Companies that follow best practices in data security have a risk assessment program. As outlined by the United States General Accounting Office (GAO), risk assessments “provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Since risks and threats change over time, it is important that organizations periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls they have selected.” When a company decides to store specific data, they inherently accept the risk by doing so-whether the company wants to or not.
If the data that a company stores happens to be credit card data (or more general, payment card data including the account number), then there are regulations, guidelines and even significant risks associated with this type of data. Companies that store such data, or have a third party storing it on their behalf, fall under the scope of the Payment Card Industry Data Security Standard (PCI DSS). This standard specifically states that “the Primary Account Number (PAN) is the defining factor in the applicability of PCI DSS requirements. If a PAN is not stored, processed, or transmitted, the PCI DSS does not apply.”
Reasons for data storage risks
So why are there significant risks involved with storing this data? It is because of the resulting ease and inappropriate use of such data if it were to be exposed or breached. According to Visa, hackers are looking for software that stores sensitive cardholder data as well as personal information to perpetrate identity theft. Hackers are also looking to track data and payment account numbers. By having the data in its possession, a company increases the possibility of and exposure to malicious activity against the company’s data repositories.
Moreover, it also doesn’t matter the size of a company storing this possibly exposed data to the risks of hacker activities. Although data breaches resulted in the largest number of compromised accounts, small Level 4 merchants (those processing less than 20,000 e-commerce transactions annually) account for more than 85 percent of all compromised events. There is no immunity to any company in the hacker community. It’s the data that is the main target of malicious activity.
Company Reputation and Financial Stability Risks
Company reputation and financial stability risks
The risks associated with storing card data go beyond the regulatory or compliance realm. Considerations also include company reputation and financial stability. Some companies would not be able to survive a data breach.
Other companies, because of their financial strength, could just “write a check” for the damages and rely on marketing or public forgiveness for an unfortunate event. But a data breach isn’t something a company wants to experience to find out the goodwill it may have in the eyes of consumers.
Another risk associated with credit card data storage is the investment, proper use and required administration of the technical infrastructure that is protecting the data. Technology changes at a very rapid pace and maintaining up-to-date technology is not a trivial investment a company must make. In a company’s risk assessment program, a cost-benefit analysis (CBA) must be conducted to determine the value of the investment required to comply with standards and to properly protect the stored data.
Here is one analogy worth considering. If a homeowner who lives in a high-crime area is known to possess some valuable jewelry, why would they want to install iron bars over their windows and put strong locks on their doors to prevent or reduce the possible exposure to a break-in? That homeowner would possibly be investing more money in securing the house than perhaps is the value of the goods being protected. So, the homeowner might strongly consider using a bank safe-deposit box instead. Or they may even purchase additional insurance coverage to cover the cost of a possible loss. But the insurance coverage would also have to cover the cost of the resulting damage that the house would suffer.
Reducing Risks and Costs of Sensitive Data Storage
Reducing risks and costs of sensitive data storage
So how do companies reduce the risks and costs associated with sensitive data? There is no silver bullet answer to this equation. However, there are some very viable solutions that can be considered. An article published last year referenced the results of a PricewaterhouseCoopers (PwC) study presented to the participants of a recent PCI Security Standards Council community meeting.
According to the article, the purpose of the study was “to identify a number of technologies that retailers may be able to leverage to reduce their scope in complying” with the PCI DSS. It continued by saying that PwC evaluated 12 technologies and took a deeper look at four: end-to-end encryption, tokenization, magnetic stripe imaging, and virtual terminals.
Based on their findings, it was determined that end-to-end encryption, which encrypts data from point-of-sale at the merchant across the processor’s network, may have the most success at reducing PCI compliance scope for merchants. It was further explained, “Tokenization, which replaces card numbers with a token or unique reference number, also has similar possibilities, and can help shift some of the risk and burden of PCI compliance.”
Those two technologies identified above-end-to-end encryption and tokenization-currently provide the best solution for companies. When considering whether to implement either technology, a company must always keep in mind that securing the data may not be their core competency. It will consume precious resources of time, money and personnel. Therefore, a company must evaluate if they will build their own solution or turn to a trusted third party to provide those solutions.
Mark Johnson is CIO of ProPay. Mark has over 24 years in the IT industry. Prior to joining ProPay in early 2008, Mark was senior vice president of IT and security officer for one of the nation’s Top 25 issuing and acquiring banks. Mark’s experience includes software development of financial systems for a multibillion dollar organization, director of computer science for a Salt Lake City-based junior college, and director of technology operations for FranklinCovey. Mark has also served in the United States Air Force as a statistician where he earned the Air Force Commendation Medal. Mark holds a Bachelor’s degree in Computer Science from Idaho State University and a Master’s degree in Business Administration from the University of Phoenix. Mark is also a Certified Payment-Card Industry Security Manager (CPISM). He can be reached at mark.johnson@propay.com.