PCI Sets New Security Standards – Gets Surprising Pushback
We wrote here a few weeks back about the new data security standards from the PCI (Payment Card Industry) Security Standards Council.
Updated Procedures for Secure Installation
As the Finextra website reminds us, “merchants and other businesses globally use ‘PA-DSS Validated’ software to ensure they can safely accept payments, both in-store and online.” The PCI Council has now updated its procedures for securely installing software patches and updates. It has also added instructions for protecting cardholder data when debugging logs are used for troubleshooting, since such logs can capture card data that attackers then harvest during a compromise.
“’We continue to see how failure to properly configure and patch payment applications exposes organizations to attacks that lead to mass data compromise,’ said PCI Security Standards Council Chief Technology Officer Troy Leach. ‘That’s why in addition to updating PA-DSS to support PCI DSS 3.2, we’ve added more guidance to help integrators, resellers, and others implementing payment software to configure it properly and protect payment account data.’”
PCI Compliance and Reduced Risks
The Business2Community website adds that “PCI compliance also reduces numerous risks connected with money transactions. Clients can always feel very comfortable when making a transaction with a business that complies under PCI standards, even when giving away their personal data.”
National Retail Federation’s Request
So it was surprising to read then that the National Retail Federation “has asked the Federal Trade Commission to investigate the Payment Card Industry Security Standards Council for possible antitrust violations.” The ATM Marketplace website calls this part of an “ongoing saga” between the two bodies.
Evidently the NRF “asked that the FTC investigate the council’s practices in general and particularly their impact on competition,” and rather than rely on them as a “benchmark for data security,” asks the FTC to “instead work with ‘legitimate U.S. standard setting bodies’ such as the American National Standards Institute.”
The Ongoing War over EMV Standard
The Pymnts.com site frames this as a new development in the ongoing conflict between retailers and card companies over the new EMV standard, and over the use of PINs rather than signatures to verify cardholders. According to its article summary, PCI also mandates audits for retailers and businesses processing over 1 million card transactions a year to confirm compliance with the current security standards. The NRF argues that this requirement drains funds and resources that retailers could otherwise invest in data security.
The Importance of Secure Software
Pymnts.com reported that PCI Security Standards Council General Manager Stephen Orfei emphasized the importance of using secure software and ensuring proper installation and maintenance as a crucial aspect of safeguarding payments.
And of course too many merchants – especially those without the kind of help offered by AVPS – don’t actually keep up with the security standards already in place, never mind maintain them, which has led to many of the more notorious breaches we’ve reported on here.
Protecting Your Customers’ Data
Regardless of how the tug-of-war in Washington plays out, your customers still need their data protected: be sure you’ve upgraded your POS systems, moved to EMV for in-person purchases, and done whatever overall review you need with your AVPS Rep, so you are ready for the busy summer season, and the busier back-to-school and holiday seasons after that!