On May 20, the Payment Card Industry Security Standards Council (PCI SSC) announced its new board of advisors … and I’m honored to be one of the members selected to serve for the 2011-2013 term.
Despite recent debates on the topic of credit card security, there is one thing security experts and analysts agree on — the need for end-to-end encryption.
It’s no secret the payments ecosystem is vulnerable. Much like the Internet, the payments infrastructure was developed for connectivity — not for security. Now, in the face of serious threats, the industry is playing catch up to safeguard it.
Today, wherever you see mention of payment card data security, “encryption” is sure to follow. Industry analysts, like Gartner’s Avivah Litan, are vocal in their support of end-to-end encryption. In a recent Computerworld blog, she notes, “End-to-end encryption … is a good security practice, but one which is not mandated.”
Before we can reach the point of requiring merchants to implement end-to-end encryption, we must address the nature of encryption itself. Not all encryption is created equal. Software-based encryption is a nice-to-have, but it is not as secure as hardware-based encryption. Encrypting data after it has passed through a merchant system in the clear is quite different from encrypting it the moment a card is swiped in a hardware-protected tamper-resistant security module (TRSM). Protecting data during disparate stages of the transaction lifecycle, as point-to-point encryption does, is hardly the same as protecting it continuously throughout the entire lifecycle, as true end-to-end encryption does.
This is exactly why the industry needs encryption standards. By providing standard security requirements to govern the use of encryption to secure payment card data, merchants will be able to know plain and simple if they’re protecting their businesses from the reputational and financial risks associated with data breaches.
Last year, the Secure POS Vendor Alliance introduced its end-to-end encryption security requirements for vendors of POS devices. The American National Standards Institute (ANSI) accredited standards committee, ASC X9 F6, is close to completing a true standard. These are significant steps in the right direction.
Encryption standards can’t come soon enough, but the lack thereof shouldn’t stop business owners from implementing true end-to-end encryption solutions today.
Congratulations to Bob Carr, Heartland’s chairman and chief executive officer, on his re-election as Associate Member Director of the Secure POS Vendor Alliance (SPVA)! We also extend a warm congratulations to the rest of the Board:
The SPVA has been instrumental in strengthening payment security standards across the globe with its end-to-end encryption security requirements targeted at vendors of POS devices. Under the guidance of these leaders, the SPVA is sure to continue making significant contributions to the security of the payments ecosystem in 2011 and beyond.
The announcement of Visa’s Technology Innovation Program has merchants across the globe excited and intrigued. In its February 9 statement, Visa formally introduced this international program, which encourages the use of EMV chip technologies for enhanced data security. It even states that merchants will be exempt from annual PCI DSS validation provided:
We’ve seen a few recent news stories reporting that many small business owners think cybercrime won’t happen to them, and while we agree merchants need to be better educated on the topic and the real risks, we’re witnessing a trend that shows many are taking security threats seriously — and taking action to protect themselves.