Payment Card Data Security's 2011 Highlights, Lowlights

In the realm of payment card data security, 2011 qualifies as the year in which "more" became a key term on many levels.

More vendors created more security devices and defense mechanisms, and more merchants became more aware that more defense mechanisms were needed. Unfortunately, more organized crime rings got more involved in unleashing more hacking attacks on payment networks.

The good news is that the number of breached payment records worldwide has fallen steadily over the past few years, from a reported 361 million in 2008 to fewer than 4 million in 2010, according to Verizon Communications and U.S. Secret Service reports.

That decline illustrates the industry's heavier emphasis on security and reflects the positive impact of new products and new Payment Card Industry Security Standards Council guidelines and requirements.

The year produced several rounds of debate on security, spurred along by the PCI council's initiatives and Visa Inc.'s push last summer to bolster security by offering U.S. merchants incentives to reduce PCI compliance fees if they met deadlines to convert to the EMV contact and contactless cards common in Europe.

In an indication of heightened security awareness, Visa earlier in the year had issued its own study showing a high percentage of payment service providers were improving their PCI compliance.

In August the PCI council, of Wakefield, Mass., released guidelines for the tokenization security process. A month later it came out with requirements for use of advanced, or end-to-end, encryption, with an emphasis on the use of back-end hardware security modules.

As mobile payment devices proliferated, the need for defenses became more pronounced. The PCI council announced in October that it would offer testing for encryption use in new mobile devices that manufacturers were developing or merchants were using.

While card data security at call centers and the creation of secure card readers in taxicabs and other transportation vehicles garnered attention, it was clear that mobile, online and cloud computing security would be hot topics in 2012.

To that end, the PCI council in November announced that special interest groups would study online and cloud computing security in 2012 to establish security compliance requirements and standards.
