Computerworld

Credit card data security standard goes into effect

But there are concerns about its implementation

Jaikumar Vijayan
 

June 30, 2005 (Computerworld)

The Payment Card Industry (PCI) data security standard being pushed by MasterCard International Inc. and Visa U.S.A. Inc. went into effect today for all merchants handling credit card data, but concerns remain about its implementation and compliance validation.
Under PCI, all companies that accept credit cards are required to comply with 12 security-related requirements that call for, among other things, encrypted transmission of cardholder data, periodic network scans, logical and physical access controls, activity monitoring and logging.
PCI also includes procedural mandates. For example, it requires companies to implement formal security policies and vulnerability management programs. The standard unifies two previously separate sets of requirements -- Visa's Cardholder Information Security Program and MasterCard's Site Data Protection program.
Acquiring banks, which grant merchants the approval they need to accept credit cards, are responsible for ensuring that merchants are compliant with PCI, and they could face up to $500,000 in fines per incident if data is compromised.
While the PCI standard incorporates sound security practices, there are several issues that still need to be addressed, analysts said.
One big shortcoming is that for a majority of the companies, compliance validation is based on self-assessments rather than third-party audits, said Ivan Remsik, an analyst at Cambridge, Mass.-based Forrester Research Inc. Only the largest merchants -- those processing over 6 million MasterCard or Visa transactions a year -- are required to submit to formal PCI compliance audits involving formally trained security specialists, Remsik said.
All others just have to answer 75 yes-or-no self-assessment questions that are difficult to review quickly or analyze for inconsistencies, Remsik said.
As a result, service providers with similar information risk profiles but small differences in transaction volumes are subject to very different compliance requirements, he said.
"Security is not something that can be assessed in 20 to 30 minutes with a self-assessment questionnaire. My view is that it would be very difficult to determine whether a merchant is telling the truth or not" without additional controls, Remsik said.
An even bigger issue is the fact that acquiring banks can do little to monitor compliance with PCI requirements, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.
"There are some really good security principles in PCI. The problem is that acquiring banks are in way over their heads when it comes to implementation," Litan said. They are not equipped to monitor compliance and are likely to have little understanding of PCI's requirements or mitigating controls, she said.
In a May online survey of about 3,500 small, midsize and large companies by Stamford, Conn.-based database security vendor Protegrity Inc., more than half of the 150 respondents said that they didn't fully understand PCI requirements and would fail an audit.
The credit card associations themselves have been vague on several aspects, Litan said. For instance, PCI provides for mitigating controls (the standard's own term is compensating controls) in case a company can't meet encryption requirements or upgrade to certain technologies. But the details on how to implement those controls, and how an assessor should judge whether they are adequate, are not easily available, she said. Similarly, there is no clear understanding of how and when penalties will be assessed.
"There are so many questions that our clients want answered, but there's no one to answer them," she said. "You just can't plunk down a security standard and simply walk away."
There are other ambiguities. For instance, because the 6 million-transaction threshold is applied to each card brand's volume separately, a merchant that processes 2 million MasterCard transactions and 3 million Visa transactions annually may have the same compliance requirements as a much smaller company, said Michael Petitti, a senior vice president at Ambiron Trustwave, a Chicago-based provider of security services for the credit card industry.
"PCI is a very good foundation for data security for any environment. It's been a very good effort up to this point. It's what happens from today that's important," he said.
MasterCard and Visa did not respond to requests for comment.