By Joris Evers
Staff Writer, CNET News.com
May 15, 2006
SAN FRANCISCO--Proposed new security rules for credit card-accepting
businesses will put more scrutiny on software, but let them off the
hook on encryption.
The update to the Payment Card Industry (PCI) Data Security Standard,
due this summer, responds to evolving attacks as well as to challenges
some businesses have with the encryption of consumer data, Tom
Maxwell, director of e-Business and Emerging Technologies at
MasterCard International, said here Monday.
The proposed update includes a requirement to, by mid-2008, scan
payment software for vulnerabilities, Maxwell said in a presentation
at a security conference hosted by vulnerability management specialist
Qualys. Currently, merchants are required to validate only that there
are no security holes in their network. "There is an increase in
application level attacks," Maxwell said.
While security stands to benefit from a broader vulnerability scan,
another proposed change to the security rules may hurt security of
consumer data, critics said. The new version of PCI will offer
merchants more alternatives to encryption as a way to secure consumer
"Today, the requirement is to make all information unreadable wherever
it is stored," Maxwell said. But this encryption requirement is
causing so much trouble for merchants that credit card companies are
having trouble dealing with requests for alternative measures, he
In response, changes to PCI will let companies replace encryption with
other types of security technology, such as additional firewalls and
access controls, Maxwell said. "There will be more acceptable
compensating and mitigating controls," he said.
While PCI is good in principal, relaxing encryption requirements is
not, said Paul Simmonds, a representative of the Jericho Forum, a
group of companies that promote open security technologies. "It
basically means that if you hack the system, you get the data," he
said. "I can't think of a good alternative for encryption."
The challenge with encryption is that older payment systems were not
built to support the scrambling technology, said Qualys CEO Philippe
Courtot. "Encryption is the ultimate measure of security, but the
current applications have not been designed with encryption in mind,"
The PCI security standard was developed by MasterCard and Visa and
went into effect last year. It aims to reduce the risk of an attack by
mandating the proper use of firewalls, message encryption, computer
access controls and antivirus software. It also requires frequent
security audits and network monitoring, and forbids the use of default
passwords. Retailers that don't comply may face penalties, including
Copyright =A91995-2006 CNET Networks, Inc. All rights reserved.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.