Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network.
This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.
Onsite PCI assessments are not cheap. First make certain that you have to comply with the onsite assessment requirement.
Although all of the major card brands are partners in PCI-DSS the number of transactions are counted by individual card brand.
For example, a merchant that processes 2 million credit card transactions will not necessarily be a Level 2 retailer. What matters for purposes of this requirement is the number of MasterCard transactions. You may have 800,000 MasterCard transactions, 600,000 Visa transactions, and 600,000 transactions with American Express.
Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit cards payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.
Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.
What is PCI?
Erlin: “PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”
How does PCI compliance affect my ecommerce business?
Erlin: “If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”
“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”
Where can I learn more about PCI?
Erlin: “The PCI Security Standards Council is the authoritative source for information. You can find their website at http://www.pcisecuritystandards.org. You can also look to the card brands themselves for additional information.”
My annual sales are very small. Do I still have to comply with PCI?
Erlin: “Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”
How do I know if my ecommerce business is PCI compliant?
Erlin: “Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.”
“If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.”
What happens if my business is not PCI compliant?
Erlin: “If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.”
If my business is PCI compliant, does it reduce my insurance liability?
Erlin: “Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.”
Will PCI compliance reduce my business’s merchant account fees?
Erlin: “This isn’t generally the case. In fact, it can increase the cost. Merchant account providers have to demonstrate their own PCI compliance, and they can and have passed that cost onto their customers.”
Where can I find a list of shopping carts and hosts that are PCI compliant?
Erlin: “Unfortunately, there is no single list of compliant shopping carts, hosts or other providers. However, because PCI compliance is a basic requirement for accepting credit card payments, all of the most common hosted shopping carts are PCI compliant. Choose the shopping cart that has the features and functions you need, then validate that their service is PCI compliant.”
It’s a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it’s hard to argue with PCI Security Standards Council General Manager Bob Russo’s assertion that when it comes to improving electronic data security and related matters of individual privacy, “something is much better than nothing.”
Since the massive, potentially record-breaking security breach at Heartland Data Systems in late January, the Payment Card Industry Security Standards Council and its DSS Data Security Standard have been put under a microscope and criticized for foisting on companies an impractical IT security mandate that detractors say does not actually meet its goal of making it harder for companies that handle credit and debit card data to be fleeced similarly to Heartland.
Some highly respected security researchers and practitioners have come out since the Heartland robbery and questioned the viability of the entire DSS effort, perceived as being out of touch with real-world IT environments and insufficient to help organizations avoid exploitation. A handful have gone as far as saying it actually makes the process even harder.
And after all, here’s a Tier 1 company that’s likely had to push to abide by the technological and process-oriented stipulations required under the PCI Standard as much and as long as any other, and it just got positively hammered.
However, visiting Boston on a media tour organized to share some new elements of the PCI Council’s larger plans the week of Feb. 23, Russo and new PCI Security Standards Council Chairman Lib de Veyra — an executive at and appointee of JCB International Credit Card — made a lot of credible points. Mostly, because they firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.
Not to be misinterpreted, the PCI Council is satisfied with what it’s put in place thus far, given the challenge at hand, Russo and de Veyra said.
The parts of DSS that need to be tweaked to address the vast diversity of infrastructure and applications employed by all the retailers, merchants and processors, as well as all the techniques utilized by attackers, will be addressed by taking feedback directly from the very companies that must comply with the standard, the PCI Council representatives said. And truthfully that has been at the very least a consistent message of the organization all along.
A number of powerful banking, retail, technology and government players are also involved in the PCI Advisory Board.
And the Heartland incident, as well as those reported at other companies that have been at some time certified as PCI compliant, including TJX Companies and Hannaford Brothers, in no way proves that the standard is clearly lacking in some specific area, they said.
The PCI leaders said in addition to having not yet shared specific details with the Council of exactly how they were individually victimized by fraudsters, the fact that these companies were at one time judged to be in conformity with DSS in no way guarantees that they were at the time they were attacked.
