Market Research Report

Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI

Published by Mercator Advisory Group, Inc.
Published March, 2009 Product code 83754
Content info 28 pages, 6 exhibits & 4 tables.
Price
US $ 2950 PDF by E-mail (Single User License)


Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI was published by Mercator Advisory Group, Inc. in March, 2009. This report consists of 28 pages, 6 exhibits & 4 tables, and the price starts from US $ 2950.

Introduction

Abstract

Boston, MA. - March 18, 2009 - Given the high cost of compliance and the operational risk of non-compliance, merchants are between the proverbial rock and hard place. Merchants are looking at how to mitigate both the cost of compliance and their risk profile. With data breaches, fraud and the scope of PCI compliance expanding, tokenization of card numbers has emerged as a trade-off-rich approach for merchants.

A new report from Mercator Advisory Group's Emerging Technologies Practice, Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI, looks at merchant strategies to meet and lower their PCI compliance burden and examines tokenization in great detail.

Based on the findings of this research report, it's Mercator Advisory Group's position that merchants can improve their risk profile and lower PCI compliance costs through third party storage of card data. That said, choosing the tokenization vendor to provide that service requires careful selection and evaluation of the trade-offs involved.

"Going down the tokenization path requires an eyes-wide-open process to balance PCI compliance cost avoidance against business continuity risk," comments George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service and author of the report. "Not only are there risks with reliance on third party operations, the decision should be made considering the enterprise's information security strategy and with the expectation that end-to-end encryption of card data may well become a PCI requirement in the future."

For merchants anxious to change their PCI compliance profile, Peabody states that the growing number of tokenization vendors and the range of delivery models that include card processing give merchants plenty of choices. Tokenization does require, however, varying levels of integration by the merchant, running from the simple to months of recoding line-of-business applications.

Report Highlights Include:

  • As hackers continue to breach the payment network, the average cost per data breach now exceeds $6.65 million.
  • As new attack vectors are identified, the cost of PCI compliance rises in parallel, into the millions per year for large merchants.
  • Tokenization and the outsourcing of card number storage is a leading technique to limit the scope of a merchant's PCI audit and to outsource liability in the event of a data breach, an appealing combination to cost-conscious merchants.
  • Tokenization is available through multiple delivery models and a growing variety of vendors, from licensed software to outsourced providers including card processors.
  • End-to-end encryption may well be the end game recommendation of PCI and, if data breaches continue to plague the payments industry and occupy headlines, that recommendation may become a mandate within two years.

Companies Mentioned in This Report:

Shift4, Braintree Payment Solutions, Merchant Link, Electronic Payment Exchange (EXP), Paymetric, nuBridges, Elavon, Southern Data Comm, Heartland Payment Systems, RBS Worldpay, VeriFone, Semtek, Magtek, Magensa, Hypercom, Ingenico, Hannaford, TJX, Verizon, Oracle and Microsoft

This report contains 28 pages, 6 exhibits and 4 tables.

Table of Contents

Introduction

  • Outsourcing PCI is a Fairy Tale
  • End to End Encryption is Another Path
  • Not Just for Card Numbers

The Cost of Data Breaches

  • Reminder where the Problems Lie

The PCI Challenge

  • Keeping Up with PCI Requirements
  • Managementfs View on Security
  • Deciding What's Worse: PCI Enforcement or a Data Breach
  • The Never-ending Game of "Security Whack-a-Mole"

Tokenization

  • How Does Tokenization Work?
  • Encrypting the Pre Authorization
  • Tokenization in e-Commerce
  • Number Formats

Deploying Tokenization

  • Not Necessarily a Simple Switch

The Upsides of Tokenization

  • PCI Scope Reduction
  • Shifting the Liability and Risk
  • Saving the Merchant Money at the POS
  • Tokenization when Sharing Keys is Impossible

Tokenization Considerations

Changing Course is Hard to Do

  • It's MY Data
  • Not Another Third Party
  • It's a New Approach
  • The Fat New Target or Centralizing the Risk
  • So Many Token Types to Choose From
  • More than Token Account Control?
  • The Buffer in the Gateway

Costs and Savings

Vendor Considerations

Conclusions

  • What problem are we solving? PCI Compliance or data security?
  • Someone Else's Problem
  • Sustainability
  • What Else Is There to Protect?
  • The New Target?
  • Where Are We Headed?

Table of Figures

  • Figure 1: Hacker Attacks are Just 18% of Record Loss
  • Figure 2: Third Party Control Carries Risks
  • Figure 3: Tokenization at the POS
  • Figure 4: A Tokenization Scheme that circumvents the POS terminal
  • Figure 5: e-Commerce Tokenization is Straightforward