Complying with Industry Regulations
2. Complying with industry regulations
Compliance with the PCI DSS may be perceived by the industry as another regulatory burden that they could do without, particularly when it comes to implementing the more challenging requirements (such as protecting stored cardholder data). However, as fraudsters become increasingly sophisticated and data breaches among retailers continue to make the headlines, PCI DSS-compliance should be viewed as an opportunity to review security processes.
Organizations that work with the card schemes are obliged to have their compliance with PCI DSS verified annually by qualified assessors. PCI DSS requires organizations to address the two most vulnerable areas by encrypting cardholder data both in transit across open, public networks and at rest in storage. The improved security resulting from this approach is a considerable benefit, not only in terms of demonstrating compliance with the PCI DSS but also in mitigating risk for an organization, and in avoiding the fines and penalties associated with non-compliance.
3. Implementing industry best practices
Specific reference to the use of encryption is increasingly found in privacy mandates and industry best practices that attempt to go beyond the traditional focus on "people and processes." Furthermore, encryption is often favored by regulators and policymakers because of the black-and-white nature of the technology. Data is either encrypted or it is not, which in theory means it is either secure or not, a very measurable parameter that is well received by auditors and regulators.
For example, Visa recently issued its global industry best practices for data field encryption, also known as end-to-end encryption. Also included in Visa's best practices is guidance to use robust key management solutions and encryption consistent with international and regional standards. This includes the management of encryption/decryption keys within secure cryptographic devices such as PIN Entry Devices (PEDs) or HSMs.