By Jeff Zimmerman
Many of the worst data breaches in history had nothing to do with a failure to be PCI compliant; they resulted from weaknesses in the payment security infrastructure.
While PCI compliance is necessary and useful, it’s not always sufficient to be fully secure. To counter this, independent software vendors (ISVs) must adopt a layered security approach that uses EMV, encryption technology, and tokenization in addition to keeping up with PCI compliance requirements. This is the only way for ISVs to ensure complete protection for themselves and their clients.
Beyond PCI compliance, the three essential components of layered security are:
EMV technology. This prevents counterfeit card fraud for card-present transactions with chip technology. However, it cannot protect card data in card-not-present environments like e-commerce websites.
Encryption technology. This protects card data in flight at the point of sale for card-present transactions when cards are swiped, dipped, or keyed into an encrypted device.
Tokenization. This allows businesses to limit their exposure to sensitive card data by storing a randomly generated code called a token instead of cardholder data. In the case of a breach, a token is worthless to a fraudster. This is a benefit for businesses that need to store card data on file, but it only protects information at rest. It leaves data vulnerable at the point of sale, which is why it should be used along with encryption and EMV technology.
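To make the tokenization point concrete, the following is an added illustration (not code from this article or from any vendor's product) of a minimal token vault: the vault alone holds the card number, the merchant's own records keep only a random token plus the last four digits, and the token has no mathematical relationship to the card number. The class and function names and the sample card number are constructed for the example.

```python
import re
import secrets

# Constructed sample PAN: a standard test number, not a real card.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Minimal tokenization vault (hypothetical, for illustration only).

    In practice the vault lives with the payment processor, outside the
    merchant's environment. Tokens are random, so a breached merchant
    database of tokens cannot be reversed without access to the vault.
    """

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            token = "tok_" + secrets.token_hex(8)  # 64 random bits
            if token not in self._pan_by_token:   # guard against collision
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map a token back; unknown tokens raise KeyError.
        return self._pan_by_token[token]


def store_card_on_file(vault: TokenVault, customer_id: str, pan: str, merchant_db: dict) -> str:
    """Save a card on file the tokenized way: the merchant keeps no PAN."""
    token = vault.tokenize(pan)
    merchant_db[customer_id] = {"token": token, "last4": pan[-4:]}
    return token


def record_leaks_pan(record: dict, pan: str) -> bool:
    """True if any field of a stored merchant record contains the full PAN."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault, merchant_db = TokenVault(), {}
    tok = store_card_on_file(vault, "customer-1", SAMPLE_PAN, merchant_db)
    print(merchant_db)                      # token and last4 only
    print(record_leaks_pan(merchant_db["customer-1"], SAMPLE_PAN))  # False
```

Detokenization happens only inside the vault, so a leak of the merchant database exposes tokens that are, as the article puts it, worthless to a fraudster.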