The payment industry's focus on adding encryption at the point of sale to protect card data is counterproductive. MagTek's CEO says that the PCI Council, in pushing advanced encryption, is doing more harm than good.
September 27
Though
Corporations working to achieve PCI compliance face the challenge of getting top management to understand its importance and to allocate appropriate funds, where necessary, to invest in consulting and new technology.
"PCI compliance is no longer just about protecting magnetic-stripe credit card data," says Jeremy King, European director of the PCI Security Standards Council, which maintains the standard. "It is gradually serving a broader approach to overall data security, as companies take a broader look at business processes in the data-security context."
And as more companies tackle data-security issues, they are turning to one another for help in surmounting obstacles, King says.
"The most surprising thing about how PCI compliance is evolving is the way companies from around the world, often in different industries, are asking each other, 'Tell me how you did that' and are getting creative ideas and [potential ways to resolve issues] from one another," he says.
The council's European security-standards community meeting is slated for Oct. 17 to 19 in London, King says.
Each company tends to have its own challenges, but one of the most common problems organizations share when tackling PCI compliance is the difficulty integrating new data-security processes with older information-technology systems that often are costly to replace, King says.
"When trying to protect card data … it can be costly to replace legacy systems and many companies are struggling with this," King says.
Many corporations with franchise operations also are asking questions about how they can get franchisees to help shoulder the cost of new payment terminals and data-security technology, King says.
PCI compliance is such a widely varying task, based on each company's own structure and reach, that the council cannot provide specific roadmaps for its members, King said.
"It's very difficult to generalize about what any company needs to do to achieve PCI compliance, but there are certainly some common learnings, and merchants are coming together at community meetings like these to share information," he said.