[Dataloss] Credit card security rules to get update

Richard Forno rforno at infowarrior.org
Mon May 15 22:51:51 EDT 2006


Credit card security rules to get update

By Joris Evers
http://news.com.com/Credit+card+security+rules+to+get+update/2100-1029_3-6072594.html

Story last modified Mon May 15 18:45:15 PDT 2006

SAN FRANCISCO--Proposed new security rules for credit card-accepting
businesses will put more scrutiny on software, but let them off the hook on
encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due
this summer, responds to evolving attacks as well as to challenges some
businesses have with the encryption of consumer data, Tom Maxwell, director
of e-Business and Emerging Technologies at MasterCard International, said
here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment
software for vulnerabilities, Maxwell said in a presentation at a security
conference hosted by vulnerability management specialist Qualys. Currently,
merchants are required to validate only that there are no security holes in
their network. "There is an increase in application level attacks," Maxwell
said.

While security stands to benefit from a broader vulnerability scan, another
proposed change to the security rules may hurt security of consumer data,
critics said. The new version of PCI will offer merchants more alternatives
to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is
stored," Maxwell said. But this encryption requirement is causing merchants so
much difficulty that the credit card companies are struggling to handle the
volume of requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other
types of security technology, such as additional firewalls and access
controls, Maxwell said. "There will be more acceptable compensating and
mitigating controls," he said.

While PCI is good in principle, relaxing encryption requirements is not,
said Paul Simmonds, a representative of the Jericho Forum, a group of
companies that promote open security technologies. "It basically means that
if you hack the system, you get the data," he said. "I can't think of a good
alternative for encryption."

The challenge with encryption is that older payment systems were not built
to support the scrambling technology, said Qualys CEO Philippe Courtot.
"Encryption is the ultimate measure of security, but the current
applications have not been designed with encryption in mind," Courtot said.

The PCI security standard was developed by MasterCard and Visa and went into
effect last year. It aims to reduce the risk of an attack by mandating the
proper use of firewalls, message encryption, computer access controls and
antivirus software. It also requires frequent security audits and network
monitoring, and forbids the use of default passwords. Retailers that don't
comply may face penalties, including fines.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
