Payment-card security standards for wireless and Web applications debated

The PCI Security Standards Council -- which represents Visa, MasterCard, American Express and Discover -- anticipates expanding requirements for next year that could relate to wireless use as well as Web-application security.

By Ellen Messmer, Network World, 10/24/2007

Payment-card security rules that keep customer credit and debit card information from falling into the wrong hands are becoming a contentious issue as debate over anticipated Payment Card Industry (PCI) standards and their impact heats up.

In addition to the dozen rules for network security that make up today's PCI Data Security Standard 1.1, the PCI Security Standards Council -- which represents Visa, MasterCard, American Express and Discover -- anticipates expanding requirements next year that could relate to wireless use as well as Web-application security.

The Council's general manager, Bob Russo, said this week that the organization is devising new standards for how to design and evaluate any Web-facing business applications used for credit-card processing, as well as security rules for wireless.

But a final decision is still pending, he said, since there's growing resistance to new requirements among payment-card handlers, many of whom have not yet achieved official compliance with the existing PCI standards. He noted that the Council doesn't enforce PCI compliance; that is the job of the card associations and the banks.

The big concern now is that card-processing applications can be hacked, and "we're looking into the best way to handle the application security," said Russo, adding that he anticipates a decision on this in about a month. A decision to go forward may mean that applications used to process credit cards would have to be evaluated and approved by a list of certified evaluators.

One change to the PCI security rules that is certain is the release, before year-end, of a new "Self-Assessment Questionnaire" for PCI that merchants handling payment-card data will be expected to fill out when requested by their banks as part of the PCI compliance process.

"Today, it's one-size-fits-all, but going forward we'll have four different versions based on the merchant's business," said Russo. "For instance, if they're small and just doing dial-up, there's no need for them to answer 200 questions; we'll just have 30 or 40 questions."

The PCI Security Standards Council also intends to establish new PIN Entry Device (PED) requirements in an effort to combine the various equipment-security programs administered separately today by the card associations MasterCard International, Visa International and JCB. Russo said that by year-end the Council's Web site will likely carry a list of approved PED equipment.
