Large data breaches at companies like Global Payments (GPN) are just the tip of the iceberg of the financial industry's data security woes, says Steve Elefant, who was chief technology officer at Heartland Payment Systems (HPY) during its massive 2008 data breach.
April 9 -
Global Payments was considered PCI-compliant until hackers stole 1.5 million account numbers from it. So were two other breached processors. Banks may have to assume no third party is secure.
April 2 -
Unobtrusive until now, a set of unrelated security requirements is about to become pretty unpopular, and costly.
March 26
After any major data breach, the payments industry is
The Payment Card Industry data security standard affects any entity that handles card data (
"The merchant who is barely making a living will turn around and say, 'thanks for telling me about PCI, but there is no return on investment for me,' " says Suni Munshani, CEO of Protegrity USA. Those merchants seek ways around PCI compliance, he adds.
Because of the news about the Global Payments breach, among other factors, Munshani says the payments industry is prepared to "transfer the risk up the food chain" as processors accept more risk responsibility and keep data away from merchants.
Protegrity sells tokenization software, which keeps card data off merchants' payment systems by providing tokens, sets of symbols that represent the card data, after card authorizations.
Card processors and acquirers are considering this technology, and many already provide it, says Adil Moussa, a senior analyst at Aite Group, a Boston-based consulting and research company.
"Some are giving tokenization away as part of the service; others see it as a source of revenue," Moussa says.
Similarly, Heartland Payment Systems (HPY) began promoting encryption (and began selling its own encryption service) after it suffered
When the United States shifts to EMV smart card and Near Field Communication technology, merchants will enjoy a liability shift anyway, Moussa says. "Expecting someone to offer tokenization and take the hit for any risk involved has a certain level of marketing spin to it," he adds.