The Green Sheet Online Edition
January 12, 2009 • Issue 09:01:01
Shift4 podcast available
Shift4 Corp., a supplier of secure payment processing services, now offers the podcast "Trying to protect payment data when you can't even find it all." Produced in partnership with StorefrontBacktalk, an online resource focused on retail technology and e-commerce, the podcast is available at www.shift4.com.
The resource is intended to help merchants simplify Payment Card Industry (PCI) Data Security Standard (DSS) compliance and achieve total security for their payment systems. The podcast captures a conversation between David Taylor, founder of the PCI Knowledge Base and former Security Analyst with Gartner Inc., and J.D. Oder, Shift4's founder and Chief Technology Officer. They discuss card information replacement technologies (CIRT) and how retailers can effectively evaluate alternative payment security solutions. The podcast also covers how information technology departments can regain control of their most sensitive data.
Oder noted that if people don't possess sensitive data, it can't be stolen from them. "I think the key here is to look at this as a very corporate-wide systemic approach and look at all of the data that you're storing, including payment data," he said.
"The less storage you put in the hands of individual employees, the less likely they are to be able to put data in a whole bunch of places, whether it's USB [universal serial bus] sticks on their PCs or in e-mail addresses sitting on their servers," Taylor said.
Keep it secret, keep it safe
Storing and securing cardholder data is a top priority for financial institutions, and lost cardholder information is a nightmare for payment professionals. According to Oder, sound in-house company security policies need constant review and revision. "You can strictly enforce things, but it's a moot point if the employee does everything right and the company infrastructure fails," Oder said. "The challenge we run into is that policy is simply words. But it's the actions and ability to stay focused on a day-to-day basis that keeps card data in control. Breaches happen when mistakes are made, but simplifying PCI means having the right technology in place."
Taylor believes one way to do this is to move back to a business architecture that entails centralized computing and virtual terminal devices. The less storage you put in the hands of individual employees, the less likely they are to be able to scatter data helter-skelter across data storage systems.
Taylor noted that it will be "incredibly expensive" to make the necessary changes. "What we really need to do is look at how we reduce the volume of data that is all over the place," he said. "Finding it and purging is a necessary thing. To avoid a regression, we have to greatly confine the sensitive cardholder data we have to as few locations as possible once we find it."