Retailers struggling with the data encryption requirements of the Payment Card Industry standard have another option—deploying “compensating” controls like monitoring financial site activity, says Ted Julian of Application Security Inc.
Retailers struggling with meeting the stringent data encryption requirements of the Payment Card Industry standard have another option-so-called “compensating” controls such as monitoring financial activity on a retail web site, says Ted Julian, vice president of marketing for Application Security Inc., a database security firm.
To meet the PCI encryption requirement, retailers often have to overhaul their entire system or change the way they do business, Julian says.
“Encryption ranges from difficult to impossible for merchants and retailers to deploy,” he says, noting that older legacy systems typically won’t support it. “It is without question the most difficult of the PCI requirements to meet.”
But the PCI standard allows retailers to substitute less costly and more practical alternative methods if those alternatives achieve the same goal-protecting confidential customer data.
For encryption, one such compensating control is activity monitoring-watching the use of financial information in a retailer’s database, Julian says. “In the worst case scenario, you can detect a breach, contain it and intelligently respond to it,” he says. “In the best case scenario, you’re able to flag a reconnaissance attempt (in which crooks perform test transactions using stolen numbers) and, because you’ve done that in a timely and contextual fashion, prevent the ultimate breach.”
Setting up compensating controls for encryption can be less expensive, easier to do, and it yields more effective security than encryption would on its own, Julian says. Retailers also see a quicker return on their investment than with encryption, he adds.
“Security could be even better arguably because you’re able to prevent the breach, which is seemingly the whole idea of PCI, as opposed to focusing on making it difficult for criminals to make any use of what they’ve stolen,” he says. “The idea of encryption is maybe they can get the data, but we’re going to render it useless.”
Activity monitoring also causes less disruption of a retailer’s operations. “It’s not unusual for a fast encryption deployment to take six months to a year, and that’s just for your first one,” Julian says.
In contrast, a retailer could do a much more thorough and complete activity-monitoring deployment in about six to nine months, he says.