Credit Card Security Issues Rise to a Boil

By Larry Seltzer  |  Posted 2006-03-15

Opinion: Will the big credit card companies really enforce their rules? Expect panic and court cases if they get serious.

There's nothing like credit card ID theft to make computer security relevant to the general public. We've had a lot of news lately on the subject and it deserves to be big news. There's a good chance we'll have more of it in the months to come, and not just the usual "thousands of card numbers were stolen" stuff. Even though merchants aren't ready for it, Visa and MasterCard are making noises like they're really, honestly and truly going to enforce the security standards they have been pushing on the retail world.
Enforcement could be the death penalty for some retailers.
I instinctively side with the banks and credit card companies; what they're saying is that if you're going to be doing business with us, and therefore be entrusted with sensitive information, the loss of which could cost money and time for us and our customers, you need to use strict security guidelines in the operation of your computer systems and business practices. Visa calls these new guidelines CISP (Cardholder Information Security Program), and MasterCard calls them PCI (Payment Card Industry) Data Security Standard.
According to a recent Wall Street Journal story (subscription required), Visa says that only 17 percent of 231 large merchants have complied with CISP, and another 75 percent have filed a plan for doing so. This means that 8 percent (of large retailers) haven't even bothered to file a plan. Imagine what the situation is for small retailers! In fairness, Visa also said that at this time last year only 2 percent were in compliance, so clearly progress is being made.
I'm not really an expert on the standards, but my understanding is that they are a serious effort and you can't easily cheat them. For instance, at the strictest levels, reserved for these large merchants who handle large numbers of cards, independent audits are required.
And the big merchants are among the most aggressive at adopting technologies like Wi-Fi that have at least great potential for insecurity. I'm told that in big-box stores and modern supermarkets you're likely to find lots of Wi-Fi that they use to quickly and cheaply install new equipment without having to run wires. Do you think the store manager has had any training in network management?
A secure wireless network, the kind that would comply with PCI/CISP, requires, among other things, WPA (Wi-Fi Protected Access) protection and RADIUS authentication. Keeping this running requires either on-site expertise or remote management. Or they could just not be as strict about things, which is what I bet happens most of the time.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
