Card Companies Planning Update to PCI Data Standards
Breitkopf, David, American Banker
The major credit card companies are planning an update to the Payment Card Industry security standards to protect customer information shared with third-party processors or sent across the Internet.
A Visa U.S.A. spokesman confirmed Friday that the update is in the works, and several industry observers said the update is likely to be announced by September.
The PCI standard is used by Visa, MasterCard Inc., Morgan Stanley's Discover Financial Services, American Express Co., and JCB Co. Ltd.
Though the standards have been in place for more than a year, compliance by merchants, especially small ones, is still relatively low. Visa sent small and midsize restaurants a security alert last week reminding them that they must adhere to the standards if they accept payment cards, and one recent survey found that many small businesses are unaware of the standards.
Christopher J. Novak, a principal consultant for CyberTrust Inc., a Herndon, Va., security company that performs PCI compliance assessments, said card companies are trying to update the rules for Internet applications, because many companies are "bringing a lot more of the day-to-day activities and operations" on to the Web.
Hackers are not targeting the networks' infrastructure, which has been in place for a long time and is considered both stable and secure, Mr. Novak said. Instead, "a lot of hackers are targeting the Web applications."
Many of the applications that merchants and processors use to move, store, and handle customer data are updated and modified frequently. Failing to keep up with these changes can create back doors for criminals who can exploit systems that are not up to date.
Third-party security is another important issue the card companies are likely to address, Mr. Novak said.
"We're moving to a much more open model where information is shared on a regular basis," he said. For example, many companies outsource their call centers. "Obviously, there is concern over the security surrounding these call centers. If they are not your own call centers, it can be a little more challenging to understand what security procedures and policies are in place at those particular facilities."
Chris Noell, the founder and chief executive of the Austin security consulting company TruComply LLC, said the card companies also plan to require vendors' payments software to comply with the standards within two years. Following those standards is currently optional for the vendors.
Requiring the vendors to follow the standards would "be good news for the merchant and banking communities," Mr. Noell said. "If the underlying payments application is noncompliant, what do you do? It's pretty difficult to achieve PCI compliance."
In the meantime, Visa has noticed a spike in fraud at small and midsize restaurants' point-of-sale terminals. These businesses are often less security-minded than larger companies, and in many cases they are unaware that their terminals can be a weak point in their security. …