An international payments processing executive has maintained that a recent set of changes from the PCI Security Standards Council should help merchants better protect their payment data from hackers.

In an interview with CU Times, Robert Martin, the vice president for security solutions at the Paris, France-based Ingenico Group, praised the Security Standards Council's changes to the rules that oversee the encryption of payment card data when a merchant wants to validate that encryption as part of its data protection effort.

The Wakefield, Mass.-based PCI Security Standards Council sets standards for different areas of the PCI DSS, and Martin stated its previous standard for PCI-validated encryption had acted as “a brake on its spread.”

Unlike the PCI data standard itself, which is mandatory for any merchants or processors that want to accept card payments, encrypting card data throughout the payment process has not been mandatory. However, Martin said although there is no requirement to encrypt data, every major merchant processor that he knew of had begun to use point-to-point encryption for its payment data.

“Everyone recognizes that this is what they have to do,” Martin said. “Point-to-point encryption is the only way to reduce the value of stolen card payment data to zero.”

Martin – who holds a PhD in physics, developed a patent for a payment terminal diagnostic system and has years of experience developing data security systems – credited the retail industry's move to encryption to both the recognition of its necessity and the rise of available technology.

“Every point of sale terminal released over the last five years or so has, effectively, become a cryptographic device,” he said, adding that this makes the move much easier and less expensive. However, the switch to completely PCI-validated encryption has been a challenge, Martin said.

PCI-validated encryption spread slowly, Martin explained, because the previous rules made it very difficult for third-party vendors to validate their encryption programs against the PCI standard while, at the same time, requiring merchants to use one of those vendors for the decryption part of the process if they wanted a PCI-validated system.

In other words, while a retailer could rely on the PCI-validated POS terminal to handle the initial encryption of the payment data, the rules said the retailer had to use a PCI-validated third-party system for the decryption of that data – it could not use its own decryption process or system, even if that process or system utilized PCI-validated equipment and systems.

Having PCI-validated encryption both gives the retailer a break on some of the PCI compliance audit requirements and guarantees the firm is using the gold standard of data protection, Martin said.

“It's not that non-PCI-validated encryption was bad, not at all,” Martin said. “But PCI-validated encryption is the gold standard. The first was good, but this is better.”

Martin explained that PCI-validated encryption solutions have been validated every step of the way – during manufacturing, storage, sale, shipping and deployment – to ensure nothing sinister could have taken place to compromise the components.

The update allowed encryption providers to offer their solutions as PCI-validated components rather than entire systems, Martin explained. Now, because encryption providers don't have to validate their entire systems against PCI, it is likely that many more of them will be available for retailers who are looking to upgrade to PCI-validated encryption.

Martin said he understood the concerns and skepticism about PCI DSS among some credit unions, particularly those that have seen their card fraud losses rise in the wake of this year's wave of breaches. However, he maintained his faith in encryption as the only true solution to the payment security problem, arguing that the payment system would still need to use encryption after cards equipped with EMV chips dominate the market.

“We have seen that EMV-equipped cards are very effective against counterfeit card fraud,” Martin said. “But that just meant they have forced fraud onto the Internet and into card-not-present transactions.”

If hackers get data from EMV-equipped cards, that data will still be vulnerable to fraud at websites, he pointed out, and thus still valuable to thieves.

“Using EMV chips will reduce the value of card data to fraudsters, but it won't eliminate it,” Martin said. “It will not take that value to zero. Only encrypting the data so they can't use it will take that value to zero.”
