There was a major development on the PCI DSS front this week, and it’s good news for anyone who has to swipe a credit card at the cashier counter or punch in a credit card number during online purchases. In other words, it’s good news for just about everyone.
To force more security into the payment application development process, the Payment Card Industry Security Standards Council announced Wednesday that it’s adding a new provision to the PCI Data Security Standard (PCI DSS) called the Payment Application Data Security Standard (PA-DSS) — based on Visa’s Payment Application Best Practices (PABP).
The standard is meant to pressure software vendors and others into developing secure payment applications that do not store such prohibited data as the full magnetic stripe, CVV2 and PIN data.
Reaction in the blogosphere is largely positive, with industry practitioners agreeing better application security is a necessity.
Tyler Hannan writes in his Reflections on Emergent Commerce and Technology blog that the news represents a major change in how data is protected when processed via software applications.
“If I read correctly, this means that all applications MUST be PA-DSS compliant in just over two years,” he writes. “As such, the time is now for software companies (and their merchants) to start making decisions about how to improve their application, and associated processes, to meet PA-DSS compliance.”
In his PCI DSS Compliance Demystified blog, Michael Dahn writes that by turning the best practice document into a standard and then enforcing it with hard deadlines for compliance, the industry is delivering a one-two punch to the insecure systems, helping eliminate fraud in the smaller merchant arena.
“It is important to focus on this area as it shows a strong push towards the security of smaller merchants,” he writes. “It is widely known that many small merchants use similar point of sale (POS) technology and that the greatest risk to those merchants is from the compromise of those systems that store sensitive authentication information.”
Everything that’s come from my reporting in recent months tells me these guys are on the mark. There are two factors that make it clear that the council’s move is necessary.
First, point-of-sale technology is one of the weak links in the retail security chain. Many of the systems we use to swipe credit cards at the checkout counter are storing too much transaction data, and that’s what the bad guys are after. Several IT administrators have told me that they’ve had to upgrade their point-of-sale systems as part of their PCI DSS compliance for that very reason.
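As an added illustration (not from this column, the bloggers quoted, or the PCI SSC), here is a Python check a developer or assessor could run over a POS application's logs or database dumps to spot the storage PA-DSS forbids: full Track 1/Track 2 magnetic-stripe data and CVV2. The log format and the `cvv2` field name are assumptions, and the sample log lines are constructed.

```python
import re

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]*\?")
# Track 2 layout: <PAN>=<YYMM><service code><discretionary data>
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")
# CVV2 written to a log as a labelled field (assumed field name)
CVV2_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn check so arbitrary digit runs around '=' are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_auth_data(lines):
    """Return (line number, kind, masked value) for each prohibited item found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    findings.append((lineno, kind, mask_pan(m.group(1))))
        if CVV2_RE.search(line):
            findings.append((lineno, "cvv2", "***"))
    return findings


# Constructed sample POS log lines (test numbers, not real cardholder data)
SAMPLE_LOG = [
    "2007-11-08 12:01:03 auth approved pan=411111******1111 amount=12.50",
    "2007-11-08 12:01:04 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^2512101000000000?",
    "2007-11-08 12:01:04 DEBUG track2: ;4111111111111111=2512101123456789?",
    "2007-11-08 12:01:05 cnp order cvv2=123 pan=5500000000000004",
    "2007-11-08 12:02:10 sess=1234567890123456=25121010 ok",
]

if __name__ == "__main__":
    for finding in find_stored_auth_data(SAMPLE_LOG):
        print(finding)
```

Line 1 (masked PAN) and line 5 (digit run that fails Luhn) produce no finding; the three flagged lines are exactly the kind of "too much transaction data" that a PA-DSS review would have to fix.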
Second, we’ve seen that business applications in general are in a sorry state because security is at the bottom of the priority list for developers.
The only way to change the situation is to train developers to be more security conscious, and the only way they will get that training is if their bosses are pressured into offering it. The need for more security in the application development process has been a major theme at the Computer Security Institute (CSI) 2007 conference in Arlington, Va., which I attended earlier this week.
That it was a major CSI theme speaks to just how big a security issue payment application security has become.
It’s good to see the PCI Security Standards Council is taking it seriously.
About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at email@example.com.