With headlines about the compromise of hundreds of thousands of credit card numbers at CardSystems Solutions Inc. still fresh, the industry is implementing long-awaited data security rules for merchants and card processors.
The Payment Card Industry Data Security Standard mandates IT security best practices such as firewalls and anti-virus software, as well as data encryption for online merchants. The standard has already prompted a wave of security audits and updates among credit card processors, online merchants and service providers. But some industry insiders warn that enforcing the regulations among thousands of small merchants will be a challenge.
PCI harmonizes separate, overlapping security regulations from the major credit card networks: Visa, MasterCard, American Express and Discover. The standard, which was introduced by Visa and MasterCard in December 2004, mandates online merchants to comply with 12 security requirements, including the use of firewall and anti-virus software, data encryption, strong passwords, and software vulnerability scanning.
Merchants are asked to perform PCI self-assessments and undergo vulnerability scans. However, merchants at the top of the e-commerce industry, handling more than 6 million transactions a year, must perform annual on-site security audits from independent auditors, in addition to quarterly network scans. Those requirements also apply to merchants, such as CardSystems, that have been the victims of a security breach.
Security products and services companies such as nCipher Inc. have received a steady stream of inquiries about PCI compliance, and many now offer products or consulting services geared to the new standard.
Cybertrust Inc., in Herndon, Va., a security services company, now partners with Qualys Inc., a vulnerability scanning company, to offer a PCI compliance package. Cybertrust customers can access an online dashboard for PCI compliance, which integrates data from vulnerability scans with links to information on fixing security holes, said Jennifer Mack, product manager for Cybertrusts online compliance program.
At 3DeltaSystems Inc. of Chantilly, Va., administrators just completed their first PCI certification, said Aaron Bills, vice president of products and business development. The PCI audit turned up mostly minor issues such as passwords and Web session timeout settings that were shorter than the PCI standard recommends.
"I would have considered our standards in line with industry common practices, but PCI forced us to move to industry best practices," Bills said. Despite the June 30 deadline, many merchants are still grappling with PCI compliance, Bills and Mack said.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.