April 29, 2010, 12:35 PM

New payment security rules may focus on using tokens to mask card data

41% of payment security professionals polled in a new study say they think upcoming payment security standards slated for release in October will promote turning cardholder data into a token to keep it secure.

Katie Evans

Managing Editor, International Research

41% of payment security professionals polled in a new study say they think upcoming payment security standards slated for release in October will promote turning cardholder data into a token to keep it secure. The process, called tokenization, replaces payment data with a code so that a merchant never sees or stores customer account data on its own computer network, and instead maintains the data in a secure database, often maintained by an outside security firm.

The poll of 155 payment security auditing firms also found that bigger merchants are shelling out more to keep their payment data secure. Tier 1 merchants, or the merchants with the highest payment processing volumes (six million transactions or more annually), pay $122,000 more on average than Tier 2 merchants (those processing from one million to six million card payments annually) for payment security assessments, the study says. On average, Tier 1 merchants pay about $225,000 for payment security audits, compared with $103,000 for Tier 2 merchants. Additionally, 10% of merchants are spending $500,000 or more annually on payment security audits. The largest service providers, such as major payment processors, pay on average about $204,000 for payment security assessments, the study says.

As for the security practices in place today, 60% of auditors say end-to-end encryption is the most effective means to protect cardholder data. 35% say tokenization is the best method. Meanwhile, 41% feel controlling access to encryption keys is the most difficult task for merchants that encrypt data.

End-to-end encryption is the act of encrypting card data throughout the payment lifecycle from the time a card transaction is captured, through processing, and as long as it’s necessary to keep cardholder data on hand.

While auditors deem encryption effective, many companies are confused about encryption procedures, says Larry Ponemon, chairman and founder of The Ponemon Institute, which conducted the study on behalf of security firm Thales. Therefore, most professionals believe the new payment security standards will offer more clarity on how encrypted data should be treated in security audits, he says. Other notable findings in the study include:

  • The three most difficult payment security requirements for businesses to meet are: Restricting access to cardholder data, developing and maintaining secure systems and applications, and tracking and monitoring all access to network resources and cardholder data.
  • Firewalls and encryption were reported as the most effective technologies for achieving compliance.
  • The three most common reasons business keep payment data on hand are: for handling chargebacks, providing customer service and processing recurring subscriptions.
  • Cardholder data is most at risk when traveling across merchant networks and when stored in databases, according to auditors.
  • On average, just 2% of companies fail security compliance audits outright.
  • 42% of companies are not making data security a strategic priority, 51% are not proactively managing data privacy and protection, and 54% are overwhelmed by the cost of compliance.
  • The two systems that hold payment data most at risk to being exposed are merchant networks and merchant databases.
  • The three most important security rules according to auditors are: Restricting access to cardholder data, regularly testing security systems and processes, and encrypting transmission of cardholder data across open, public networks.


Sign In to Make a Comment

Comments are moderated by Internet Retailer and can be removed.

Not a member? Signup for free today!




Relevant Commentary


Jason Squardo / Mobile Commerce

Five tips for achieving high mobile search rankings

Searches on mobile devices will soon exceed those on computers, Google says. Retailers that keep ...


Sergio Pereira / B2B E-Commerce

Quill turns to its B2B customers for new ideas

Coming in April is a new section of Quill.com that will let customers and Quill ...