“Just because a company gets a clean bill of health today doesn’t mean they can’t be infected tomorrow,” de Veyra said. “Organizations are making configuration changes and broadening adoption of technologies like wireless all the time; the guidelines in DSS are something that you have to continue to monitor and maintain all the time.”
And many of the Council’s initiatives, including plans to launch two new standards aimed at improving embedded security features, or “host security modules,” built into card data transaction processing hardware, and regulations for UPTs (unattended payment terminals) such as gas pumps and ticketing kiosks, will help push the entire industrywide process forward, they said.
The PCI Security Standards Council will also continue to push DSS overseas, in Europe and APAC specifically, where the guideline has faced some resistance from card handlers. But the effort launched by the world’s largest card companies — American Express, Discover, JCB, MasterCard and VISA – remains undaunted in its pursuit, PCI’s chief spokespeople said.
“Addressing the criticism comes down to communication; once we have enough information from companies like Heartland to truly examine what happened, we can understand how it relates to DSS,” de Veyra said. “And working with all the companies on our Advisory Board, meeting with them and incorporating their feedback over time, will be the most important aspect of maturing the standards.”
Another new element of DSS will be a technological tool, a sort of stripped-down PCI diagnostic application provided by the Council to offer organizations still getting started with the standard a more “prioritized approach to DSS.”
The Prioritized Approach tool will help companies track their ability to meet basic milestones of achieving compliance with DSS, the representatives said. The first three steps — preventing the improper storage of electronic data, securing the network perimeter and securing applications — have obviously been proven hard to accomplish for many organizations, and some might argue most or even all.
But most importantly, the idea is to promote gradual coalescence of a world where every company affected by the PCI mandate has at least greatly augmented and formalized its approach to, if not its execution of, securing electronic data, the leaders said.
“No standard is ever going to completely stop what we’re seeing right now with cyber-crime, but the reaction we’ve seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don’t even know if they were compliant,” Russo said.
In terms of whether incidents like the breaches at Heartland, TJX and Hannaford Brothers have damaged public perceptions of DSS, the industry veteran said, as in any case, there is no shortage of opinions.
“You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn’t working,” Russo said. “But what you don’t know at the same time is, If we didn’t have DSS as it stands in place, how many more of these incidents might we have had?”
I’m sure that there are valid criticisms of various aspects of PCI — some very smart people have spent time voicing their questions already.
But, I’m curious to know whether they’d agree at the end of the day that something is better than nothing.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
A new survey shows 44 percent of the wireless devices used by retailers are vulnerable to attacks by data thieves. And that’s the good news. A year ago, the same Motorola survey showed 85 percent of retailers were sitting targets for drive-by data attacks. New PCI standards phasing out Wireless Equivalent Protocol–the weakest form of encryption this side of no encryption at all–may hold the key to improved retailer wireless security.
The good news: A new survey shows retailers are beefing up their wireless security. The bad news: The same survey shows 44 percent of the wireless devices used by retailers are sitting targets for data thieves, suffering from weak encryption, data leakage, misconfigured access points and outdated access point firmware.
While that 44 percent number may seem shockingly high, Richard Rushing of Motorola’s Enterprise Mobility unit points to last year’s results that found 85 percent of retailers’ wireless devices were begging to be compromised.
“Retailers nationwide are improving wireless security, as quantified by the significant drop in vulnerable wireless devices that were discovered during this year’s monitoring efforts,” said Rushing, Motorola’s senior director of information security for mobile devices. “However, a significant majority of retailers are still susceptible to a network intrusion—a sign that wireless security remains an afterthought for many.”
The Motorola survey conducted by Rushing included a review of wireless data security at more than 4,000 stores in some of the world’s busiest shopping cities, including Atlanta; Boston; Chicago; Los Angeles; New York; San Francisco; London; Paris; Seoul, South Korea; and Sydney, Australia. While 68 percent of the sites were using some form of encryption for their laptops, mobile computers and bar-code scanners, 25 percent of those were still using outdated WEP (Wired Equivalent Protocol) deployments, the weakest protocol for wireless data encryption.
