Network World
Payment card security compliance a moving target with additional requirements on the horizon

By Ellen Messmer, NetworkWorld.com, 09/18/2007

With deadlines looming this year for the biggest credit-card merchants and service providers to prove compliance with the Payment Card Industry Data Security Standard (PCI DSS), businesses are under the gun, sometimes spending hundreds of thousands of dollars to accomplish that goal. But PCI compliance is a moving target, and more standards for next year are in sight.

The PCI Security Standards Council last year issued a set of 12 security requirements, PCI DSS 1.1 (known by insiders as the "digital dozen"), for protecting card data. The requirements include encryption of cardholder data as well as more general enterprise requirements to use antivirus software and application-layer firewalls and to conduct periodic vulnerability assessments. Some businesses face deadlines of this month or year-end to comply or face fines or higher rates levied by Visa, MasterCard and the banks that are pushing the standard as the industry’s answer to protecting against card fraud.

But even as businesses struggle to make their networks and business processes available for inspection by any of the 70 or so “qualified security assessors” (QSAs) trained under the council’s program for evaluating PCI compliance, the prospect of additional security requirements is coming into view for next year.

The digital dozen of credit card compliance
Merchants must employ the following to comply with the Payment Card Industry (PCI) Data Security Standard:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Forbid the use of vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test systems and processes.
12. Maintain a policy that addresses information security.

At the PCI Security Standards Council 2007 Community Meeting held this week in Toronto -- the first meeting of its kind to bring the council’s membership and certified PCI security providers together -- the 300 or so attendees are getting a sneak peek at the new set of “best practices” guidelines for application security that the council intends to publish by year end.

“These will be guidelines for designing applications in a secure manner,” says one attendee, Joe Lindstrom, senior director for professional services at Symantec. The security software vendor is a QSA accredited by the PCI Security Standards Council to perform on-site evaluations of businesses handling card-payment data to determine whether sensitive information is being appropriately processed or stored as defined by the PCI DSS 1.1 standard.

Comments (2)

RE: Payment card security compliance a moving target with additional requirements on the horizon
By Anonymous on September 21, 2007, 11:08 am

I noticed your change to defining acronyms at first use. This makes reading your articles much more pleasant. Thank you!

RE: Payment card security compliance a moving target with additi
By Brian McCarthy on February 23, 2008, 10:58 am

Home Run! This article is the real thing. Last year we completed 50 installations for some of Florida's largest retailers requiring PCI compliance. Sencilo can...