Tokens and encryption to save PCI-DSS?


The PCI data security standard, or PCI-DSS, is pretty much a fact of life for many firms. Since its inception, there has been loads of debate about how effective PCI-DSS really is. There's also been a lot of debate about what constitutes "evidence of noncompliance." While it will never be a standard that can guarantee the safety of critical data and despite its recent public flogging, I think most would agree that we are better off with it. It's not going away anytime soon.

Indeed, we may be at a turning point. We've spoken about end-to-end encryption and tokenization in the past. It's fair to say some people are hopeful that this can take PCI-DSS to new levels of security and user confidence. We're likely to see more encrypted readers in the market and more comfort with tokens being used as proxies for actual card data. Information Week offers 5 tips for evaluating token and encryption vendors:

  • Depth of knowledge: Ensure the vendor can demonstrate its products adhere to PCI guidelines.
  • Level of commitment: You could end up locked into the payment processor that provides your encryption or tokenization service. Can you live with that?
  • Hard trumps soft: Systems that encrypt card data at the point of swipe using a hardware module are superior to point-of-sale terminals that perform encryption using only software.
  • Ask for assurance: There are many potential points of failure: shoddy key management, places in the processing chain where encrypted data is decrypted and re-encrypted, and caches of clear-text card data outside your boundaries. Get audit results.
  • Don't get complacent: Adopting end-to-end encryption and tokenization won't magically make you PCI compliant. Any business process that demands card data in the clear should raise a red flag.
