CardSystems breach renews focus on data security

A new data protection standard goes into effect next week

The massive scope of the security breach at CardSystems Solutions Inc. is sure to result in an increased focus on upcoming data-protection requirements being pushed by MasterCard International Inc. and Visa U.S.A. Inc., analysts said today.

The standard is called the Payment Card Industry Data Security Standard, or PCI, and it goes into effect on June 30.

It lists 12 items that all retailers, online merchants, data processors and other businesses that handle credit card data will have to meet, and it sets technology mandates, including requirements that data encryption, end-user access control and activity monitoring and logging systems be used. PCI also includes procedural mandates, such as one requiring the implementation of formal security policies and vulnerability management programs.

Late Friday, MasterCard announced that a hacker was able to access as many as 40 million credit card numbers by infiltrating CardSystems Solutions' network (see Security breach may have exposed 40M credit cards). The Tucson, Ariz.-based company processes payment data for MasterCard and other companies. MasterCard said it had notified banks that issue its credit cards about the breach. Those banks will be responsible for notifying customers..

The size of the breach is bound to result in a tougher enforcement of the new rules, said Michael Petitti, a senior vice president at Ambiron Trustwave, a Chicago-based provider of security services for the credit card industry. "The PCI standard is germane to every entity that handles cardholder information, regardless of where they are in the value chain," Petitti said.

Achieving and maintaining compliance with the rules -- which are already in effect for large companies -- will become an absolute must, Petitti said.

"The card associations are very serious about this and have been very good about communicating their requirements," he said. "You are sure to see more attention because of incidents like these."

"This is likely to be a seminal event," said Ted Julian, vice president of product management at Application Security Inc. in New York. "With PCI, I think we will see an emphasis that goes beyond fines," he said. "Over time, we will start to see credit card associations get more tough about how they implement these things."

Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn., said the high publicity given to recent data breaches has been spurred in part by California's disclosure law. That law mandates the reporting of data breaches so customers can better protect and defend themselves against their personal information being stolen.

"I think the thing that's going on is the credit card industry has been asleep at the wheel here and is not enforcing their own standards," Litan said. PCI includes strong requirements for network intrusion detection, regularly scheduled testing, file integrity monitoring systems and more, she said.

Dan Keldsen, a security analyst at Delphi Group in Boston, said the latest incident could finally force a shift in corporate attitudes and bring about real changes in data security methods.

"There's an awful lot of pantless corporations out there" after a recent string of data breach incidents involving Bank of America Corp., ChoicePoint Inc., the University of California at Berkeley and others, Keldsen said. "I guess it's going to get worse before it gets better, because there's really no hiding it anymore."

Copyright © 2005 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon