SecurityFocus, 2007-11-19
The organization responsible for technical and best-practice standards in the payment industry plans to require the makers of merchant software to certify that their programs do not store sensitive data.
The draft requirements, known as the Payment Applications Data Security Standard (PA-DSS), are based on a set of rules created by financial giant Visa and will be managed by the Payment Card Industry (PCI) Security Standards Council. The rules, announced earlier this month, would require that any software handling credit- or debit-card data not store or cache prohibited data from a transaction, including the information saved to a card's magnetic stripe, the CVV2 (card verification value) security number or PIN (personal identification number).
While 200 applications have already been certified under Visa's version of the rules, hundreds of programs that handle financial transactions continue to store sensitive data, Bob Russo, general manager for the PCI Security Standards Council, told SecurityFocus.
"Back in the day when anyone wrote an application, the thought was that always more data is better," Russo said. "In a lot of cases, the merchant doesn't even know they are storing the data."
The decision to eradicate sensitive data from brick-and-mortar and online processing applications comes nearly a year after major retailer TJX Companies announced that attackers had breached its security and stolen millions of credit- and debit-card numbers. The company announced the breach in January, later acknowledging that information on at least 46.5 million cards had been stolen. Recently, a lawsuit against TJX revealed that data from at least 94 million credit and debit cards had been siphoned from the retailer's networks.
The breaches have increased pressure on merchants to secure their systems, but complexity and cost have slowed the adoption of security measures. Two months after the deadline to comply with the payment industry's processing security standard, only two-thirds of the top-tier retailers had satisfied its requirements, according to Visa.
While the situation sounds dire, Russo stressed that the rate of financial fraud has actually remained low -- about 0.6 percent of all revenue -- according to public numbers released by Visa.
Still, the coming standard will help close a large hole in the security of credit-card transactions, said Avivah Litan, a data-security analyst at Gartner. Applications that save prohibited data are likely already being targeted by attackers, she said.
"Attackers like to find vendors whose products store data, and then find businesses that use those vendors," she said.
While about 200 applications have already been certified by Visa under the original program -- and thus would likely meet the requirements of any new standard -- that likely represents only about a third of the software installed at retail businesses, Litan said.
At least one security expert warned that the rules will only close a single security hole, not solve the problem. "This isn't the only place from where fraud springs from," said Gordon Rapkin, CEO of data-protection firm Protegrity. "It is only one hole, so it is putting your finger in the dike in only one place."
Moreover, the transition will not happen overnight. Because it is expensive to convert retail and online systems to new software, the transition will take two or three years, Russo said.
"Some of these merchants are very, very large, and it takes quite some time and quite some budget to get them compliant," he said.
The proposed standards, which are currently undergoing a public comment period, will likely be adopted during the first quarter of 2008. The five major credit-card companies -- American Express, Discover, JCB, Mastercard International and Visa -- have all voiced support for the rules, Russo said.