News
Council Publishes Guidelines for Securing Customer Data Online
- By Jabulani Leffall
- April 18, 2008
The
PCI Security
Standards Council this week announced plans to issue new guidelines that
it hopes will give transaction application developers and security specialists
a clear direction to the path of least resistance when it comes to assessing
risks surrounding customer and vendor data -- most notably, credit card and payment
information.
The council will roll out version 1.1 of the Payment Application data-security standard, the specific set of guidance that may indeed serve as a roadmap for third-party application developers to produce secure payment software.
Such checklists and criteria were originally under the purview of Visa Inc. via its Payment Application Best Practices program. It was in 2007 that the PCI Council said it would study the possibility of bringing those suggested procedures under its umbrella.
The goal, according to a council press release issued during the week, is to "help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the payment card industry security standards."
In a phone interview with Redmondmag.com late in the week, PCI Council spokesman
Glenn Boyet continued to emphasize that though the word "compliance" is often
used, the Boston-based, non-profit council is not an enforcement agency, and
that the "readiness" of application developers and accompanying systems security
auditors would ultimately be determined by the card companies.
"I think it's pretty straightforward in the sense that we're looking at ways
to condense information on viable payment applications and security assessors,"
Boyet said.
The PCI Council will issue further guidance in the form of a white paper slated
to be released in May. The white paper, according to the PCI Council's Web site,
will cover myriad topics including specific requirements for transaction application
security and how PCI Council-certified "payment application security assessors"
will be named through an accreditation process.
Still, the prospect of a list of "approved" security applications or "certified"
assessors brings up more questions than answers, chief among them: How fair
is it for private enterprise card companies to pick and choose selected vendors
or "validate" payment applications that are to be used by vendors, retail
merchants or any other business transacting with payment cards based on the
council's hypotheses?
Michael Weider, director of security products at IBM Rational, a qualified
security auditor for merchants and third-party payment processors, said security
environments might be more sound with an objective party, such as a regulatory
body not motivated by profit or the expedience and direction of wind in the
market, so to speak.
"I appreciate what the council is trying to do given what they're working with.
I think right now their goal is trying balance the goal of security with the
annoyance of cost," Weider said. "It's a situation where if standards are too
onerous, no one's happy. But if it's not stringent enough, there's no viable
infrastructure."
Weider added that the degree of difficulty in choosing vendors and maintaining data integrity will continue to vary by industry.
"In financial services, it's a very tight ship, with all types of controls
over all aspects of processing," he said. "In retail, which has been notoriously
bad, there are entirely different sets of issues. I think that diversity presents
the biggest challenge."
Thus, what is essentially a kind of concept release from the PCI Council rather
than a concrete group of statutes comes at a crucial time for the PCI industry
and the IT pros charged with administrating security over critical systems and
data.
Last month, hackers
breached the database of Massachusetts grocery chain Hannaford Bros. and
swiped thousands of payment card and customer information records that ended
up leading to an estimated 1,800 cases of known fraud.
Despite some misgivings about who is doling out certifications and enforcement,
Steve Sahl, chief executive of Ramsey, Minn. based security consulting firm
The Barrier Group, said that right now the PCI Council and the enforcing card
companies are the only games in town, and merchants need to either deal with
it or not use credit cards -- which, these days, is not a smart option.
"The merchant's greatest asset -- his market reputation -- is at stake," Sahl
said. "As it stands, merchants must recognize that there is no greater duty
than to protect customer data no matter what the guidelines or self-assessments
are. His business is truly dependent upon it."
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.