The E3 Blog

Reducing the Scope of PCI-DSS, Increasing Compliance and Minimizing Risk

| Tuesday, June 28th, 2011

Coalfire Systems, a leading Payment Card Industry (PCI) Qualified Security Assessor (QSA), performed two independent assessments of our E3™ end-to-end encryption solution. The first report, released in November 2010, documented that using the E3 standalone terminal has the potential to reduce PCI scope by up to 79 percent. The second report, released in January 2011, documented that using the E3 magnetic stripe reader (MSR) wedge could eliminate the need for PA-DSS validation and has the potential to reduce PCI scope by as much as 69 percent. Both reports contained two tables:

  1. The first table listed the 12 main PCI-DSS requirements and the potential scope reduction possible.
  2. The second table detailed the possible scope reduction for all 200+ individual PCI-DSS requirements.

Within the 2011 Verizon Data Breach Investigation Report, there was a table based on post-breach reviews that documents the percent of investigated organizations that were compliant with each of the specific 12 PCI-DSS requirements. The table included data from the 2008, 2009 and 2010 Verizon reports as well as the 2010 PCI Compliance Report.

I thought it would be interesting to compare the table of PCI-DSS requirements as documented by Coalfire in the E3 assessments to the average of the four reports that Verizon listed (last column).

Data Breach Intel

| Thursday, June 23rd, 2011

The Verizon RISK Team recently released its 2011 Data Breach Investigations Report. This year’s report included data from the U.S. Secret Service and the Dutch High Tech Crime Unit. The data reported spans 761 investigated compromise incidents in 2010 and contained some interesting results, especially for the small and medium-sized business. The report is very well done and a must-read for anyone in the business of protecting their customers’ data.

Here are some of the highlights:

  • 92% of attacks were not highly difficult
  • 96% of breaches were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance
  • 83% of victims were targets of opportunity
  • 57% of investigations were businesses with 11-100 employees
  • 40% of breaches were in the hospitality industry (restaurants and hotels)

New PCI Board of Advisors Begins Work in June

| Tuesday, May 31st, 2011

On May 20, the Payment Card Industry Security Standards Council (PCI SSC) announced its new board of advisors … and I’m honored to be one of the members selected to serve for the 2011-2013 term.

Is Payment Card Data “Hiding” Right Under Your Nose?

| Thursday, April 14th, 2011

“This call is being recorded for quality-assurance purposes.” As consumers, we’ve heard it a million times and don’t think much of it. As business owners, it means more than quality control and customer service training assets. It’s also an indicator that you may be storing cardholder data in recorded call logs — and not even realize it.

Not All Encryption is Created Equal

| Wednesday, March 30th, 2011

Despite recent debates on the topic of credit card security, there is one thing security experts and analysts agree on — the need for end-to-end encryption.

It’s no secret the payments ecosystem is vulnerable. Much like the Internet, the payments infrastructure was developed for connectivity — not for security. Now, in the face of serious threats, the industry is playing catch up to safeguard it.

Today, wherever you see mention of payment card data security, “encryption” is sure to follow. Industry analysts, like Gartner’s Avivah Litan, are vocal in their support of end-to-end encryption. In a recent Computerworld blog, she notes, “End-to-end encryption … is a good security practice, but one which is not mandated.”

Before we can reach the point of requiring merchants to implement end-to-end encryption, we must address the nature of encryption itself. Not all encryption is created equal. Software-based encryption is a nice-to-have, but not as secure as hardware-based encryption. Encrypting data after it has passed through a merchant system in the clear is quite different from encrypting data the moment a card is swiped in a hardware-protected tamper-resistant security module (TRSM). Protecting data during disparate stages of the transaction lifecycle, like point-to-point encryption, is hardly the same as protecting it continuously throughout the entire lifecycle, like true end-to-end encryption.

This is exactly why the industry needs encryption standards. By providing standard security requirements to govern the use of encryption to secure payment card data, merchants will be able to know plain and simple if they’re protecting their businesses from the reputational and financial risks associated with data breaches.

Last year, the Secure POS Vendor Alliance introduced its end-to-end encryption security requirements for vendors of POS devices. The American National Standards Institute (ANSI) accredited standards committee, ASC X9 F6, is close to completion of a true standard. These are significant steps in the right direction.

Encryption standards can’t come soon enough, but the lack thereof shouldn’t stop business owners from implementing true end-to-end encryption solutions today.
