Credit Card Security Issues Rise to a Boil

Opinion: Will the big credit card companies really enforce their rules? Expect panic and court cases if they get serious.

Theres nothing like credit card ID theft to make computer security relevant to the general public. Weve had a lot of news lately on the subject and it deserves to be big news.

Theres a good chance well have more of it in the months to come, and not just the usual "thousands of card numbers were stolen" stuff.

Even though merchants arent ready for it, Visa and MasterCard are making noises like theyre really, honestly and truly going to enforce the security standards they have been pushing on the retail world.

Enforcement could be the death penalty for some retailers.

I instinctively side with the banks and credit card companies; what theyre saying is that if youre going to be doing business with us, and therefore be entrusted with sensitive information, the loss of which could cost money and time for us and our customers, you need to use strict security guidelines in the operation of your computer systems and business practices.

Visa calls these new guidelines CISP (Cardholder Information Security Program), and MasterCard calls them PCI (Payment Card Industry) Data Security Standard.

According to a recent Wall Street Journal story (subscription required), Visa says that only 17 percent of 231 large merchants have complied with CISP, and another 75 percent have filed a plan for doing so.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

This means that 8 percent (of large retailers) havent even bothered to file a plan. Imagine what the situation is for small retailers! In fairness, Visa also said that at this time last year only 2 percent were in compliance, so clearly progress is being made.

Im not really an expert on the standards, but my understanding is that they are a serious effort and you cant easily cheat them. For instance, at the strictest levels, reserved for these large merchants who handle large numbers of cards, independent audits are required.

/zimages/2/28571.gifCitibank confirms that acts of fraud in Canada, the United Kingdom and Russia are linked to a security breach. Click here to read more.

And the big merchants are among the most aggressive at adopting technologies like Wi-Fi that have at least great potential for insecurity.

Im told that in big-box stores and modern supermarkets youre likely to find lots of Wi-Fi that they use to quickly and cheaply install new equipment without having to run wires. Do you think the store manager has had any training in network management?

A secure wireless network, the kind that would comply with PCI/CISP, requires, among other things, WPA (Wi-Fi Protected Access) protection and Radius authentication.

Keeping this running requires either on-site expertise or remote management. Or they could just not be as strict about things, which is what I bet happens most of the time.

Next Page: Credit card companies will have to draw the line.

Further reading