Click here for a glossary of wireless security terms.
Altogether, Motorola discovered almost 8,000 APs, with 22 percent of them misconfigured. Another 10 percent of the AP’s SSIDs (Service Set Identifiers) were poorly named, which makes it relatively easy for potential data thieves to zero in on the store’s identity. More than 32 percent of retailers had unencrypted data leakage, while 34 percent had encrypted data leakage.
“As wireless exploded over the last few years, retailers had a bunch of devices that connected to the [store’s] network,” Rushing said. “Then, you didn’t have people who knew both wireless and security. The security model is just coming into play the last two to three years.”
Rushing said one of the more overlooked security issues with large retailers is the cookie-cutter approach to wireless technology. By using the same technology, configuration, security and/or naming conventions at all retail locations, vulnerabilities repeat themselves across the entire store chain, rendering them susceptible to attacks.
“The bad guys had a huge head start,” Rushing said. “We’ve caught up with them, but we’re not necessarily ahead of them.”
Helping the retailers play catch-up are companies like Motorola and Aruba Networks. Both have recently introduced wireless enterprise security product lines that store, process, transmit and protect wireless data, including credit card information.
Also pushing the retailers to greater wireless security is the Payment Card Industry council, which issues requirements for security management, policies and procedures. With PCI members including VISA, American Express, Discover Financial Services and MasterCard Worldwide, the council leverages the standards to force retailers to improve their wireless security.
If a breach happens, retailers not deploying PCI security standards run the risk of losing the ability of processing customers’ credit and debit cards or incurring fines or restrictions on the use of customers’ cards. Both Motorola’s and Aruba’s enterprise wireless security systems are PCI-compliant.
Included in the PCI’s newest standards is a prohibition against new WEP deployments in the Cardholder Data Environment beyond March 31, 2009, and a requirement of the elimination of WEP from the CDE beyond June 30, 2010.
“Retailers are moving away from WEP more and more,” Rushing said. “Things are now moving in a different direction. It’s all becoming more mature. You have to deploy layered secured security.”
Still, 44 percent of retailers’ wireless devices are susceptible to unwelcome intrusions.
“If you’ve looked at wireless as long as I have, the shock goes away,” Rushing said. “It’s certainly better than it was, but, in my opinion, it’s a wonder there haven’t been more data thefts.”
IGT Awarded The First PCI DSS 1.2 Certification
Submitted by newsdesk on Mon, 12/22/2008 – 19:42
IGT, a pioneer and global leader in travel technologies and services received the coveted PCI DSS 1.2 certification from leading PCI DSS QSAC, ControlCase. IGT is the first Travel BPO Organization to become PCI DSS 1.2 compliant. It has successfully met the newest version of the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. ControlCase conducted a meticulous audit process of IGT’s security measures used in protecting e-commerce customers and their data involving travel transactions.
ControlCase awarded IGT with the PCI DSS 1.2 compliance rating after IGT met the 259 Requirements (grouped into 12 broad categories) that make up the control objectives. Data security continues to be a concern for customers making payments over the internet. IGT supports millions of travel transactions annually and enables consumers to make travel purchases in a highly secure manner both online and remotely. The PCI DSS 1.2 certification demonstrates IGT’s continued commitment to the protection and security of our B2C and B2B customer’s account data throughout the transaction process.
Vipul Doshi, CEO, IGT, stated “Our clients rely heavily on credit cards with more than 2/3rds of travel transactions occurring over the internet, it’s imperative that we maintain the highest standard of information security. Receiving the PCI DSS 1.2 further demonstrates our commitment to protecting our client’s and their customers.”
Internet security and personal information continues to be a top priority and concern of individuals transacting over the world wide web. Credit card companies impose hefty fines on companies not meeting PCI compliance requirements. Some reports indicate nearly one trillion dollars per year is spent on travel, and more than 2/3rds of those sales occur with credit cards. That coupled with the travel industry racking up more sales on the internet than any other industry and you have a recipe for serious credit card fraud, the very reason PCI DSS was implemented.
