PCI Regulation Discussion Summary

PCI DSS is the Payment Card Industry Data Security Standard, a collaborative effort to define a common set of security standards for entities that process, store, or transmit payment card data. It applies to all merchants that “store, process, or transmit cardholder data” and to all payment channels, including brick-and-mortar, mail, telephone, and e-commerce.

PCI Standards:

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security

The winners will be Visa, MasterCard, and others, consulting and security firms, and possibly (though this has not been determined) consumers. The merchants, of course, lose.

PCI compliance:

Air France is currently undertaking a multi-million dollar effort to comply with PCI: reducing the number of applications that handle credit cards, recording processing requirements, and implementing encryption and PCI-compliant storage in the network.

Some of the questions raised involve liability, for example to whom liability is assigned when fraud happens. It is also unclear how outsourcing will affect security and compliance with PCI.

At this year's ETA, I was able to see a demo of the new VeriFone technology, VeriShield. The VeriShield product provides the best of both worlds, in my opinion. However, I only saw a simple demonstration. I must say the product certainly looks very compelling and is a huge step in the direction of removing data from merchant environments. By using the VeriShield product, companies can still use their integrated point-of-sale systems while having the data encrypted at the terminal. This provides the benefits of both the ‘tokenization’ type solutions and the encrypted mag stripe readers.
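The scope-reduction idea behind the VeriShield paragraph, cardholder data replaced at the point of capture so merchant systems never hold the full PAN, as an added Python example; this is not VeriFone's code and not part of the original summary. It models the tokenization half (a token service outside the merchant environment) plus the card-data discovery scan a PCI assessor would expect; TokenVault, checkout and find_cleartext_pans are constructed names, and 4111111111111111 is a well-known test card number, not a real account.

```python
"""Tokenization model: the merchant keeps a token and a masked PAN, the full PAN
lives only with the token service, and a discovery scan confirms that no cleartext
PAN leaked into merchant records. Constructed example, not a vendor implementation."""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; used to tell real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stands in for a token service provider outside the merchant's environment."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}  # token -> PAN, never held by the merchant

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(8)  # random: reveals nothing about the PAN
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def checkout(vault: TokenVault, pan: str, amount: str) -> dict:
    """The record a merchant system keeps after a sale: no full PAN in it."""
    return {"token": vault.tokenize(pan), "masked_pan": mask_pan(pan), "amount": amount}


PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_cleartext_pans(records: list[dict]) -> list[tuple[str, str]]:
    """Card-data discovery over merchant records: any Luhn-valid 13-19 digit run is a hit."""
    return [(field, m) for rec in records for field, value in rec.items()
            for m in PAN_RE.findall(str(value)) if luhn_ok(m)]
```

A free-text field such as a call-centre note is the classic place a PAN ends up despite terminal encryption, which is why the scan runs over every field rather than only the ones meant to hold card data.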