Payment Card Industry (PCI) authorities clarify merchant security standards, but experts aren't sure compliance will be much easier

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 8, 2006

The world's top credit card companies yesterday issued long-awaited revised security standards for their merchants, but some experts say they didn't really improve the situation much.

American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International issued Payment Card Industry (PCI) Data Security Standard 1.1, a revised set of compliance specifications that dictate requirements for the handling of credit card information.

The credit card giants also announced the formation of the PCI Security Standards Council LLC, a joint organization that will shepherd the compliance guidelines, develop a list of PCI-compliant vendors and products, and train auditors.

PCI, which includes specifications for both physical and logical security of credit card data, is required for all merchants who accept credit cards or store credit information. Merchants that don't comply could face fines as high as $500,000, or, in extreme cases, could have their ability to accept credit cards revoked.

PCI 1.0 was issued two years ago, and merchants were supposed to have achieved compliance by the deadline of June 30 of this year. However, only a fraction of the largest merchants so far have passed their PCI audits. (See Retailers Lag on Security Standard).

Many merchants have been stymied by the complexity and stringency of the PCI guidelines, which contain some 175 requirements in 13 areas of security. Aside from mandating the implementation of encryption, firewalls, IDS, and anti-virus software, the standards outline specific requirements for storage of credit card data, employee access to that data, and even documentation and training. And PCI compliance is essentially "pass/fail" -- either merchants comply with all 175 requirements or they don't get certified.

Many merchants have been holding off on their PCI compliance initiatives in the hope that the revised standards, which were promised earlier this year, would be less rigid. Experts say the new guidelines are more clear about "compensating controls," which give merchants a bit more flexibility in their deployment of encryption and other PCI requirements.

"There has been a lot of confusion over the last year among merchants at all levels as to exactly what security measures and controls are needed to meet the standard -- especially around the best ways to encrypt sensitive data," says Jennifer Mack, director of product management at Cybertrust, which makes PCI compliance tools. "The lack of clarity left many companies struggling to meet compliance for the simple reason that they didn’t know where to start or what exactly was in scope. The updated standard is a strong step forward."

David Taylor, vice president of data security strategies at Protegrity and a former industry analyst, isn't so sure. "The new specs are definitely clearer, and that's great, but I think a lot of merchants were hoping that the new rules would make it easier to comply, and that didn't happen," he says.

Taylor notes that in order to qualify for "compensating controls" under PCI 1.1, a merchant would have to conduct a complete risk analysis: "Most haven't done that yet, and, if anything, that requirement makes it a little harder" to comply.

PCI auditors previously had hoped that PCI 1.1 would somehow divide the specifications between critical requirements -- such as the need for encryption and firewalls -- and best practices, such as thorough documentation and training. However, the new specs make no such distinction, which means that a single piece of documentation can still cause a merchant to fail an audit, even if it complies with the other 174 requirements in the PCI guidelines.

Taylor says the new PCI Security Standards Council is staffed well enough to maintain the standards, but not well enough to become an agent of enforcement. "If they are going to levy fines, they will need people to go out and verify non-compliance, and that takes staff," he says. "To me, a 'council' sounds more like an organizing body than an enforcing authority."

Many merchants that flouted the requirements in the first two years may continue to do little about compliance until the credit card vendors display more willingness to impose fines or revoke credit card processing capabilities, Taylor says. "I've had some Level 4 [smaller] merchants tell me they weren't going to do anything about compliance," he says. "Even some of the Level 2 [larger] merchants have done very little. We'll have to see if the new specs will get them to budge."

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.