Recent Changes to the Payment Card Industry Data Security Standard

Earlier this month, the PCI Security Standards Council announced version 1.1 of the Payment Card Industry Data Security Standard (PCI DSS). It is a bit challenging to find a description of the changes from the original version, at least on the “official” sites. However, there have been some fairly informative articles in industry publications that address some of these points.

In an article in InfoWorld entitled Card Industry Targets App Security, Paul F. Roberts highlights how the new standard focuses on application security, especially as it relates to track data (the contents of a card's magnetic stripe). Citing an analyst at Gartner, Mr. Roberts writes that track data “is valuable to hackers and identity thieves because it can be used to make counterfeit cards.” Martin Elliott, director of corporate risk and compliance at Visa, also spoke with Mr. Roberts about the risks related to track data, and Mr. Roberts writes, “In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the merchant unprotected while giving the merchant a misplaced sense of security.” Mr. Roberts has exposed the myth that a packaged application is secure by default. Visa has published its Payment Application Best Practices to address these security concerns, as well as a List of CISP-Validated Payment Applications.

Another article, published in Transaction World under the title What’s Next With PCI Compliance, also addresses the Payment Application Best Practices. Its author points out how the credit card companies have imposed tighter restrictions even on lower-volume merchants, stating that “POS developers as well as smaller and mid-size merchants are now under scrutiny.”

Certainly, by imposing the tighter standards on payment applications and smaller merchants, Visa and MasterCard are forcing these organizations to spend drastically more on PCI compliance. However, with the proliferation of hacking, the entire payment network is only as strong as its weakest link, so even these holes must be plugged. As an alternative, these organizations, especially merchants, should investigate their options for outsourcing their payment processing to a certified PCI-compliant service provider, which may offer substantial savings versus the costs of self-compliance.