Payment Card Industry Data Security Standards Expected to Evolve Based on Continued Data Breaches

Thales and Ponemon Institute Reveal Research Study Identifying Key Areas and Predictions on Changes to Security Standards Enabling Auditors to Start to Prepare for October 2010 Announcement

InfoSecurity Europe, London UK, Weston, Florida – April 27, 2010 (AllPayNews) –  Thales (Paris: HO), leader in information systems and communications security, today announced the results of a research study about the upcoming version of the Payment Card Industry Data Security Standards (PCI DSS). This new set of standards is expected to be released in October 2010 by the PCI Security Standards Council. Based on surveys with 155 Qualified Security Assessors (QSAs), the following trends and key findings were identified:

- Encryption is one of the most effective means for achieving compliance but questions arise on how to treat encrypted data in audits. It is believed that clarifications will be issued on the use of encryption and key management.

- 41% of those surveyed believed tokenization will be included in the update as the technology to use to increase cardholder data security and reduce cost of compliance.

- Tier 1 merchants are paying $122,000 more on average than Tier 2 merchants to do the same QSA assessments.

The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available in this newly released report, sponsored by Thales entitled: PCI DSS Tends 2010: QSA Business Report. The report can be downloaded atwww.thalesgroup.com/iss

“Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity,” says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.

Our Device 3DES and End to

End DUKPT Encrypts

the Data at the Maghead

In addition to clarification about encryption and key management, the survey revealed that QSAs expect tokenization to be the new technology most likely included in the PCI DSS update. In 2009, The PCI Security Council commissioned a PricewaterhouseCoopers study to examine whether four emerging technologies showed potential to enhance data security and reduce compliance costs: tokenization, end-to-end encryption, virtual terminals and card management solutions. “41 percent of QSAs believe tokenization is the most likely of these technologies to be addressed in the PCI update, while 28 percent said end-to-end encryption is the most likely, 13 percent said virtual terminals and 9 percent said magnetic stripe imaging,” continued Ponemon. “Only 11 percent of QSAs believe that none of the technologies considered will be included in the PCI DSS updates.”

The research also revealed that on average, Tier 1 merchants pay about $122,000 more than Tier 2 merchants for QSA assessments. As uncovered in the previously issued QSA Insights Report, the average cost of an annual QSA audit—the fees paid to QSAs for assessment services—for Tier 1 merchants is about $225,000. The complete research results reveal that an annual assessment for Tier 2 merchants averages $103,000 and for Tier 1 service providers, such as large payment processors, the average cost of an annual on-site QSA assessment is $204,000.

“Complying with PCI DSS requirements is a great first step toward protecting cardholder information, but as new threats emerge and attacks become more sophisticated, it is important that PCI DSS and the technologies used to safeguard data evolve as well,” says Franck Greverie, Vice President for the information technology security activities of Thales. “By offering merchants insight into the new requirements likely to be included in the PCI DSS update and the current solutions in the marketplace to address these risks, this survey enables organizations to deploy the necessary technologies before the update is issued to give them a head start to enhance compliance efforts and, most importantly, better protect sensitive cardholder data.”

Dr Larry Ponemon of the Ponemon Institute, Tim Holman, QSA and Chief Technology Officer at Blackfoot UK, and Bryta Schulz of Thales will discuss the results of this survey at InfoSecurity Europe (27-29 April 2010, Earls Court, London) in a panel discussion entitled “Wrestling with PCI DSS Compliance - A Unique Look at Achieving Compliance From An Auditors' Perspective” (Tuesday, 27 April at 11:00 a.m.). Thales is available at Stand F35 at InfoSecurity Europe to provide additional information about the survey and to discuss other issues relating to your security needs. Attendees can also pickup their free copy of the new book, PCI Cardholder Data Protection for Dummies.

Visit our digital media centres www.keymanagementinsights.com and www.paymentssecurity.com for industry issues and comment.

Notes to editors

The Information Technology Security activities of Thales

Thales e-Security is a leading global provider of data encryption solutions to the financial services, high technology manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the United Kingdom. For more information, visit www.thalesgroup.com/iss.

About The Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About Thales

Thales is a global technology leader for the Aerospace and Space, Defence, Security and Transportation markets. In 2009, the company generated revenues of 12.9 billion euros with 68,000 employees in 50 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com