Mohit Magon, Vice President – Business Excellence stated “Achievement of PCI DSS 1.2 compliance reinforces our continuous commitment to the highest level of security standards. As an organization our people are committed to achieve excellence in whatever we do. Our proactive approach to comply with PCI DSS 1.2 standard is a testimony to our responsiveness towards the ever changing business environment and customer needs.”
IGT is the first Travel BPO company to achieve the recently updated version of the PCI DSS. Suresh Dadlani, COO, ControlCase stated “We are pleased to have worked closely with IGT on PCI DSS 1.2 certification. The compliances to the requirements of the standard are quite technically intensive and do not provide any scope for compromises. The achievement of PCI DSS 1.2 Certification in a short period of time was only possible due to the commitment at all levels and the technical competencies demonstrated by the team.”
IGT remains committed to meeting the highest security standards applicable in the information technology industry. With more than 1/3rd of the world’s travel transactions relying on IGT, its good to know your data is protected with IGT.
InterGlobe Technologies (IGT) provides services and solutions to corporations worldwide in the areas of Business Process Outsourcing (BPO) and Information Technology (IT). IGT’s gamut of offerings spread across the entire technology spectrum. With some 2000 global employees operating in facilities located in India, North America and Europe, InterGlobe was ranked by The Great Place To Work Institute as the best travel company of India. In 2008, Deloitte and Touche recognized IGT as one of the fastest growing companies in India and The Black Book of Outsourcing ranked IGT as one of the top 5 Travel BPO companies in the world. www.igt.in
About PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a world-wide benchmark mandated by credit card companies for the protection of card holder’s identity and transaction information. It prevents credit card fraud, hacking and various other security vulnerabilities and threats. The standard was developed by major card brands including American Express, Discover Financial Services, JCB International, Master Card Worldwide and Visa International.
A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.
Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users’ authentication cookies, which are used to validate American Express customers after they enter their login credentials. Depending on how the website is designed, miscreants could use the cookies to access customer account sections, said Russ McRee of the Holistic Security blog. A URL demonstrating this weakness is here.
McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.
“I believe they have an obligation to respond, even if it’s brief and callous,” McRee told El Reg. “You don’t have to be polite. Just fix it.”
American Express proudly proclaims itself as a founding member of the PCI Security Standards Council, the group that forges the rules governing the Payment Card Industry. McRee says PCI’s Data Security Standards expressly hold that XSS errors are a violation of those rules, so Amex’s inaction carries a fair amount of irony.
XSS vulnerabilities are by far the most common class of security flaw affecting websites. They allow attackers to inject their own malicious code and graphics into trusted websites. In the process, they can siphon cookies, passwords, and other input supplied by users or create convincing spoof sites that show the target website’ URL in the user’s address bar. XSS vulnerabilities are generally quick and easy to fix.
On Monday, the XSSed blog reported three XSS bugs in Facebook, and within hours, they appeared to have been squashed. After sitting on a separate XSS flaw for four months, the social networking site exorcised it last week after The Register reported it here.
The NoScript add-on for the Firefox browser does an admirable job fending off XSS bugs. The upcoming version of Internet Explorer 8, which is now in beta, also sports some impressive anti-XSS features.
The Amex XSS vulnerability is the result of a lack of input validation in a get request using the q parameter. In addition to exposing users’ cookies, it allows allows attackers an easy way to create counterfeit pages for phishing and to inject malicious code using an iframe. Proofs of concept for those exploits are here and here.
We emailed Amex representatives and asked them if the company has a procedure for people to report XSS errors and other flaws that compromise their PCI compliance. A spokesman called back to say the company is looking in to McRee’s report. We’ll be sure to update this story when we get the results. ®
Less than an hour after this story was posted, Amex closed the hole. Fortunately, McRee has documented it in this video. No word yet from the company on procedures for reporting vulnerabilities.
As Christmas shoppers spend away and data breaches keep hitting the headlines, the Payment Card Industry’s security council is charged with keeping customer’s data safe.
