Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Payment card industry compliance needs a boost

Graham Titterington | Oct. 14, 2009
Although the payment card industry (PCI) DSS standard has been a mandatory requirement for merchants and other organisations handling payment card data for over four years, non-compliance is still rife.

Improving general system security, particularly with respect to SQL injection attacks, will also help to reduce the incidence of breaches.

Enforcing PCI

The payment card industry threatens non-compliant organisations with financial penalties, but it is reluctant to use these powers, and proof of liability for a specific card breach is difficult to assign to a particular player. If the industry wanted to force all players into compliance then it would have to threaten to withdraw the card-handling franchise from the non-compliant merchant. It seems unwilling to go this far. Even if it did do so, vulnerabilities resulting from the limitations in the standard would remain, along with the limitation that PCI compliance is based on a point-in-time inspection.

A more palatable way forward would be to issue compliant organisations with a logo that they could display in their premises and on their websites so long as they remained compliant. This would give customers confidence in the same way as the SSL certificates on websites, and would embarrass non-compliant card handlers into rectifying their omissions.

Better still, the payment card industry should use its influence to encourage card handlers to enhance their overall security practices.

Graham Titterington is a principal analyst at Ovum, specialising in IT security and business continuity.

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.