The Multichannel Retailer

PCI Process Needs More Work, says Gartner

Efforts by the payments card industry to protect cardholder data are not enough, says a report from Gartner senior vice president Avivah Litan.

"The entire PCI process needs improvements," Litan says in a Gartner report entitled "Changes Will Improve PCI Security, But Not Enough." In particular, she wants better communication with PCI stakeholders.

The Payment Card Industry (PCI) Security Standards Council, an independent body to manage updates to the PCI Data Security Standard, was announced on September 7, 2006, by its five founding members, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Previously, control over updates was retained by Visa and MasterCard.

PCI 1.1, the new version of the Data Security Standard, which was launched by the Council on September 7, places a strong emphasis on application security. It also prohibits storing sensitive authentication data, such as the full contents of a card's magnetic stripe, after a transaction has been authorised.

Litan is not pleased that enforcement of the PCI standard will still be up to individual members of the Council, which may have different definitions of compliance. "This is a big point of market confusion and irritation among retailers that must comply with PCI," she says in the report.

"Since the formation of the Council, MasterCard and Visa have started fining level 2 merchants around US$10,000 to US$15,000 for PCI non-compliance," Litan tells epaynews. "The fees are for 30 days and recur every 30 days until the merchants demonstrate compliance."

Top of Gartner's list of PCI 1.1 recommendations for strict compliance enforcement is the encryption of sensitive cardholder data by enterprises that accept credit cards. "If data cannot be encrypted, database activity monitoring should be added to the list of compensating controls," Litan says. She also recommends scanning of software applications for security vulnerabilities.
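As an added example (not from the article, Gartner or the PCI Council), the following Python script shows the kind of check a merchant could run over an application log or database export to find the two things the article says PCI 1.1 targets: stored magnetic-stripe track data, and primary account numbers kept in the clear. The log lines are constructed for the example and use the standard 4111 1111 1111 1111 test card number rather than a real account; the Track 2 layout it parses (start sentinel `;`, PAN, `=`, YYMM expiry, service code and discretionary data, end sentinel `?`) follows ISO/IEC 7813, and a Luhn check weeds out digit runs such as invoice numbers that merely look like card numbers.

```python
import re
from typing import List, Tuple

# Constructed sample input (not real data): lines of the kind found in an
# application log or a database export. 4111111111111111 is the standard
# Visa test number, so the Luhn check passes without exposing a real account.
SAMPLE_LINES = [
    "2006-09-08 12:00:01 auth ok order=1001 pan=4111111111111111 exp=0912",
    "2006-09-08 12:00:02 raw swipe ;4111111111111111=09121011000012345678?",
    "2006-09-08 12:00:03 auth ok order=1002 pan=411111******1111",
    "2006-09-08 12:00:04 invoice=1234567890123456 total=12.00",
]

# Track 2 per ISO/IEC 7813: ';' PAN '=' YYMM <service code + discretionary data> '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d*)\?")
# A bare run of 13 to 19 digits that is not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_pan) findings for one line.

    kind is 'track2' for full magnetic-stripe track data (not to be stored
    after authorisation under PCI DSS 3.2) or 'pan' for a Luhn-valid card
    number stored in the clear (must be rendered unreadable under PCI DSS 3.4).
    """
    findings = []
    track_spans = []
    for m in TRACK2_RE.finditer(line):
        if luhn_valid(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1))))
            track_spans.append(m.span())
    for m in PAN_RE.finditer(line):
        # A PAN inside a track-data match is already reported as 'track2'.
        inside_track = any(s <= m.start() and m.end() <= e for s, e in track_spans)
        if not inside_track and luhn_valid(m.group(0)):
            findings.append(("pan", mask_pan(m.group(0))))
    return findings


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan all lines; return one (1-based line number, kind, masked_pan) per finding."""
    return [(n, kind, masked)
            for n, line in enumerate(lines, start=1)
            for kind, masked in scan_line(line)]


if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind:6} {masked}")
```

On the constructed sample the scan flags line 1 (a full PAN logged in the clear) and line 2 (a raw swipe with complete Track 2 data), while the already-masked PAN on line 3 and the Luhn-invalid invoice number on line 4 are left alone. Findings are reported masked so the scanner's own output does not become another place where cardholder data is stored.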

Related Links
www.gartner.com
PCI Security Standards Organisation
www.corporate.visa.com