Credit Card Giants Modify Security Specs

Payment Card Industry (PCI) authorities clarify merchant security standards, but experts aren't sure compliance will be much easier

The world's top credit card companies yesterday issued long-awaited revised security standards for their merchants, but some experts say they didn't really improve the situation much.

American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International issued Payment Card Industry (PCI) Data Security Standard 1.1, a revised set of compliance specifications that dictate requirements for the handling of credit card information.

The credit card giants also announced the formation of the PCI Security Standards Council LLC, a joint organization that will shepherd the compliance guidelines, develop a list of PCI-compliant vendors and products, and train auditors.

PCI, which includes specifications for both physical and logical security of credit card data, is required for all merchants who accept credit cards or store credit information. Merchants that don't comply could face fines as high as $500,000, or, in extreme cases, could have their ability to accept credit cards revoked.

PCI 1.0 was issued two years ago, and merchants were supposed to have achieved compliance by the deadline of June 30 of this year. However, only a fraction of the largest merchants so far have passed their PCI audits. (See Retailers Lag on Security Standard.)

Many merchants have been stymied by the complexity and stringency of the PCI guidelines, which contain some 175 requirements in 13 areas of security. Aside from mandating the implementation of encryption, firewalls, IDS, and anti-virus software, the standards outline specific requirements for storage of credit card data, employee access to that data, and even documentation and training. And PCI compliance is essentially "pass/fail" -- either merchants comply with all 175 requirements or they don't get certified.

Many merchants have been holding off on their PCI compliance initiatives in the hope that the revised standards, which were promised earlier this year, would be less rigid. Experts say the new guidelines are more clear about "compensating controls," which give merchants a bit more flexibility in their deployment of encryption and other PCI requirements.

"There has been a lot of confusion over the last year among merchants at all levels as to exactly what security measures and controls are needed to meet the standard -- especially around the best ways to encrypt sensitive data," says Jennifer Mack, director of product management at Cybertrust, which makes PCI compliance tools. "The lack of clarity left many companies struggling to meet compliance for the simple reason that they didn’t know where to start or what exactly was in scope. The updated standard is a strong step forward."

David Taylor, vice president of data security strategies at Protegrity and a former industry analyst, isn't so sure. "The new specs are definitely clearer, and that's great, but I think a lot of merchants were hoping that the new rules would make it easier to comply, and that didn't happen," he says.

Taylor notes that in order to qualify for "compensating controls" under PCI 1.1, a merchant would have to conduct a complete risk analysis: "Most haven't done that yet, and, if anything, that requirement makes it a little harder" to comply.

PCI auditors previously had hoped that PCI 1.1 would somehow divide the specifications between critical requirements -- such as the need for encryption and firewalls -- and best practices, such as thorough documentation and training. However, the new specs make no such distinction, which means that a single piece of documentation can still cause a merchant to fail an audit, even if it complies with the other 174 requirements in the PCI guidelines.

Taylor says the new PCI Security Standards Council is staffed well enough to maintain the standards, but not well enough to become an agent of enforcement. "If they are going to levy fines, they will need people to go out and verify non-compliance, and that takes staff," he says. "To me, a 'council' sounds more like an organizing body than an enforcing authority."

Many merchants that flouted the requirements in the first two years may continue to do little about compliance until the credit card vendors display more willingness to impose fines or revoke credit card processing capabilities, Taylor says. "I've had some Level 4 [smaller] merchants tell me they weren't going to do anything about compliance," he says. "Even some of the Level 2 [larger] merchants have done very little. We'll have to see if the new specs will get them to budge."

— Tim Wilson, Site Editor, Dark Reading
