Credit card data security standard goes into effect
But there are concerns about its implementation
Computerworld - The Payment Card Industry (PCI) data security standard being pushed by MasterCard International Inc. and Visa U.S.A. Inc. went into effect today for all merchants handling credit card data, but concerns remain about its implementation and compliance validation.
Under PCI, all companies that accept credit cards are required to comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging.
PCI also includes procedural mandates. For example, it requires companies to implement formal security policies and vulnerability management programs. The standard unifies two previously separate sets of requirements -- Visa's Cardholder Information Security Program and MasterCard's Site Data Protection program.
Acquiring banks, which grant merchants the approval they need to accept credit cards, are responsible for ensuring that merchants are compliant with PCI, and they could face up to $500,000 in fines per incident if data is compromised.
While the PCI standard incorporates sound security practices, there are several issues that still need to be addressed, analysts said,
One big shortcoming is that for a majority of the companies, compliance validation is based on self-assessments rather than third-party audits, said Ivan Remsik, an analyst at Cambridge, Mass.-based Forrester Research Inc. Only the largest merchants -- those processing over 6 million MasterCard or Visa transactions a year -- are required to submit to formal PCI compliance audits involving formally trained security specialists, Remsik said.
All others just have to answer 75 yes-or-no self-assessment questions that are difficult to review quickly or analyze for inconsistencies, Remsik said.
As a result, service providers with similar information risk profiles but small differences in transaction volumes are subject to very different compliance requirements, he said.
"Security is not something that can be assessed in 20 to 30 minutes with a self-assessment questionnaire. My view is that it would be very difficult to determine whether a merchant is telling the truth or not" without additional controls, Remsik said.
An even bigger issue is the fact that acquiring banks can do little to monitor compliance with PCI requirements, said Avivah Litan an analyst at Gartner Inc. in Stamford Conn.
"There are some really good security principles in PCI. The problem is that acquiring banks are in way over their heads when it comes to implementation," Litan said. They are not equipped to monitor compliance and are likely to have little understanding of PCI's requirements or mitigating controls, she said.
In a May online survey of about 3,500, small, midsize and large companies by Stamford, Conn.-based database security vendor Protegrity Inc., more
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
Enhance Your Virtualization Infrastructure With IBM and Vmware
Date: Wednesday, May 14, 2014, 1:00 PM EDT
Virtualization technology is now expanding beyond the server compute elements to encompass networking and storage...
All Privacy White Papers |
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!