Wednesday, May 02, 2007

My TechTarget Article on TJX and Compliance

My article on the TJX breach and compliance mistakes came out today in SearchSecurity's Compliance newsletter.


Anonymous said...

Let's look at some ways TJX and others could have avoided many of the PCI problems you cite:

Credit Card Security: The Best way to Secure Data is to not Store Data

By J.D. Oder II

As information security has become a major focus of consumers, governments and businesses alike, the care with which companies protect credit card data has become increasingly important. In many instances, the Achilles heel of data security is a lack of application controls.
Encryption alone is not the answer. With most of the encryption techniques, the same key is used to lock and unlock the data. The problem is: How do you secure these keys in the POS application? Once these keys are compromised, the "secured" data is no longer secure.
The best way to secure data is to not store data. A technology known as "tokenization" offers a greater level of security by substituting a unique identifier (a token) for a card number, so the card data is never in the system. This token is a random unique value and has no way to be deciphered to gain knowledge of the associated card information. The primary objective of tokenization is to enable businesses to operate normally while not storing the sensitive data that is the target of data thieves.
With tokenization, the purchase starts off the same. The merchant swipes the card data and sends the information through a gateway to a processor and receives back from the processor an approval. Instead of sending the card data itself back to the merchant and the POS system, it is converted to a token: a globally unique, randomized representation of credit card data that is 16 characters long. Only the token is stored in the system.
The token spans the lifetime of the transaction so it provides full support for tips, tabs and incremental authorizations. The merchant does not need the card number or data past the initial request, so storing this information is unnecessary. The entire liability to protect the card data is now on the gateway, where it should be.
This technology also eases the burden of compliance for merchants. If no data is stored on site, the merchant has a significantly reduced PCI compliance burden.
# # #
J. D. Oder II is Vice President, Research and Development/CTO of Shift4 Corporation. Shift4, a leading developer of secure financial transaction processing software and services, provides secure, web-based, real-time enterprise payment solutions for the hospitality, retail, foodservices, auto rental, and e-commerce markets.

8:48 AM  
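The flow the comment describes, as an added illustration (not code from this post or from Shift4): a hypothetical gateway that keeps the PAN in its own vault and hands the merchant a random 16-character token, and a POS that persists only that token and uses it for tips and incremental authorizations. Class names, cent amounts and the test card number are constructed.

```python
import secrets
import string

TOKEN_LEN = 16  # the 16-character token the comment describes


class Gateway:  # hypothetical processor-side gateway: the only place the PAN lives
    def __init__(self):
        self._vault = {}  # token -> PAN; never sent back to the merchant

    def _new_token(self):
        # Random, not derived from the PAN, and unique across the vault.
        alphabet = string.ascii_uppercase + string.digits
        while True:
            token = "".join(secrets.choice(alphabet) for _ in range(TOKEN_LEN))
            if token not in self._vault:
                return token

    def authorize(self, pan, amount_cents):
        # Initial request: the PAN comes in, only a token goes back out.
        token = self._new_token()
        self._vault[token] = pan
        return {"approved": True, "amount": amount_cents, "token": token}

    def adjust(self, token, amount_cents):
        # Tips and incremental authorizations are keyed by the token alone.
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"approved": True, "amount": amount_cents, "token": token}


class MerchantPOS:  # hypothetical POS that persists only the token it received
    def __init__(self, gateway):
        self.gateway = gateway
        self.open_tabs = {}  # ticket id -> {"token": ..., "amount": ...}

    def start_tab(self, ticket_id, pan, amount_cents):
        resp = self.gateway.authorize(pan, amount_cents)
        self.open_tabs[ticket_id] = {"token": resp["token"], "amount": amount_cents}
        return resp["token"]

    def add_tip(self, ticket_id, tip_cents):
        tab = self.open_tabs[ticket_id]
        tab["amount"] += tip_cents
        self.gateway.adjust(tab["token"], tab["amount"])
        return tab["amount"]


def pos_storage_contains_pan(pos, pan):
    # What someone who dumps the POS database would find: the PAN, or not.
    return pan in repr(pos.open_tabs)
```

The same card tokenized twice yields two unrelated tokens, which is the property that makes a stolen POS database useless without the gateway's vault.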
