Saturday, September 21, 2024

PCI Council Will Tighten Data-Security Rules, Details to Come

The Payment Card Industry data-security standard, or PCI, is in line for its second upgrade since the PCI Security Standards Council took over development of the standards for protecting cardholder data from the major card networks in 2006. PCI Council general manager Robert Russo announced the coming upgrade Wednesday at the Electronic Transactions Association's 2008 Annual Meeting & Expo in Las Vegas. Russo gave no details about what changes are in store, but said the upgrade will incorporate feedback from the PCI Council's participating organizations and others. In a nod to growing worries about the interception of card data while it is being transmitted during authorizations, however, he said “wireless is probably a good bet” for tightened security.

Supermarket chain Hannaford Bros. Inc. recently reported that a hacker or hackers had stolen card data while it was in transit at its stores, marking an ominous new front in the fraud wars (Digital Transactions News, March 18). The PCI Council announced its first upgrade to the security standards just over a year and a half ago, at the same time the organization was born (Digital Transactions News, Sept. 7, 2006).

On Tuesday, the council released Version 1.1 of the Payment Application data-security standard, the specific set of guidelines for third-party application developers to produce secure payment software. The PA-DSS originated with Visa Inc.'s Payment Application Best Practices program. Last year, the PCI Council said it would bring PABP into the PCI tent, meaning that the software guidelines Visa developed would also apply to third-party applications that touch cardholder data on the other card networks. PA-DSS doesn't apply to in-house payment applications, but those software systems still must meet criteria set by the main PCI set of rules.
Meanwhile, although most of the controversy surrounding PCI compliance has focused on data breaches at big retailers such as Hannaford or TJX Cos., an executive with PCI compliance-assessment firm Trustwave reminded his ETA listeners at a second security session Wednesday that most data breaches involve small merchants. Mike Petitti, chief marketing officer at Chicago-based Trustwave, said about 90% of the more than 350 cardholder-data compromises his firm has investigated over the past two and a half years in 14 countries have involved small merchants. Sixty-nine percent of the merchants were so-called card-present merchants, while the rest were Internet or other card-not-present merchants.

Point-of-sale software was the source of 71% of the compromises, followed by Internet shopping carts, 22%; back-end processing systems, 6%; and hardware terminals, 1%, according to Petitti. Merchants' Internet connections played a role in nearly nine out of 10 compromises. Some 51% of the incidents involved digital subscriber lines (DSL) and 38% involved T1 lines, both of which provide “always-on” Web connectivity. Only 11% of the compromises involved dial-up connections.

The card networks and merchant acquirers need to do a better job of educating the smallest, so-called Level 4 merchants about PCI, according to Petitti, who added that collectively these merchants generate 32% of credit and debit card transactions. “Most of them have never heard of PCI DSS,” he says. “It really is lost on them.”