By Miya Knights, 12 Dec 2008 at 11:14
The Payment Card Industry Data Security Standard (PCI DSS) and the global forum formed to administer it, the PCI Security Standards Council (PCI SSC), pre-dated the biggest security breaches that have come to mark a new era of unprecedented cyber criminal activity.
Since card operators Visa, MasterCard, American Express, Discovery and JCB aligned their individual data security policies and created PCI DSS in 2004, the likes of TK Maxx, Cotton Traders and numerous government departments have proven the need for such regulation.
But the PCI DSS has risen up the corporate agenda ever since the threat of fines and losing the ability to process credit cards was introduced with a June 2007 deadline for those found to be non-compliant.
The standard is intended to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. And the PCI council is charged with regulating PCI DSS and communicating its importance to any organisation handling credit card data anywhere in the world.
IT PRO spoke to PCI SSC general manager, Bob Russo about the challenges faced in raising the data security agenda.
IT PRO: 2007 was big year for PCI DSS, with the passing of the payment card operators’ final deadline for compliance. What’s been going on this year?
Russo: It’s been just as busy. We released version 1.2 of the standard in October. Just prior to its release, we had our North America community meeting, which attracted 625 attendants and actually included quite a few representatives from Europe. There were a couple of days’ good debate about the development of the standard, given that we’re in a two-year cycle.
Next year will be a feedback year on how the implementation of version 1.2 has gone. And we also talked about our new QA [quality assessor] programme and got a lot of feedback on that, having kicked it off in October to maintain the quality of PCI assessments as well.
Then we had our first European meeting in Brussels with well over 200 people attending. I would say there is a lot more uptake in Europe on the standard. In fact, they are running, not walking, to comply. Reaction to the new version was good. It doesn’t really contain any surprises, but instead includes a lot of clarifications, so organisations looking to stay up to date don’t have to go back to square one to remain compliant.
It’s interesting that you observe organisations are ‘running’ to be compliant. How do you propose they keep up if, as you say, the standard is on a two-year development cycle?
My guess is that the next release in 2010 will be a 2.0. But there are a couple of things we’re doing to make sure it develops in line with the capabilities of our stakeholders. Starting in January, we’re launching research into how the standard’s specification should embody emerging technologies, like end-to-end encryption, virtualisation and secure payment tokens, that might come outside of its scope, making it easier to comply.
The study that the council is commissioning will also look into making the standard more robust and will be a major piece of what version 2.0 will be. It will help determine what can be added to or deleted from the standard to take account of new systems’ functionality, as well as how any revision might impact that new functionality.
For example, there are specific sections in the standard that sets out how credit data is to be stored. But it has to be decided that if the data being stored in a certain way, using particular technologies, whether they would be sufficient to deal with the threats to its security.
We also introduced the Payment Application (PA) DSS. And before the end of the year, we’ll be releasing two additional controls to the existing PED [PIN entry device] standard around unattended payment terminals and hardware or software host security modules.
Having had the opportunity to get feedback on the current release of the standard from merchants and card payment companies, what have been the areas that have attracted the most debate?
I wouldn’t say we’ve had any debate, so much as clarifications, as version 1.2 sought to do, along with the combination and simplification of some of the forms that have to be completed. There were some clarifications on timings and on what security components are in or outside of its scope, such routers and firewalls. But any organisation handling sensitive data has to use the security features of both. And the standard applies just as much to paper media as it does to electronic media, as another example.
Another area that was discussed was the fact that a lot of merchants have gone down the WEP security route for their wireless networks. But events at TJX and other companies have proven WEP password security is not as secure as it used to be and so we’ve set a deadline of 31 March 2009, after which there should be no new installations of WEP security. And by June 2010, there should be no WEP installations at all.
Well, I’m sure you can imagine that there were a few that weren’t too happy about that, especially as a lot of major merchants have spent a lot of time and money on their wireless networks. But even they, perhaps grudgingly, understand that WPA and WPA2 wireless security standards are far stronger. And the deadlines for transition should give everybody enough time to get ready.
So, if you are finding overall agreement over the specifications of the standard, how easy has it been to get businesses to take the threat of non-compliance seriously?
