PCI Regulation Discussion Summary
PCI DSS is the Payment Card Industry Data Security Standard, a collaborative effort to establish a common set of security standards for use by entities that process, store, or transmit payment card data. It applies to all merchants that "store, process, or transmit cardholder data" and to all payment channels, including brick-and-mortar, mail, telephone, and e-commerce.
The twelve PCI DSS requirements:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Safeguard stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Limit physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security
The winners will be Visa, MasterCard, and the other card brands, consulting and security firms, and possibly (though this has not been determined) consumers. The merchants certainly lose.
Air France is currently undertaking a multi-million dollar effort to comply with PCI. They are trying to reduce the number of applications that use credit cards, recording processing requirements, and implementing encryption and PCI-compliant storage in the network.
A few questions came up, such as liability issues: for example, who is assigned liability when fraud happens. It is also hard to know how outsourcing will affect security and compliance with PCI.
At this year's ETA, I was able to see a demo of the new VeriFone technology VeriShield. The VeriShield product provides the best of both worlds, in my opinion. While I only saw a brief demo, I must say the product certainly looks very compelling and is a huge step in the direction of removing data from merchant environments. Companies can use their integrated point of sale systems while having the data encrypted at the terminal by using the VeriShield product. This provides the benefits of both the 'tokenization' type solutions as well as the encrypted mag stripe readers.