How Fast Is Fast Enough For Encryption?

There's a very wise business adage that instructs customers to not judge a vendor by the mistakes that it makes nearly as much as by how it deals with mistakes once it makes them.

Last week, StorefrontBacktalk ran a story chastising a security vendor, Shift4, for having issued a news release that said retailers using its products wouldn't have to worry about PCI requirements because they would be excluded.

Those retailers, of course, still have to deal with PCI and Shift4—in an impressive move—paid to issue a corrected news release admitting its error.

So they score 10 points for having the integrity to fix an error. But the core issue involved is still unresolved. Shift4's argument is that they put their software in the very front of the software process, allowing the data to be encrypted so early as to supposedly prevent interception.

Some argue, though, that only by securing the swipe hardware itself can a transaction be considered even remotely secure. In a good example of how Comments should work, a Shift4 manager and a rival security executive argued the pros and cons of these approaches. It's a discussion very much worth reading.