Lots of companies I meet that are getting compliant are trying to deal with not having any security standards in place at all. They are using PCI DSS as springboard to get security on the business agenda.
And in the largest, Tier 1 retailers, they have been using legacy systems that were installed 10 to 15 years ago. You have to remember that, what was available in security terms, was quite a bit less than is available now. Retrofitting these security technologies is a very delicate thing to do and costs quite a bit, and perhaps even more so in making sure it doesn’t cause any problems to the business.
This is reflected by the fact we’re looking at developing the qualified assessor programme to be a first line of support for merchants. This is exactly what the PCI council wants, why we train them and why we’ve introduced a process of remediation for assessors as well.
As for the threat of fines, I can’t comment on that as the card brands are in charge of that side of regulation. Thankfully, it hasn’t come to that. But merchants are beginning to understand that the potential damage to their brand if they are involved in a security breach could far outweigh the cost of a fine. And they are realising compliance is becoming a differentiator – that consumers can feel safer shopping with them.
How do you see the progress of PCI DSS efforts in Europe going specifically?
Europe is a little more boisterous that the US, but then it is further along in implementing the EMV chip. That’s succeeded in lowering fraud at the counter with chip and PIN. But that’s also basically succeeded in moving fraud over to CNP (card-not-present) transactions. I also think they’re not shy in addressing any issues they are facing in complying with the standard.
Generally, I think European merchants have also done a lot more work on developing their transactional systems. Within the study I mentioned that we’re launching, we’re calling the EMV chip an emerging technology. But then you guys in Europe are using it every day. I remember back in the beginning of the roll out of PCI DSS, I heard merchants in the UK saying that they’d already jumped through hoops to become compliant with chip and PIN and done stuff to make their systems more secure that we hadn’t in the US. And that’s great, but the security issues are still there. One new technology doesn’t solve the issue. And it’s just one example that reflects the work that needs to be done to make sure the standard is as robust as possible.
You’ve mentioned a major study that the council is launching in the New Year. How will it be conducted and what will it involve?
I can’t say too much about its methodology as the study is now in RFP [request-for-proposal] stage, so its scope may change. But suffice as to say, it will very strongly focus on those emerging technologies I mentioned earlier to see how they affect, or don’t affect the scope of the standard.
Visa announced a global compliance program for the card industry’s key security standard. But many issues remain, including unclear European deadlines and the treatment of merchants that have chip card processing in place.
On 10 November 2008, Visa announced new global standards for compliance with the Payment Card Industry Data Security Standard (PCI DSS) designed to create a consistent worldwide framework for compliance by merchants, service providers and others. The new standards include a global set of requirements for merchants accepting Visa payments to validate compliance with PCI DSS, deadlines for the largest merchants to achieve validation, and deadlines for large and mid-level merchants to demonstrate that they are not storing certain types of sensitive card data. The new deadlines and processes do not, however, apply to European merchants and service providers.
The Visa announcement provides some much-needed clarification for the PCI DSS compliance and validation process for some merchants and service providers outside the United States. Visa merchants and service levels are aligned across most world regions, and deadlines and requirements have been set for demonstrating PCI DSS compliance. Nonetheless, several critical PCI DSS questions remain:
Moreover, many of the affected merchants and processors in the different global regions (including Latin America and Asia) — unlike their counterparts in the United States — have already spent considerable sums upgrading their infrastructure to support card brand mandates to roll out chip and personal identification number (PIN) cards. These same companies must now begin the often-costly PCI compliance process. Merchants Gartner has consulted believe they should be granted some type of compensation (in the form of reduced PCI compliance requirements or extended deadlines) for their chip and PIN support. Visa has indicated that some limited compensation is available to the largest European (Level 1) retailers, whose acquirers may, at their discretion, recategorize them to Level 2 if they have successfully deployed Europay, MasterCard and Visa (EMV) Chip and PIN, and EMV chip cards are encoded with iCVV (card verification value for integrated circuit cards).
Merchants and service providers:
All card brands: