Standard Not Set in Stone
By Ericka Chickowski | Posted 2008-01-30
Remember the TJX customer-data debacle? 94 million credit cards were stolen by hackers. PCI—the payment card industry's security standard—could have minimized the damage. Comply now or repeat the retailer's record-setting breach.
The PCI Security Standards Council has its work cut out for it. Not only will it need to help laggards over the last hump, but it must maintain the standards so they keep up with the most recent threats.
“It’s a changing landscape, and the hackers are getting smarter,” Russo says. “Will the standard ever be complete? I doubt it. It’s more of a journey than a destination.”
Although the council has yet to release specifics, most insiders expect a new PCI standard update involving the encryption of personal identification number (PIN) entry devices, the establishment of payment application best practices, and tweaks to the self-assessment questionnaires for Level 3 and Level 4 merchants. But merchants shouldn’t be wary, Russo says, since all changes will be made with ample contributions from advisory board members from all parts of the payment card lifecycle.
“Contrary to popular belief, it is not our intent to bring out a new standard to put everybody out of compliance,” Russo says. “And we don’t sit in an ivory tower and pick this out of the air; it’s all based on real-world experience from participating organizations.”
The real goal, Russo says, is to keep cardholders safe. And while most security gurus would agree that PCI isn’t a silver bullet, it will go a long way toward shielding retailers’ records from the bad guys.
Unfortunately, this lesson wasn’t learned soon enough to prevent the
True, WEP wireless security was the first point of penetration in the
Perhaps one of the biggest problems
“PCI is helping to set a minimum standard,” says Hughes’ Kenyon. “I think what it really has done is [act as] a vehicle for education, more than anything else—to really get the message down past the IT department to senior managers.”
PayPal’s Barrett believes that early resistance was mostly a byproduct of culture shock. Many retailers and other organizations that accept credit cards weren’t accustomed to having a third party mandate security controls—sometimes involving expensive upgrades.
“I think what you’re seeing is simply the fact that as a culture, as a sort of retail payments culture, there hasn’t been enough collective attention to this,” Barrett says. “And whenever you change culture, it always takes several years, and it’s always accompanied by lots of wailing and gnashing of teeth. But I don’t think any of that says either it’s the wrong thing to do or it undercuts the inevitability of the journey we’re on, because I do think in a few years we’re going to look back at this and say, ‘What the heck was all the fuss about?’”