PCI Gotchas: 12-Year-Old Data And Publishing Encryption Keys

In retail security circles, the buzz these days surrounds techniques for replacing stored card data, tokenization chief among them. The problem? All of the approaches sound pretty much identical until you get deep into the details, which is hardly practical when you're trying to narrow a field of 30 vendors down to a handful worth evaluating in depth.

StorefrontBacktalk held a podcast this week to try to work out how to make that triage easier. Our own PCI columnist, David Taylor, pointed out that IT far too often leaves the financial side, the comptroller in particular, and the payment processor out of the decision process. Those are two players whom you really want to keep involved.

Panelist J.D. Oder, the chief technology officer at Shift4, warned against approaches that don't try to protect data at every stage. For example, he spoke of some retailers who are using tokenization but are then "printing this token on the receipts, and it's a portion of their encryption keys and they're releasing those to the world." He also complained that the card brands are making the problem far worse by refusing to shorten how long their expiration dates are valid, which keeps every stored copy of a card number usable for that entire window. "We now have to worry about data that's been there as many as 12 years." The full discussion is available in the podcast.
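The receipt problem Oder describes is worth seeing in code. The block below is an added illustration, not code from the podcast, from Shift4 or from any vendor discussed: it puts a hypothetical token scheme that is built from key material next to a vault-backed random token, prints the receipt line each produces, and runs a simple review-time check that flags tokens containing runs of the key. The PAN, the key and the "leaky" scheme are all constructed for the example.

```python
"""Tokens that leak key material vs. tokens with no relation to the key.

Added illustration for the receipt problem discussed above; not code from the
podcast or from Shift4. The PAN, the key and the 'leaky' scheme are constructed.
"""
import secrets

# Constructed test PAN (a well-known Luhn-valid test number), not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed 256-bit "encryption key", fixed so the demo is deterministic.
SAMPLE_KEY = bytes(range(32))


def leaky_token(pan: str, key: bytes) -> str:
    """Hypothetical bad scheme: the token is derived from the encryption key.

    Half of the key (16 hex chars) is used as a 'reference prefix' and the
    last four PAN digits are appended. Every receipt that carries this token
    publishes 128 bits of the key to whoever picks it up.
    """
    return key.hex()[:16] + pan[-4:]


def vaulted_token(pan: str, vault: dict) -> str:
    """Random token: 128 bits from the OS CSPRNG, mapped to the PAN in a vault.

    The token has no mathematical relation to the PAN or to any key, so a
    receipt (or a breached POS log) that shows it reveals nothing usable on
    its own. In production the vault is encrypted and access-controlled; the
    in-memory dict here stands in for it.
    """
    token = secrets.token_hex(16)
    while token in vault:  # collision is vanishingly unlikely, but stay correct
        token = secrets.token_hex(16)
    vault[token] = pan
    return token


def receipt_line(pan: str, token: str) -> str:
    """Show only the last four PAN digits (the usual allowed display) plus the token."""
    return f"CARD ****{pan[-4:]}  REF {token}"


def leaks_key_material(token: str, key: bytes, min_hex_chars: int = 8) -> bool:
    """True if any run of >= min_hex_chars of the key's hex appears in the token.

    A cheap check to run against a proposed token format: a True result means
    the token is derived from, and therefore exposes, bytes of the key.
    """
    key_hex = key.hex()
    token = token.lower()
    for start in range(0, len(key_hex) - min_hex_chars + 1):
        if key_hex[start:start + min_hex_chars] in token:
            return True
    return False


def demo() -> dict:
    """Run both schemes on the constructed PAN and report what each exposes."""
    vault: dict = {}
    bad = leaky_token(SAMPLE_PAN, SAMPLE_KEY)
    good = vaulted_token(SAMPLE_PAN, vault)
    return {
        "leaky_receipt": receipt_line(SAMPLE_PAN, bad),
        "leaky_exposes_key": leaks_key_material(bad, SAMPLE_KEY),
        "vaulted_receipt": receipt_line(SAMPLE_PAN, good),
        "vaulted_exposes_key": leaks_key_material(good, SAMPLE_KEY),
        "vault_resolves": vault[good] == SAMPLE_PAN,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the check is not cryptographic rigor but a quick sanity test during vendor evaluation: if a candidate token format ever trips `leaks_key_material` against a known key, the token is not a token but a key fragment with a card suffix attached, and nothing printed, logged or stored downstream of it can be treated as out of scope.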