Don’t protect your data – devalue it

Instead of always being on the defensive when protecting cardholder data, companies should try a completely different approach – devaluing that data, Ruston Miles said.

Mr. Miles is the founder and chief strategy officer of Bluefin Payment Systems, a payment security platform supporting payment gateways processors and ISVs in more than 20 countries. We spoke about Bluefin’s PCI-validated point-to-point encryption (P2PE) solutions which encrypt cardholder data at the point of interaction in a PCI-approved P2PE device, with decryption completed off-site in an approved Bluefin Hardware Security Module.

Ruston Miles

P2PE is the answer to the malware attacks that have plagued companies like Home Depot, Mr. Miles said. It is also effective for healthcare and higher education, two industries with numerous separate vendors such as cafeterias, gift shops and administrative functions. Each of those components has its own payment system that has its security strengths and weaknesses.

One breach at the weakest point and everyone from the coffee shop to doctors are at risk, Mr. Miles said.

“With doctors, their name is their brand. Loyalty is very important.”

Bluefin takes a different approach, Mr. Miles said. The normal strategy companies employ is a defensive one where the focus is on keeping the bad guys out. They have proven adept at getting in, so why not leave them with nothing valuable to pursue?

“Instead of defending data, devalue it,” Mr. Miles said.

With P2PE, data gets encrypted on a one-time basis when the card is swiped at the merchant, so even if a hacker is successful at placing malware in a system, any information they get is useless to them. Frustrated, they move elsewhere instead of lying undetected for, in some cases, years before (if) they are discovered by other products.

Health care complexes and higher education campuses are their own cities with many moving parts. A brute force approach where you guarantee every unit has a proper level of security is unrealistic and very expensive, Mr. Miles said. He cited examples of organizations that in total have 335 separate security controls which they have to manage and comply with every day.

“If you can take that 335 down to 35 you cut out 90 per cent of security controls that are costly,” Mr. Miles said.

P2PE can quickly grow in popularity for one simple reason, Mr. Miles said.

“In the United States most terminals people bought have P2PE capability, but no one is telling the merchant about it.”