Dotting the i's on PCI Compliance

[1] BTN: Is payment card industry (PCI) compliance becoming easier or more difficult?

Wallace: PCI compliance overall is becoming more attainable. A lot of that is due to the nature of the process. We've got a good standards lifecycle in place and there's a methodology to update those standards in response to changes in the overall threat environment.

[2] BTN: What are some of the misperceptions of PCI compliance?

Wallace: Compliance technology can reduce the scope, but the technology's not a requirement. Many merchants have been told 'you have to buy the xyz tech to be PCI compliant' but that's not true. And, also, the technology doesn't replace the PCI. Just because you've deployed point-to-point encryption, you still have to perform the PCI validation requirements that are appropriate to your business.

[3] BTN: What are some of the important initial steps that merchants should take before embarking on a PCI compliance initiative?

Wallace: Before you embark on a tech purchase, you have to conduct a business process review into what cardholder data you are storing, and look for ways to reduce or eliminate the presence of cardholder data in your environment and to look at ways to reduce costs.

[4] BTN: You've highlighted a number of the tech options available to aid in PCI scope reduction. What makes 'masking,' for example, effective in reducing PCI compliance costs?

Wallace: The instant your accounting or finance folks go online to look at cardholder data, if they see the card numbers across their screen, these activities potentially expand PCI audit scope. If I mask the data, they are getting cardholder data, but not actual 'cardholder data,' so it frees the firm from having 'scope creep.'
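The masking described in this answer, as an added illustration that is not part of the interview: a small Python helper (names and the sample report line are constructed for this example) that finds candidate card numbers in a report line, uses a Luhn check to avoid masking unrelated numbers, and displays at most the first six and last four digits, which is the PCI DSS display limit for PANs.

```python
import re

# Constructed sample: a finance-team report line with an embedded test PAN and an
# unrelated 16-digit reference number that should NOT be masked.
SAMPLE_REPORT = (
    "2024-03-01 refund 4111111111111111 order-ref 1234567890123456 amount 42.00"
)

# Candidate PANs are 13 to 19 digit runs with no adjacent digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Luhn is a heuristic: roughly one random digit string in ten passes, so
    it reduces, but does not eliminate, masking of non-card numbers.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, never showing more than first six / last four."""
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    hidden = len(pan) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to mask")
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def mask_report_line(line: str, **kw) -> str:
    """Replace every Luhn-valid candidate PAN in a text line with its masked form."""
    def repl(match: re.Match) -> str:
        cand = match.group(0)
        return mask_pan(cand, **kw) if luhn_valid(cand) else cand
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    print(mask_report_line(SAMPLE_REPORT))
```

Pass `keep_first=0` when a business role only needs the last four digits; showing fewer digits than the maximum is always allowed.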

[5] BTN: Point-to-point encryption has gotten a lot of attention over the past year or so. Why is this security layer so important?

Wallace: We're seeing changes in the threat environment toward malware that looks for card data as it comes into a keypad or a USB or serial port. The private key (which decrypts the card data) can be held by a third party in point-to-point encryption, so the merchant never possesses the cardholder data.
