Credit card data security standard goes into effect
But there are concerns about its implementation
Computerworld - The Payment Card Industry (PCI) data security standard being pushed by MasterCard International Inc. and Visa U.S.A. Inc. went into effect today for all merchants handling credit card data, but concerns remain about its implementation and compliance validation.
Under PCI, all companies that accept credit cards are required to comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging.
PCI also includes procedural mandates. For example, it requires companies to implement formal security policies and vulnerability management programs. The standard unifies two previously separate sets of requirements -- Visa's Cardholder Information Security Program and MasterCard's Site Data Protection program.
Acquiring banks, which grant merchants the approval they need to accept credit cards, are responsible for ensuring that merchants are compliant with PCI, and they could face up to $500,000 in fines per incident if data is compromised.
While the PCI standard incorporates sound security practices, there are several issues that still need to be addressed, analysts said,
One big shortcoming is that for a majority of the companies, compliance validation is based on self-assessments rather than third-party audits, said Ivan Remsik, an analyst at Cambridge, Mass.-based Forrester Research Inc. Only the largest merchants -- those processing over 6 million MasterCard or Visa transactions a year -- are required to submit to formal PCI compliance audits involving formally trained security specialists, Remsik said.
All others just have to answer 75 yes-or-no self-assessment questions that are difficult to review quickly or analyze for inconsistencies, Remsik said.
As a result, service providers with similar information risk profiles but small differences in transaction volumes are subject to very different compliance requirements, he said.
"Security is not something that can be assessed in 20 to 30 minutes with a self-assessment questionnaire. My view is that it would be very difficult to determine whether a merchant is telling the truth or not" without additional controls, Remsik said.
An even bigger issue is the fact that acquiring banks can do little to monitor compliance with PCI requirements, said Avivah Litan an analyst at Gartner Inc. in Stamford Conn.
"There are some really good security principles in PCI. The problem is that acquiring banks are in way over their heads when it comes to implementation," Litan said. They are not equipped to monitor compliance and are likely to have little understanding of PCI's requirements or mitigating controls, she said.
In a May online survey of about 3,500, small, midsize and large companies by Stamford, Conn.-based database security vendor Protegrity Inc., more
- Improving IT Efficiencies: Four Advantages of Multi-Tenant Data Centers Increasing demands on IT are forcing organizations to rethink their data center options. For many organizations, that means turning to the flexibility afforded...
- Accelerating Cloud Deployment and Operations with Managed Services Companies that do not have sufficient in-house expertise to either deploy or maintain an IaaS cloud should turn to Managed Service Providers .
- Rethinking IT Operations in the Cloud This paper breaks down the challenges that often prevent the cloud from delivering the fast, flexible and affordable infrastructure companies seek - and...
- Gartner Magic Quadrant for Cloud-Enabled Managed Hosting, North America Cloud-enabled managed hosting brings cloudlike consumption and provisioning attributes to the traditional managed hosting market
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!