Despite Target data breach, PCI security standard remains solid, chief says
Russo said the PCI Security Council is open to making changes to the standards if they are identified as necessary. For instance, the council is reviewing its recommendations around data encryption, he said.
Currently, the PCI standard only requires encryption for data at rest, but not while the data is in transit along the transaction chain. The council recommends that retailers and others in the payment industry adopt a more comprehensive point-to-point encryption approach, although it is not a requirement.
According to Russo, point-to-point encryption is one of the issues the council will look at in the coming months. The council is also looking at approaches like tokenization for protecting cardholder data, he said. With tokenization, card data is substituted with a random string of numbers so even if the data is compromised, it holds no value for data thieves.
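The tokenization approach described above, as an added example that is not from the article or the PCI Council: a toy vault swaps the card number (PAN) for a random token, so everything downstream of the vault stores only the token. `luhn_ok`, `TokenVault` and the sample PAN are constructed for illustration.

```python
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization vault (constructed for illustration).

    The vault is the only component that ever sees the real PAN; systems
    downstream store the token, which is worthless to a thief because it is
    random and can be resolved back to the PAN only by the vault."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a well-formed PAN")
        if digits in self._token_by_pan:  # same card -> same token
            return self._token_by_pan[digits]
        while True:
            # Random body, last four digits preserved for receipts and lookups.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject tokens that could pass for a real card number, or that collide.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, under its own access controls, maps a token back."""
        return self._pan_by_token[token]
```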
Broad adoption of the Europay MasterCard Visa (EMV) smartcard standard could also enhance debit and credit card security, Russo said.
The recent breaches have fueled fresh calls for adoption of the standard in the U.S., which remains the only major country in the world not to have moved to it already. Visa and MasterCard have both said they will move over to EMV by the end of next year.
But as with every other aspect of payment card security, the EMV standard is just one piece, Russo said. Though EMV is widely touted as being better than magnetic stripe card technology, it would not have prevented the Target data compromise, he said. It would only have limited how the stolen card data could be used, not stopped it, he said.
One area where the council has received feedback from stakeholders is on the consistency of the PCI compliance assessment process, Russo said. In response, the council enhanced testing to ensure that assessments are done in a more consistent and standardized manner.
"Additionally, throughout the standards, we've built in more education around the intent of the requirements so that those implementing the standards in their organization have more information regarding the goal of the controls and how they need to be implemented," he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.