Payment card security compliance a moving target with additional requirements on the horizon

By Ellen Messmer, NetworkWorld.com
September 18, 2007 06:34 PM ET
With deadlines looming this year for the biggest credit-card merchants and service providers to prove compliance with the Payment Card Industry Data Security Standard (PCI DSS), businesses are under the gun, sometimes spending hundreds of thousands of dollars to accomplish that goal. But PCI compliance is a moving target, and more standards for next year are in sight.

The PCI Security Standards Council last year issued a set of 12 security requirements, PCI DSS 1.1 (known by insiders as the "digital dozen"), for protecting card data. The requirements include encryption of cardholder data as well as more general enterprise requirements such as using antivirus software, deploying application-layer firewalls, and conducting periodic vulnerability assessments. Some businesses face deadlines of this month or year-end to comply, or else face fines or higher rates levied by Visa, MasterCard and the banks that are pushing the standard as the industry's answer to protecting against card fraud.

But even as businesses struggle to make their networks and business processes available for inspection by any of the 70 or so “qualified security assessors” (QSAs) trained under the council’s program for evaluating PCI compliance, the prospect of additional security requirements is coming into view for next year.

The digital dozen of credit card compliance
Merchants must do the following to comply with the Payment Card Industry (PCI) Data Security Standard:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Forbid the use of vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

At the PCI Security Standards Council 2007 Community Meeting held this week in Toronto -- the first meeting of its kind to bring the council's membership and certified PCI security providers together -- the 300 or so attendees are getting a sneak peek at the new set of "best practices" guidelines for application security that the council intends to publish by year end.

"These will be guidelines for designing applications in a secure manner," says one attendee, Joe Lindstrom, senior director for professional services at Symantec. The security software vendor is a QSA accredited by the PCI Security Standards Council to perform on-site evaluations of businesses handling card-payment data, determining whether sensitive information is being processed and stored as defined by the PCI DSS 1.1 standard.
