PCI Sets New Security Standards – Gets Surprising Pushback

PCI Sets New Security Standards – Gets Surprising Pushback

We talked a few weeks back here new data security standards for from the PCI – Payment Card Industry – Council.

As the Finextra website reminds us, “merchants and other businesses globally use ‘PA-DSS Validated’ software to ensure they can safely accept payments, both in-store and online.” And now there are updated “procedures for secure installation of software patches and updates, and instructions for protecting cardholder data if using debugging logs for troubleshooting, as these can be exploited during a compromise.

“’We continue to see how failure to properly configure and patch payment applications exposes organizations to attacks that lead to mass data compromise,’ said PCI Security Standards Council Chief Technology Officer Troy Leach. ‘That’s why in addition to updating PA-DSS to support PCI DSS 3.2, we’ve added more guidance to help integrators, resellers, and others implementing payment software to configure it properly and protect payment account data.’”

Even the Business2Community website adds that “PCI compliance also reduces numerous risks connected with money transactions. Clients can always feel very comfortable when making a transaction with a business that complies under PCI standards, even when giving away their personal data.”

So it was surprising to read then that the National Retail Federation “has asked the Federal Trade Commission to investigate the Payment Card Industry Security Standards Council for possible antitrust violations.” The ATM Marketplace website calls this part of an “ongoing saga” between the two bodies.

Evidently the NRF “asked that the FTC investigate the council’s practices in general and particularly their impact on competition,” and rather than rely on them as a “benchmark for data security,” asks the FTC to “instead work with ‘legitimate U.S. standard setting bodies’ such as the American National Standards Institute.”

More specifically, the Pymnts.com site asserts that this “latest front is yet a new one in the ongoing war between retailers and card companies over the new EMV standard and whether or not PIN should be used as opposed to signature-based verification methods that are currently the norm.”

As their article summarizes, “PCI further requires that retailers and business that process over 1 million annual card transactions must be audited to make sure their practices are in line with current security standards. The NRF contends the requirement that they work with credit card companies ‘exhausts’ funds and resources that retailers might otherwise use to invest in data security. ”

On the other hand, PCI Security Standards Council General Manager Stephen Orfei said to Pymnts.com, about the new standards we mentioned above, “using secure software and making sure that the software is installed and maintained correctly is a critical part of protecting payments.”

And of course too many merchants – especially those without the kind of help offered by AVPS – don’t actually upgrade and maintain the security standards already in place, which has lead to many of the more notorious breaches we’ve reported about here.

Regardless of how the tug-of-war in Washington plays out, your customers still need their data protected: Be sure you’ve upgraded your POS systems, gone to EMV standards for in-person purchases, and done whatever overall and review you need with your AVPS Rep, to get ready for the busy summer season, and the busier back-to-school and holiday seasons after that!


Leave a Reply

Your email address will not be published. Required fields are marked *