One positive point of the last year's troubles is that data security now has the attention of C-level executives, as stopping data breaches also means job security for those executives, said Stephen W. Orfei, the incoming general manager of the PCI Council.
Also, all of the breaches of the last year could have been prevented, Orfei said. The industry is looking at ways to "devalue" payment card data, or modify it so that it would be useless if it fell into the hands of criminals, he said.
One of those technologies is point-to-point encryption, which involves encrypting card data immediately after it is collected. Many of the recent data breaches have been attributed to malware that collects the remnants of card data from a computer's RAM; if that data were already encrypted at the point of capture, what the malware collected would be unusable.
Point-to-point encryption isn't mandatory in PCI-DSS 3.0, but it is a standalone recommendation, said Troy Leach, CTO of the PCI Council. "We have looked at the future and what version 4.0 may bring, and that is a likely possibility," he said.
Also in discussion is wider use of tokenization, Orfei said. Tokenization involves using a numerical representation of a real payment card number to authorize payments. If intercepted, the token wouldn't be of use to criminals to authorize further transactions, unlike a full card number.
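As an added illustration of the "devaluation" idea in the two paragraphs above (not code from the PCI Council or from this article), here is a hypothetical tokenization vault that replaces a card number with a random token, alongside a simulated RAM-scraper scan showing that the merchant's retained record contains nothing a scraper would recognize as a card number. The test PAN, the record layout and the vault's API are constructed for the example.

```python
from __future__ import annotations
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check, the test a RAM scraper applies to tell real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Hypothetical tokenization service: the only place the token<->PAN map exists."""
    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:  # same card always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # keep the last four digits (what receipts show), randomize the rest
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_valid(token):
                # changing one digit always breaks Luhn, so a stolen token never
                # passes as a live card number at a scraper or an authorizer
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reversal needs vault access; merchant systems never hold this map."""
        return self._token_to_pan[token]

def scrape_for_pans(memory: str) -> list[str]:
    """Simulates what RAM-scraping malware hunts for: Luhn-valid 13-19 digit runs."""
    return [m for m in re.findall(r"\d{13,19}", memory) if luhn_valid(m)]

def merchant_record(vault: TokenVault, order_id: int, pan: str) -> str:
    """What the merchant retains after the swipe: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return f"order={order_id} token={token} last4={pan[-4:]} amount=42.00"
```

Run `scrape_for_pans` over a raw buffer holding the PAN and over `merchant_record(...)` to see the difference: the first returns the card number, the second returns nothing.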
"If you think about it, the technology is there now," Orfei said. "You can actually devalue the data, and that is the end game."