Credit card data security standard goes into effect
But there are concerns about its implementation
Computerworld - The Payment Card Industry (PCI) data security standard being pushed by MasterCard International Inc. and Visa U.S.A. Inc. went into effect today for all merchants handling credit card data, but concerns remain about its implementation and compliance validation.
Under PCI, all companies that accept credit cards are required to comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging.
PCI also includes procedural mandates. For example, it requires companies to implement formal security policies and vulnerability management programs. The standard unifies two previously separate sets of requirements -- Visa's Cardholder Information Security Program and MasterCard's Site Data Protection program.
Acquiring banks, which grant merchants the approval they need to accept credit cards, are responsible for ensuring that merchants are compliant with PCI, and they could face up to $500,000 in fines per incident if data is compromised.
While the PCI standard incorporates sound security practices, there are several issues that still need to be addressed, analysts said,
One big shortcoming is that for a majority of the companies, compliance validation is based on self-assessments rather than third-party audits, said Ivan Remsik, an analyst at Cambridge, Mass.-based Forrester Research Inc. Only the largest merchants -- those processing over 6 million MasterCard or Visa transactions a year -- are required to submit to formal PCI compliance audits involving formally trained security specialists, Remsik said.
All others just have to answer 75 yes-or-no self-assessment questions that are difficult to review quickly or analyze for inconsistencies, Remsik said.
As a result, service providers with similar information risk profiles but small differences in transaction volumes are subject to very different compliance requirements, he said.
"Security is not something that can be assessed in 20 to 30 minutes with a self-assessment questionnaire. My view is that it would be very difficult to determine whether a merchant is telling the truth or not" without additional controls, Remsik said.
An even bigger issue is the fact that acquiring banks can do little to monitor compliance with PCI requirements, said Avivah Litan an analyst at Gartner Inc. in Stamford Conn.
"There are some really good security principles in PCI. The problem is that acquiring banks are in way over their heads when it comes to implementation," Litan said. They are not equipped to monitor compliance and are likely to have little understanding of PCI's requirements or mitigating controls, she said.
In a May online survey of about 3,500, small, midsize and large companies by Stamford, Conn.-based database security vendor Protegrity Inc., more
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts