For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
Merchants Face Deadline for Data Safety
or
Other Security Stories
|
|
|
|
April 25, 2005 (Computerworld) -- Companies that manage credit card information have just over a month to comply with new data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc. amid growing concerns about identity theft and fraud.
The Payment Card Industry Data Security Standard, or PCI, lists 12 items that retailers, online merchants, data processors and other businesses that handle credit card data will have to start meeting by June 1. The standard sets technology requirements such as the use of data encryption, end-user access control, and activity monitoring and logging. It also includes procedural mandates such as the need to implement formal security policies and vulnerability management programs.
The standard also requires companies to validate their compliance via a PCI-certified assessor either annually or quarterly, depending on their transaction levels. Banks that issue credit cards will be responsible for ensuring that companies comply with PCI and could face up to $500,000 in fines per incident if data is compromised.
The PCI standard aligns and builds on the separate security requirements that both MasterCard and Visa had prior to December 2004, said John Verdeschi, MasterCard's vice president of e-business and emerging technologies. It's designed to offer a common approach for protecting credit card data across both brands, he said.
Other card companies, including American Express Co. and Diners Club International Ltd., have also endorsed the PCI standard, he added.
Complex Requirements
"The good part about the program is that it provides good guidelines and standards of conduct," said Todd Mazurek, vice president of strategic planning at Tickets.com Inc., a Costa Mesa, Calif.-based provider of ticketing services for live events.
But complying with some of the PCI provisions could be difficult for midsize and small merchants, Mazurek warned. One example is the requirement that merchants record and keep track of all activity involving access to information about cardholders.
"That's a lot of information that you need to track," Mazurek said. "Doing that in a manner that doesn't impact your responsiveness is somewhat tricky."
OshKosh B'Gosh Co. is working with the vendor of its point-of-sale software to bring approximately 600 POS systems in 170 stores into compliance with PCI, said Jon Dell'Antonia, CIO at the Oshkosh, Wis.-based clothing retailer.
"It really involves what data you capture and forward when you scan a credit card in stores," Dell'Antonia said. The company is also evaluating what other changes it needs to make to comply fully with the standard, he added.
Jelly Belly Candy Co. is doing a similar evaluation of its Web site operations to see what compliance-related issues it might need to address, said Gary Praegitzer, a security specialist at the Fairfield, Calif.-based candy maker.
"It's a good thing to have a list of things to check off to see if we are following guidelines," Praegitzer said. He added that Jelly Belly is using Qualys Inc., its vulnerability assessment service provider, to scan and audit the site. Redwood Shores, Calif.-based Qualys offers a MasterCard-certified testing process that features self-service compliance assessment and reporting.
The PCI requirements reflect an effort to staunch the growing costs associated with credit card fraud and security-related card replacements, said Michael Dahn, a senior adviser at Ambiron LLC, a Chicago-based provider of security services for the payment processing industry.
For example, companies will need to encrypt or otherwise mask credit card information that may be stored on POS systems, Dahn said. Currently, many retailers store credit card information on such systems for periods of up to a month for backup or settlement reasons, he noted.
Under PCI, it would be an "egregious violation," subject to steep fines, for companies to store unencrypted credit card data on POS systems, Dahn said.
The Digital Dozen
VISA AND MASTERCARD'S NEW DATA-PROTECTION RULES
BUILD AND MAINTAIN A SECURE NETWORK
Install and maintain a firewall configuration to protect data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
PROTECT CARDHOLDER DATA
Safeguard stored data.
Encrypt transmission of cardholder data and sensitive information across public networks.
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Use and regularly update antivirus software.
Develop and maintain secure systems and applications.
IMPLEMENT STRONG ACCESS-CONTROL MEASURES
Restrict access to data by business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to data about cardholders.
REGULARLY MONITOR AND TEST NETWORK SECURITY
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
INFORM EMPLOYEES ABOUT SECURITY POLICIES
Maintain a policy that addresses information security.
Source: Visa U.S.A. Inc.
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Google gives away home-cooked Web application security scanner
- HP eyes move of support facilities out of Colorado Springs
- Microsoft trumpets security additions in upcoming IE8
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecurityStripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected. Click here to read the latest column by Jon Espenschied |
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
