Data is the New Currency

In today’s digital world, data is currency. Nowhere does this phenomenon show itself more clearly than in the world of payment transactions. Payment forms have taken a variety of identities from mobile pay, cryptocurrency, stored transactions, in-app transactions, money transfer apps, etc. And, yes, credit cards are still used, albeit with a few new features such as chip and pin number. 

This payment data, combined with other consumer information, has become the lifeblood for businesses wishing to make informed decisions about what to sell, who to sell it to, where to sell it and how. The requirement for securing payment transactions has become so much more than preventing financial theft. Payment security from beginning to end becomes necessary to enable consumers to comfortably operate in a digital ecosystem, enable businesses to rely on their information to make intelligent business decisions and to protect privacy and intellectual property. Transaction security enables digital prosperity, and a new evolution is needed in how we think about payment security. 

Beginning in the late 1990s, it became apparent that information security standards were necessary to protect credit card holder information. By 2004 the five major card brands and some of the best and brightest in the cyber security industry got together to form the first Payment Card Industry Data Security Standard (PCI DSS), an information security standard for organizations that handle branded credit cards from the major card schemes. This was a foundational moment for the security industry and business, and it drove (and continues to drive) the majority of information security spending in the retail, travel and hospitality sectors. Were it not for this collaborative effort and the continuous updates to the standard, the newsworthy breaches we read about today would be a daily occurrence and confidence in our digital payment infrastructure probably wouldn’t exist. The PCI standard gave us a well-defined series of controls and made them a minimum expectation for securing a credit card transaction. We’re all in better shape because this standard exists. 

Other, perhaps less well-known standards to those outside of the cyber security industry have also come together to improve our posture when it comes to payment security. Examples would include the Payment Card Industry PIN Transaction Security (PCI PTS), Payment Card Industry Payment Application Data Security Standards (PCI PA-DSS), Europay, Mastercard, Visa (EMV), Point to Point Encryption (P2PE) and other technical, engineering and regulatory standards. 

These standards are necessary and continue to drive innovation in payment security, yet we in the cyber security industry still find ourselves struggling to prevent breaches, we still find ourselves defending our budgets against the daily news cycle and our business environments are changing rapidly. We have to evolve our approach from simply being compliant with standards (which is necessary and good), to securing payment transactions from start to finish.   

In the white paper, Building a Secure Payment Lifecycle, Optiv expands upon the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, and it describes additional considerations that influence merchants’ ability to attain not only compliance but also solve top payment security challenges.