End-point encryption to revolutionise PCI compliance

End-point encryption is set to revolutionise Payment Card Industry (PCI) compliance requirements for retailers.

October 11, 2013

End-point encryption is set to revolutionise Payment Card Industry (PCI) compliance requirements for retailers by simplifying the process and providing increased levels of security.

Vaughan Alexander, Innervation Value Added Services Executive for payments, says that end-point encryption is a new standard issued internationally by the PCI council. It requires the encryption of card holder data in a payment transaction from the point of interaction where the card is used, right through to the authorisation of the transaction.

“PCI compliance has always been about protecting the card holder information, including their name, card number and so on. However, currently, only the PIN number is encrypted in the transaction; the rest of the information is protected behind the network security of the retailer.

“This will change with end-point security, with the entire process being encrypted from when the card is used, right through to the transaction being delivered to the payment switching provider or bank,” he says.

The increased security of the transaction will also result in PCI compliance requirements being reduced to some degree, making it less onerous for retailers to be compliant.

The standard is currently being rolled out locally by banks and switching providers, with point of sale hardware manufacturers expected to issue new software shortly which will comply with the standard.

Furthermore, regulations issued by the Payments Association of South Africa (PASA) for the tokenisation of credit card numbers have also increased security around card holder information.

“Instead of credit card information being printed on a slip, the transaction is tracked by a token, keeping the card holder’s information safe at all times,” he says.

These changes are expected to reduce the cost of PCI compliance to retailers in South Africa, according to Alexander.

The focus for protecting the information will now move to the switching provider and/or bank, where the information is decrypted.

“Previously PCI compliance was simply a cost of doing business, but provided no inherent business value. However, end-point encryption will not only reduce the cost of PCI compliance but will provide increased value through the encryption of the cardholder data, thereby reducing risk and compliance costs to the retailer,” he says.