PCI aims for inclusiveness
23rd April 2007
The PCI Security Standards Council is throwing open the doors to its hundreds of participating companies, asking for feedback on how its credit card security standards should evolve.
The organization's recently appointed general manager, Bob Russo, said in an interview that PCI does not want to be seen as a draconian group setting standards and fining those that disobey.
PCI SSC is steered by the big five credit card companies - Mastercard, Visa, Discover, American Express and JCB - but it has over 200 participating organizations.
Russo said that the group will hold a community meeting around September this year. Before then, all these organizations will get a chance to provide feedback on the PCI standards.
Two criticisms Russo says he hears repeatedly are that the PCI standards are hard to implement and that they are a moving target.
"They're not hard to comply with," he said. "But they are a moving target. If they were not, what good would they be? The threats evolve over time."
The PCI Data Security Standard is a document of 12 requirements that, for example, requires stored card numbers to be rendered unreadable (by truncation, hashing or encryption) and masked when displayed, firewalls and antivirus to be deployed, and access to cardholder data to be restricted to those who need it.
On the roadmap is the possibility of integrating Visa's Payment Application Best Practices (PABP), a set of guidelines on how payment-processing software should be securely coded, with the DSS. PCI is in the process of acquiring the rights to Visa's intellectual property in PABP.
PCI is also taking another standard, PED (PIN Entry Device), under its wing. As the name suggests, the guidelines cover the hardware used to enter secret numbers, and mandate, among other things, that the PINs must not be stored on the devices.
The DSS standards are enforced under individual contracts between merchants and the PCI's member card companies. Merchants need to hire assessors (not as stringent as "auditors", according to Russo) to check whether they are compliant.
The recent data heist at TJX, a major international retailer, brought the importance of card data security onto the front pages again. TJX had 45.7 million card numbers stolen and stands to lose millions of dollars in fines and lawsuit settlements.
Malicious hackers were able to infiltrate TJX's payment systems and lurk, stealing data, for well over a year. Card transaction data was sent over the wire in the clear, making it easy to tap. The intruders also obtained the keys used to encrypt stored data, so encryption at rest did not protect it either.
To Russo, this just shows the need for PCI compliance. "If they had been compliant, then this would not have happened," he said. He noted that TJX was also storing "back of the card" data, used in "card not present" purchases, when it really didn't need to.
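The requirements described above (masking card numbers for display, rendering them unreadable when stored, and not keeping "back of the card" or track data after authorisation) and the two failures at TJX (cardholder data in the clear and encryption keys reachable by the attacker) can be illustrated in code. The following is an added example written for this page; it is not PCI SSC, Visa or TJX code. The record, log line and fingerprint key are constructed for the example, and the key constant stands in for a key that in practice is held in a key-management system or HSM, away from the database that stores the fingerprints. The scanner goes slightly beyond the text: it looks for any Luhn-valid 13 to 19 digit number in free text, which is how one would check logs or packet captures for card numbers transmitted in the clear.

```python
"""PAN handling along the lines PCI DSS requires: validate, mask for display,
render unreadable for storage with a keyed hash, drop sensitive authentication
data after authorisation, and scan text for card numbers left in the clear."""
import hashlib
import hmac
import re

# Fields PCI DSS forbids storing after authorisation (sensitive authentication
# data): full magnetic-stripe track data, the card verification code and PINs.
SENSITIVE_AUTH_FIELDS = ("cvv2", "track1", "track2", "pin_block")

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: an authorisation record as a point-of-sale terminal might
# hand it to the store back end. 4111111111111111 is a standard test PAN.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "expiry": "1209",
    "cvv2": "123",
    "track2": "4111111111111111=12091011234567890",
    "amount": "42.17",
    "auth_code": "A1B2C3",
}
# Assumption: stands in for a key kept in an HSM or key server, never in the
# same database as the fingerprints it protects.
SAMPLE_KEY = b"example-key-keep-in-hsm-not-here"
# Constructed sample log line with a card number written in the clear.
SAMPLE_LOG = "2007-04-23 12:00:01 POS-17 auth ok pan=4111111111111111 amt=42.17"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check-digit test used by all major card brands."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, rest masked."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN for matching repeat customers.

    An unkeyed hash is not enough: with the six-digit BIN known, only about
    ten digits are unknown, so plain SHA-256 of a PAN is brute-forceable.
    The key must be stored apart from the fingerprints it protects."""
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Strip an authorised transaction down to what may be kept on disk."""
    if not luhn_valid(record["pan"]):
        raise ValueError("refusing to store record with invalid PAN")
    stored = {k: v for k, v in record.items()
              if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(record["pan"])
    stored["pan_fingerprint"] = pan_fingerprint(record["pan"], key)
    return stored


def find_clear_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in cleartext (logs, captures)."""
    return [m.group(0) for m in _PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
    print(find_clear_pans(SAMPLE_LOG))
```

The Luhn filter in the scanner cuts false positives from timestamps and order numbers but does not eliminate them, so hits still need a human look; conversely, a scanner like this run over TJX's network captures or application logs would have flagged the cleartext transmissions long before an attacker did.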
The hack has cost TJX $5m in forensic auditing services so far, but many estimates put the final cost of the breach much higher, possibly over a billion dollars.
Russo thinks it will be much higher too, when fines from credit card companies and the cost of defending and/or settling class action lawsuits are tallied in.