[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Experts fret over credit card compliance


By John Leyden
27th September 2007

Efforts by the credit card industry to boost merchant security are 
likely to flounder unless tighter regulations are accompanied by 
punishments against transgressors.

The Payment Card Industry Data Security Standard (PCI DSS) methodology 
aims to improve the security of cardholder data among banks, service 
providers and the merchant community. The standard is more prescriptive 
and detailed than earlier regulatory regimes (such as Sarbannes-Oxley) 
but still leaves plenty of room for interpretation.

Merchants and service providers need to validate compliance against an 
audit by a qualified assessor.

But there are major holes in the process of becoming compliant, and even 
greater challenges in staying compliant as networks are evolving, 
according to panelists discussing the issue at the NetEvents technology 
summit in Malta on Thursday. Hundreds of qualified assessors are 
attempting to audit hundreds of thousands of merchants, creating a 
potential gap in the system.

Neil Hartsell, VP of product marketing at TippingPoint, said that 
although the high profile credit card security beach at TJX has stolen 
the headlines problems at small merchants also present a severe risk. 
For example the link between a card swiping device and a PC in a small 
store is often unencrypted, even though the date is encrypted after it 
leaves the computer. A keystroke logger planted on such machines 
therefore presents a sever security risk.

"The problem is that small shops don't know PCI DSS exists and, if they 
do, they don't take the process seriously enough... SMEs are not able to 
make these kinds of decisions which ought to be the responsibility of 

Michael Bacon, head of information security at Xchanging, said small 
merchants using self-assessment will be tempted to just tick boxes 
saying they had set up a firewall or secured their network. Part of the 
problem is that assessors act more like consultants than health 
inspectors. "At the end of the day nothing will happen unless you take 
away their accreditation," Bacon said.

Bacon criticised SOX compliance as a "wasted effort" from a security 
perspective because it failed to outline tactics for achieving strategic 
directions. PCI DSS is better because it outlines best practice, such as 
using a firewall and a secure wireless LAN, but doesn't go far enough, 
according to Bacon. "It's all very well saying users need to run a class 
of product but products need to be certified. There's no one agency to 
certify security products," he added.

Bob Walder, chief scientist of NSS Labs, said that many merchants wonder 
why they should invest in PCI DSS compliance when it does little to help 
them sell more products.

CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com