnson@propay.com.
