A revamping of security standards is being prepared by the major payment card issuers and is expected to be announced within the next 60 days.
“[MasterCard, along] with other payment brands including American Express, Discover, JCB and Visa, are currently considering potential recommended updates to the PCI Data Security Standard based on feedback provided by industry stakeholders,” MasterCard Global Technology Communications Vice President Christina Rae told the E-Commerce Times.
The PCI (Payment Card Industry) standard was adopted by the card issuers about a year ago to set guidelines for the secure handling of credit card information by merchants and service providers.
“A date for release of a revised standard has not yet been determined,” Rae said. “However, there are no plans to make any of the PCI Data Security Standard requirements less robust.”
There have been discussions among standards setters about reducing the strength of encryption recommended in the existing guidelines, according to Chris Farrow, director of the policy and compliance division for Configuresoft in Colorado Springs, Colo.
“That’s a huge issue for personal information,” he told the E-Commerce Times.
Although watering down encryption standards may not be a good idea from a security standpoint, it may have compliance benefits. Weaker encryption may be easier to handle for small- and medium-sized businesses, Farrow noted.
If the card issuers can get more businesses to adopt the standards, then compliance — which, according to Aaron Biddar, president of Control Scan in Atlanta, has been, at best, tepid — may improve.
The latest compliance numbers from MasterCard for all levels of merchants were about 40 percent, Biddar said, adding that those figures are “probably a stretch.”
Compliance Without Compromise
Application of the existing standards is based on merchant levels. There are four merchant levels ranging from the very large — level one merchants process more than six million transactions annually — to the very small — level four merchants process fewer than 20,000 transactions a year.
“PCI compliance is not a government mandate,” Biddar explained. “It’s a private mandate. One of the problems you have is that people are slow to adopt it, but they’re starting to feel pressure from the banks.”
“Any future enhancements to the [PCI] standard are intended to foster broad compliance without compromising the underlying security requirement of the current standard,” MasterCard’s Rae noted.
More Teeth Than SOX
If the payment card providers want to encourage compliance, Farrow said they should add some incentives to the standards.
If a company suffers a security breach and it isn’t complying with security standards, Farrow said, it can be hit with big dollar fines and loss of its authorization to process credit card payments.
“PCI has more teeth behind it than something like a Sarbanes-Oxley or HIPAA because no one is going to go without their ability to accept credit cards as payment,” Farrow contended.
More Carrot, Less Stick
Still, better ways need to be pursued to persuade people to comply with the standards, Farrow argued.
“Right now, it’s a stick mentality,” he maintained. “You will comply or we’ll hit you with a big stick.
“What they need to do is start thinking more like insurance companies,” he suggested.
Automotive insurance companies, for example, offer rewards for good behavior, Farrow said. Similar rewards could be issued to merchants for complying with the standards.
Keeping Pace With Poachers
The changes in the standards are expected to address some issues that have developed since the guidelines were adopted — issues such as phishing, pharming and spyware, said Farrow.
“The initial round of PCI tests were developed two or three years ago, and in those two or three years, things such as SQL injection have come out and are not being tested for by a lot of companies,” observed Control Scan’s Biddar.
The new rules are also expected to extend their breadth in the application level threat assessment area.
“Some application scanning is done now, but it’s not done on custom applications,” Amer Deeba, vice president for strategic development for Qualys in Redwood Shores, Calif., told the E-Commerce Times.
Those kinds of changes could increase the cost to businesses for compliance, he reasoned.
“Right now, you can do almost everything in an automated way,” Deeba said. “Once you go to the level of custom application scanning, it might require consultants to do the work and new tools to address the problems.”
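The SQL injection gap Biddar describes, and the custom-application testing Deeba says automated scanners skip, come down to a check like the one below. This is an added example written for this page, not code from the article, ControlScan or Qualys. It assumes a hypothetical merchant order-lookup function backed by an in-memory SQLite table with constructed sample rows (customer name, last four digits of the card, amount, no real card data), and shows the string-concatenated query beside its parameterized replacement together with a small probe of the kind an application test would run against each: a lone quote that breaks the statement's syntax, and a tautology that widens the result set beyond the baseline.

```python
import sqlite3

# Constructed sample data for the demonstration: no real cardholder data,
# only the last four digits, which PCI permits a merchant to retain.
SAMPLE_ORDERS = [
    ("alice", "1111", 19.99),
    ("bob", "2222", 250.00),
    ("carol", "3333", 5.25),
]


def build_db():
    """Create an in-memory orders table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, "
        "pan_last4 TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, pan_last4, amount) VALUES (?, ?, ?)",
        SAMPLE_ORDERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """The pattern a scanner of off-the-shelf software never sees: user input
    spliced straight into the SQL text, so a quote in `customer` ends the
    string literal and the rest of the input becomes SQL."""
    sql = "SELECT customer, pan_last4 FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    """Parameterized query: the driver sends the value separately from the
    statement, so the input is only ever compared, never parsed as SQL."""
    return conn.execute(
        "SELECT customer, pan_last4 FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def is_injectable(lookup, conn, known_value="alice"):
    """Probe a lookup function the way an application-level test would.

    Two signals, either of which indicates the input reaches the SQL parser:
      1. a trailing quote makes the database raise a syntax error;
      2. a tautology payload returns more rows than the known value alone.
    """
    baseline = lookup(conn, known_value)

    # Signal 1: does a lone quote break the statement?
    try:
        lookup(conn, known_value + "'")
    except sqlite3.Error:
        quote_breaks_query = True
    else:
        quote_breaks_query = False

    # Signal 2: does a tautology widen the result set?
    tautology = known_value + "' OR '1'='1"
    try:
        widened = len(lookup(conn, tautology)) > len(baseline)
    except sqlite3.Error:
        widened = False

    return quote_breaks_query or widened


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterized", lookup_safe)):
        verdict = "INJECTABLE" if is_injectable(fn, db) else "not injectable"
        print(f"{name:14s}: {verdict}")
```

Against the concatenated version the tautology payload returns every row in the table and the lone quote raises a database error; against the parameterized version both payloads are simply compared as literal customer names and return nothing, so the probe reports it clean. The same two signals transfer to an HTTP test of a custom application, where the error and the row count are read from the response rather than from the driver.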