November 1, 2007, 12:00 AM

Company offers alternative to meeting payment data encryption requirements

Retailers struggling with the data encryption requirements of the Payment Card Industry standard have another option—deploying “compensating” controls like monitoring financial site activity, says Ted Julian of Application Security Inc.

Paul Demery

Managing Editor, B2B E-commerce

Retailers struggling to meet the stringent data encryption requirements of the Payment Card Industry Data Security Standard (PCI DSS) have another option: so-called “compensating” controls, such as monitoring financial activity on a retail web site, says Ted Julian, vice president of marketing for Application Security Inc., a database security firm.

To meet the PCI encryption requirement, retailers often have to overhaul their entire system or change the way they do business, Julian says.

“Encryption ranges from difficult to impossible for merchants and retailers to deploy,” he says, noting that older legacy systems typically won’t support it. “It is without question the most difficult of the PCI requirements to meet.”

But the PCI standard allows retailers to substitute less costly and more practical alternatives if they achieve the same goal: protecting confidential cardholder data. The bar is not low, however. Under the standard's compensating-controls appendix a substitute must meet the intent and rigor of the original requirement, provide a similar level of defense, go beyond what other PCI requirements already demand, and be commensurate with the added risk of not meeting the requirement as written, and the retailer's assessor has to accept the justification.

For encryption, one such compensating control is activity monitoring: watching the use of financial information in a retailer’s database, Julian says. “In the worst case scenario, you can detect a breach, contain it and intelligently respond to it,” he says. “In the best case scenario, you’re able to flag a reconnaissance attempt (in which crooks perform test transactions using stolen numbers) and, because you’ve done that in a timely and contextual fashion, prevent the ultimate breach.”
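What the monitoring Julian describes looks like in practice, as an added example that is not code from the article or from Application Security Inc.: a small detector that reads database audit events and raises the three alerts a retailer would want from a compensating control for stored card data, a principal other than the payment application touching the card table, a single statement pulling far more rows than a checkout needs, and the card-testing reconnaissance pattern of many distinct cards looked up from one source in a short window. The audit line format, field names, table and account names, thresholds and sample events are all constructed for illustration; the card field is an opaque token rather than a PAN, since an audit log must never carry card numbers itself.

```python
"""Database activity monitoring as a PCI compensating control: detection
logic over a small set of constructed audit events.

Added example, not the article's or Application Security Inc.'s code.
The event format, field names, account allowlist and thresholds are
assumptions made for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per statement, in the shape a hypothetical audit agent might emit.
# "card" is an opaque token (never a PAN); it is absent on non-card statements.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt=(?P<stmt>\w+) "
    r"table=(?P<table>\w+) rows=(?P<rows>\d+)(?: card=(?P<card>\S+))?$"
)

# Assumed policy: only the payment application account may read card data,
# and a legitimate checkout touches exactly one card at a time.
CARD_TABLE = "cardholder_data"
APP_ACCOUNTS = {"pay_app"}
BULK_ROWS = 100                    # more rows than any single checkout needs
RECON_WINDOW = timedelta(seconds=60)
RECON_DISTINCT_CARDS = 5           # distinct cards from one source in the window


def parse(line):
    """Turn one audit line into a dict with typed timestamp and row count."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["rows"] = int(ev["rows"])
    return ev


def analyze(lines):
    """Return a list of (rule, source, detail) alerts, oldest first."""
    alerts = []
    recent = defaultdict(deque)   # per-source sliding window of (ts, card)
    flagged_recon = set()         # report card testing once per source

    for ev in map(parse, lines):
        if ev["table"] != CARD_TABLE:
            continue

        # Rule 1: a principal outside the payment app touching card data.
        if ev["user"] not in APP_ACCOUNTS:
            alerts.append(("unauthorized_principal", ev["src"],
                           f"{ev['user']} ran {ev['stmt']} on {CARD_TABLE}"))

        # Rule 2: one statement returning far more rows than a checkout needs.
        if ev["stmt"] == "SELECT" and ev["rows"] > BULK_ROWS:
            alerts.append(("bulk_read", ev["src"],
                           f"{ev['rows']} rows returned in one statement"))

        # Rule 3: card-testing reconnaissance, i.e. many distinct cards
        # looked up from one source inside a short window.
        if ev["stmt"] == "SELECT" and ev["card"]:
            win = recent[ev["src"]]
            win.append((ev["ts"], ev["card"]))
            while win and ev["ts"] - win[0][0] > RECON_WINDOW:
                win.popleft()
            distinct = {card for _, card in win}
            if (len(distinct) >= RECON_DISTINCT_CARDS
                    and ev["src"] not in flagged_recon):
                flagged_recon.add(ev["src"])
                alerts.append(("card_testing", ev["src"],
                               f"{len(distinct)} distinct cards in "
                               f"{RECON_WINDOW.seconds}s"))
    return alerts


# Constructed sample: two normal checkouts, a DBA account dumping the card
# table, a burst of lookups against different cards from one source, and an
# unrelated order update that the detector should ignore.
SAMPLE_LOG = [
    "2007-11-01T09:00:00 user=pay_app src=10.0.0.5 stmt=SELECT table=cardholder_data rows=1 card=tok_a1",
    "2007-11-01T09:00:30 user=pay_app src=10.0.0.6 stmt=SELECT table=cardholder_data rows=1 card=tok_b2",
    "2007-11-01T09:01:00 user=dba_joe src=10.0.0.9 stmt=SELECT table=cardholder_data rows=48213",
    "2007-11-01T09:02:00 user=pay_app src=10.0.0.7 stmt=SELECT table=cardholder_data rows=1 card=tok_c3",
    "2007-11-01T09:02:05 user=pay_app src=10.0.0.7 stmt=SELECT table=cardholder_data rows=1 card=tok_d4",
    "2007-11-01T09:02:10 user=pay_app src=10.0.0.7 stmt=SELECT table=cardholder_data rows=1 card=tok_e5",
    "2007-11-01T09:02:15 user=pay_app src=10.0.0.7 stmt=SELECT table=cardholder_data rows=1 card=tok_f6",
    "2007-11-01T09:02:20 user=pay_app src=10.0.0.7 stmt=SELECT table=cardholder_data rows=1 card=tok_g7",
    "2007-11-01T09:05:00 user=pay_app src=10.0.0.5 stmt=UPDATE table=orders rows=1",
]

if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_LOG):
        print(f"{rule:22} {src:10} {detail}")
```

The point of the three rules is that they are stated in terms of what a legitimate checkout does, one application account, one card, one row at a time, so anything else stands out without the detector needing to know the attacker's tooling. Thresholds and the allowlist would come from the retailer's own baseline, and the alerts would feed whatever response process the assessor was shown when the control was accepted.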

Setting up compensating controls in place of encryption can be less expensive and easier to do, and it yields more effective security than encryption would on its own, Julian says. Retailers also see a quicker return on their investment than with encryption, he adds.

“Security could be even better arguably because you’re able to prevent the breach, which is seemingly the whole idea of PCI, as opposed to focusing on making it difficult for criminals to make any use of what they’ve stolen,” he says. “The idea of encryption is maybe they can get the data, but we’re going to render it useless.”

Activity monitoring also causes less disruption to a retailer’s operations. “It’s not unusual for a fast encryption deployment to take six months to a year, and that’s just for your first one,” Julian says.

In contrast, a retailer could do a much more thorough and complete activity-monitoring deployment in about six to nine months, he says.
