
Credit Card Giants Modify Security Specs

Payment Card Industry (PCI) authorities clarify merchant security standards, but experts aren't sure compliance will be much easier

The world's top credit card companies yesterday issued long-awaited revised security standards for their merchants, but some experts say they didn't really improve the situation much.

American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International issued Payment Card Industry (PCI) Data Security Standard 1.1, a revised set of compliance specifications that dictate requirements for the handling of credit card information.

The credit card giants also announced the formation of the PCI Security Standards Council LLC, a joint organization that will shepherd the compliance guidelines, develop a list of PCI-compliant vendors and products, and train auditors.

PCI, which includes specifications for both physical and logical security of credit card data, is required for all merchants who accept credit cards or store credit information. Merchants that don't comply could face fines as high as $500,000, or, in extreme cases, could have their ability to accept credit cards revoked.

PCI 1.0 was issued two years ago, and merchants were supposed to have achieved compliance by the deadline of June 30 of this year. However, only a fraction of the largest merchants so far have passed their PCI audits. (See Retailers Lag on Security Standard.)

Many merchants have been stymied by the complexity and stringency of the PCI guidelines, which contain some 175 requirements in 13 areas of security. Aside from mandating the implementation of encryption, firewalls, IDS, and anti-virus software, the standards outline specific requirements for storage of credit card data, employee access to that data, and even documentation and training. And PCI compliance is essentially "pass/fail" -- either merchants comply with all 175 requirements or they don't get certified.

Many merchants have been holding off on their PCI compliance initiatives in the hope that the revised standards, which were promised earlier this year, would be less rigid. Experts say the new guidelines are clearer about "compensating controls," which give merchants a bit more flexibility in how they deploy encryption and meet other PCI requirements.

"There has been a lot of confusion over the last year among merchants at all levels as to exactly what security measures and controls are needed to meet the standard -- especially around the best ways to encrypt sensitive data," says Jennifer Mack, director of product management at Cybertrust, which makes PCI compliance tools. "The lack of clarity left many companies struggling to meet compliance for the simple reason that they didn’t know where to start or what exactly was in scope. The updated standard is a strong step forward."

David Taylor, vice president of data security strategies at Protegrity and a former industry analyst, isn't so sure. "The new specs are definitely clearer, and that's great, but I think a lot of merchants were hoping that the new rules would make it easier to comply, and that didn't happen," he says.

Taylor notes that in order to qualify for "compensating controls" under PCI 1.1, a merchant would have to conduct a complete risk analysis: "Most haven't done that yet, and, if anything, that requirement makes it a little harder" to comply.

PCI auditors previously had hoped that PCI 1.1 would somehow divide the specifications between critical requirements -- such as the need for encryption and firewalls -- and best practices, such as thorough documentation and training. However, the new specs make no such distinction, which means that a single piece of documentation can still cause a merchant to fail an audit, even if it complies with the other 174 requirements in the PCI guidelines.

Taylor says the new PCI Security Standards Council is staffed well enough to maintain the standards, but not well enough to become an agent of enforcement. "If they are going to levy fines, they will need people to go out and verify non-compliance, and that takes staff," he says. "To me, a 'council' sounds more like an organizing body than an enforcing authority."

Many merchants that flouted the requirements in the first two years may continue to do little about compliance until the credit card vendors display more willingness to impose fines or revoke credit card processing capabilities, Taylor says. "I've had some Level 4 [smaller] merchants tell me they weren't going to do anything about compliance," he says. "Even some of the Level 2 [larger] merchants have done very little. We'll have to see if the new specs will get them to budge."

— Tim Wilson, Site Editor, Dark Reading
