Most security experts say encryption is the best way to protect payment card data, according to a report from Thales Group and the Ponemon Institute.
That several high-profile data breaches have occurred at companies that comply with the Payment Card Industry Data Security Standard shows "there is a sense that there is a difference between security and compliance," said Richard Moulds, the vice president of product strategy at Thales' e-security group. Being PCI-compliant "doesn't mean you are secure," he said.
Thales, a French electronic payments company, and Ponemon, a research group in Traverse City, Mich., collaborated on the survey of 155 security companies that assess PCI compliance. Sixty percent said data encryption is the most effective way to safeguard data. The report was released Tuesday.
A growing number of merchants are expressing interest in encryption, Moulds said, "even if it is not required by PCI."
The Payment Card Industry Security Standards Council intends to release an updated data security standard in October that many security assessors expect will clarify the trade group's position on encryption, said Larry Ponemon, the chairman and founder of the Ponemon Institute.
Without this guidance, there could be variation "that could be harmful to the quality of the" security standard process, he said. Some assessors may believe they can achieve security by working around encryption, and "that could be wrong. There could still be holes in the system," Ponemon said.