This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
Are Changes Afoot For PCI?
While PCI is lauded for its clarity, there are still questions in terms of meeting the standard's requirements.
"We specifically get questions around scanning, pen testing, encryption and audit logging," says Jennifer Mack, director of compliance product management for Cybertrust, an authorized PCI auditor. "We told [the credit card associations] that companies would like more interpretation on these."
Barak Engel, CSO at LoyaltyLab, believes the encryption requirements are straightforward, but hopes for some clarification in terms of scope. Do retailers have to encrypt store cash cards that carry no personally identifiable information? Right now the answer is "probably not," which is saying just as much as "better safe than sorry."
Many of these concerns have been reported to the credit card issuers and auditors say there will be updates to the standard this summer.
Among possible changes, vulnerability scans will be recommended for level 4 merchants on a quarterly rather than an annual basis, as determined by the merchant's acquirers. "VISA and MasterCard are communicating this out to the banks," says Mack.
Lastly, the credit card associations may create a fifth tier that will group together merchants that have 1 million to 6 million online credit card transactions per year. Currently, level 2 is defined 150,000 to 6 million transactions per year.
More Requirements Ahead?
In the future, companies may have more to deal with than PCI and regulations like GLBA when it comes to protecting consumers' data.
For example, HR 3140--which would expand the protection of "sensitive consumer information" in part by requiring financial institutions, reporting agencies and other organizations to notify consumers of data-security breaches--was among several bills introduced last year by Rep. Melissa Bean (D-Ill.). Sens. Dianne Feinstein (D-Calif.) and Bill Nelson (D-Fla.) are among those who introduced bills that would require consumers be notified if sensitive data is compromised. The proposed legislation includes--but is not limited to--the protection of credit card information.
"We haven't seen the last of federal or state legislation that will pertain to keeping consumer data secure.... It's going to be more and more important for us to be proactive in our approach to meeting today's standards, such as PCI, and ones we believe are heading for the industry in the future," Accor's Ewing says.
However, given the "relatively slow-moving process" of law-making, many organizations are hopeful that PCI will forestall additional legislation--at least temporarily, says Jupiter's Kountz. "There's a feeling that [state and federal bodies] could take a simple problem and make it more complex, and many would like to avoid that if at all possible," he notes.
In the absence of additional legislation, security professionals are applying their own expertise--guided by PCI and refined by their organizations' specific needs--to secure the credit card transactions on which their revenue depends. Well-publicized security breaches not only drive home the alarming possibility that it could happen to you, but are also motivation to ensure that it doesn't, says Honeybaked Ham's Goldoff.
"Fear and ethics"--the ethical obligation to take care of customers' data as vigilantly as you would your own--"make us very protective," he says.
This was first published in May 2006