Abstract
Overview
The Payment Card Industry Data Security Standard (PCI DSS) raises the high
water mark for data security. But there' s a persistent myth that PCI
compliance equals security. The reality is that PCI is only a baseline, and
one that needs to be monitored constantly as the threat landscape changes. In
the months following what may be the largest the data breach in U.S. history
at Heartland Payment SystemsR, many people are wondering if PCI is effective.
In response, the PCI Security Standards Council has released new guidance
around risk-based compliance and Qualified Security Assessor (QSA) reviews and
remediation. But will these be enough to calm the concerns that merchants have
with PCI? This report includes an update of PCI, an overview of emerging
technologies, and lessons learned from the Heartland breach. Hashing,
tokenization, end-to-end encryption, and Chip and PIN are covered in depth.
Primary Questions
- Does PCI compliance equal security?
- Which are the most common requirements not met by previously PCI-certified
firms?
- What has been learned about the Heartland breach?
- How can merchants store PAN data without violating PCI?
- What are the emerging technologies that can help merchants take PAN data
out of scope for PCI compliance?
Methodology
This report is based on data collected online from a random-sample panel of
2,339 respondents in September 2008. The survey targeted respondents based on
representative proportions of gender, age and income compared to the overall
U.S. online population. Overall margin of sampling error is ±2.03% at
the 95% confidence level, for 2008.The report was also based on interviews
with executives from the PCI Council, Heartland, and eight security vendors.
Report Statistics
- Length: 49 pages, 25 charts/graphs
- Audience: Financial institutions, marketing, issuers, acquirers,
credit card networks; merchants, and security vendors
- Authors: Robert Vamosi, Research Analyst, Risk, Fraud and Security
| 
View Cart
