"Through software-based encryption, you're performing encryption in memory, and that memory is highly susceptible to memory scraping," he said. "That is a vector of attack that has been used in almost every cardholder data breach of the last 18 months."
Hardware-based encryption, by comparison, puts the encryption mechanism -- and with it the plaintext data -- inside a hardware security module that self-destructs if tampered with.
"Bluefin stands firmly on the belief that only hardware-based encryption provides adequate controls to address the attack vectors prevalent in the industry today," he said.
Bluefin used to be on the other side, he added.
"When the PCI standard was first released, we had a software-based solution in place, and had to look at what PCI was recommending," he said. "We decided that the new standard represented better cardholder protection."
Two and a half years and several million dollars of investment later, Bluefin has replaced its software-based encryption with hardware.
"Ease of deployment is only a concern for encryption providers who fail to comply with the new standards and continue to use older technology to perform their encryption and decryption," said Pfanstiel.
Today there are over 160 validated devices that support hardware-based encryption, he said. "And the list grows every day."