Top Tier Merchants and the Challenge of Card Data Security

New insight into the issues posed by PCI and card number security for merchant category leaders provides guidance and cautions

For merchants, payment card security has two meanings. First, it means protecting payment card data from hackers. It also means getting out from under the threat of the high fines involved should a data breach happen. But thinking about PCI-related costs requires steps that balance cost against real data security and against the financial costs of a data breach. As security best practices demand layered defenses, the complexity of up-front decision making continues to rise.

Encryption, Tokenization and the Top Tier Merchant: A Progress Report on PCI, Deployment and the Cost of Payment Security is the latest report from Mercator Advisory Group on payment card security. An in-depth look at the card payment issues confronting large merchants in particular, the report addresses the complexities and pitfalls of PCI compliance in an era of changing and evolving security standards. The report concludes with a discussion of security pricing and what to expect from the next version of the PCI data security standard.

The Top Tier Merchants and the Challenge of Card Data Security report includes discussion of the following topics:

Security Technologies: EMV, Tokenization, and Encryption reviews these technologies and their roles in the US and beyond.

Security and Business Intelligence addresses the downside of outsourced security.

Large Merchant Guidelines and Lessons Learned

Vendor Landscape and Shifting Business Models.

Highlights of the report include:

Despite some expectations to the contrary, EMV is not a single “silver bullet” solution for PCI scope reduction or card number security in particular. While card number tokenization options have been available for nearly a decade, card number encryption techniques are only now ramping up in live operations.

Large merchants in particular face daunting complexity when choosing PCI scope reduction techniques. Thorough planning is required that includes close coordination with all internal stakeholders as well as external vendors and processing providers.

PCI DSS 1.3, the next version due out this year, will provide greater guidance on EMV, encryption and tokenization but is hardly prescriptive due, in no small measure, to the complexities of securing enterprise-scale payment systems.

Global payment security efforts are shifting geographies with EMV under close consideration for the USA and PCI DSS mandates heading to Europe and other markets.

"Payment card security concerns, and the sharp stick that is PCI compliance, will drive merchant and processor security decisions for years to come," George Peabody, Director of Mercator Advisory Group's Emerging Technologies Advisory Service and principal analyst on the report, comments. "For the largest merchants, that decision-making process is especially complex as the number of moving parts, both within the enterprise and across its vendor borders, makes planning crucial. This report provides guidance based on card number encryption and tokenization deployments."

Companies mentioned in the report include: SecureWorks, Fifth Third Processing Solutions, Heartland Payment Systems, First Data, Voltage Security, Braintree Payment Systems, Adyen, MerchantLink, Shift4, Electronic Payment Exchange, CyberSource, ProPay, Planet Payments, nuBridges, RSA, VeriFone Systems, Semtek, Thales, MagTek, Visa, MasterCard, AMEX, Discover, UN Federal Credit Union.

One of the 5 Exhibits included in this report:

This report contains 28 pages and 4 exhibits.

Members of Mercator Advisory Group have access to this report as well as upcoming research for the year, presentations, analyst access and other membership benefits.

Please visit us online at

For more information, please call Mercator Advisory Group's main line: 781-419-1700 or send email to