Payment-card security rules to protect data are debated

Payment-card security rules that keep customer credit and debit card information from falling into the wrong hands are becoming a contentious issue as debate over anticipated Payment Card Industry (PCI) standards and their impact heats up.

In addition to the dozen rules for network security that comprise today's PCI Data Security Standard 1.1, the PCI Security Standards Council -- which represents Visa, MasterCard, American Express and Discover -- anticipates expanding requirements next year that could relate to wireless use as well as Web-application security.

The Council's general manager Bob Russo this week said the organization is devising new standards for how to design and evaluate any Web-facing business applications for credit-card processing as well as security rules for wireless.

But a final decision is still pending, he said, since there's growing resistance to new requirements for payment-card holders, many of whom aren't yet achieving official compliance with the existing PCI standards. He noted the Council doesn't enforce PCI compliance; that is the job of the card associations working with the banks.

The big concern now is that card-processing applications can be hacked and "we're looking into the best way to handle the application security," said Russo, adding he anticipates a decision on this in about a month. A decision to go forward may mean applications used to process credit cards would have to be evaluated and approved by a list of certified evaluators.

One change to the PCI security rules that's certain is the release before year-end of a new "Self-assessment Questionnaire" for PCI that merchants handling payment-card data will be expected to fill out when requested by their banks as part of the PCI compliance process.

"Today, it's one-size-fits-all, but going forward we'll have four different versions based on the merchant's business," said Russo. "For instance, if they're small and just doing dial-up, there's no need for them to answer 200 questions; we'll just have 30 or 40 questions."

The PCI Security Standards Council also intends to establish new PIN Entry Device (PED) requirements for equipment in an effort to combine the various equipment-security programs administered separately today by card associations MasterCard International, Visa International and JCB. Russo said by year-end, the Council's Web site will likely detail a list of approved PED equipment.

There's been some "grumbling" and "pushback" among merchants aware of some of the proposed changes, Russo acknowledges. Although specifics aren't yet published, the idea of mandating new payment-card application-security design and testing guidelines makes some IT managers anxious on how it could impact their operations.

"I'm hoping what they come up with is additive, not a complete shift," said Claude Gigoux, manager of networks and telecommunications at Princess Cruises, which achieved PCI compliance in July through an audit of both its offices and its cruise ships, where wireless-based networks and applications handle payment-card information. "You're going to get a rebellion if they say you have to use this methodology or other."

In general, PCI DSS 1.1 has been beneficial, says Gigoux, because it's specific about security guidelines, such as not transmitting credit-card information over a public network in the clear, without encrypting it.

"Visa and its processors don't always comply with this," Gigoux asserted. "Now and then, we'll get an e-mail directly from Visa out of the blue on the Internet, telling us, here's the card number and we have a problem with it."

Visa declined to comment on the matter.

Since the PCI standard calls for use of intrusion-detection systems and firewalls, Princess Cruises has found that centralizing log data using a security information manager -- in this case, ArcSight's Event Manager -- has helped in both making changes pertinent to PCI and providing information relevant to PCI auditors.

PCI security is also of keen interest to Verizon Business, which today announced its managed-hosting data centers in San Jose, and Beltsville, Md., achieved PCI compliance after an audit by Trustwave, a qualified security assessor (QSA) under the PCI program.

"It took us a year to get through the process," says Laura Elliott, manager of IT solutions product marketing at Verizon Business. "The reason we pursued this is because we have a large number of customers in the retail space. We didn't have to do this because we're not handling the card data, but we know that in order for the retailers to have PCI compliance, they may have to check off whether their service provider does."

Verizon has a multifaceted view on PCI because one of its divisions, Cybertrust, is both a PCI approved scanning vendor and a PCI QSA conducting security audits on merchants' networks when merchants request this service to meet demands from their banks or face possible fines and other punishment.

"One reason PCI is so demanding is because it calls for documented policies and how they're getting carried out," says Barbara Mitchell, Verizon manager of security product marketing. Some of the anticipated changes coming from the PCI Data Security Standards Council, such as the application security proposal and the standard for PIN-entry equipment, are getting "pushback from the retail industry," said Mitchell.

The veto in mid-October by California Gov. Arnold Schwarzenegger of bill AB 799, which would have made the PCI standard a requirement in California, is indicative of some of this pushback by business, Mitchell pointed out. She added, though, that at least one other state, Minnesota, has taken the opposite approach in mandating the PCI security standards.

Although the PCI effort begun over two years ago was intended to unite the card associations, including Visa, MasterCard and American Express, behind a common security program that banks would back, that hasn't happened as neatly as one might hope.

"There's still some ambiguity, for instance, American Express might still want to see a separate scan result," says Mitchell. "We still get calls from our merchants on this." In other ways, say Verizon officials, PCI duplicates other security-compliance efforts, such as Visa's Cardholder Information Security Program, which Verizon also supports.

Beverley Magda, CIO at the Humane Society of the U.S., headquartered in Washington, D.C., which has achieved official PCI compliance for two years running, says she also has noticed that American Express will ask for separate network-security scans outside of the scheduled PCI scans.

Magda said the Humane Society's certified PCI scanning vendor, Qualys, simply carries out a scan for the benefit of American Express.

In the end, PCI is simply a set of best practices, says Magda, and although it does add cost, "it's much cheaper than the fines -- for instance, $50,000 for not having a quarterly scan summary."

Magda and Gigoux say they don't agree with the sentiments against the PCI mandate expressed earlier this month by the D.C.-based retail-trade association, the National Retail Federation, which wrote an angry letter on behalf of its members to the PCI Security Standards Council.

In it, the NRF accused the Council of "making the industry jump through hoops to create an impenetrable fortress" while a better course of action would be coming up with a system that didn't require merchants to store cards at all or "keep reams of data for an extended period of time."

"They should stop whining," said Gigoux, adding PCI data security is like "safety people telling us things we don't want to hear. It gets us to fix things."
