E-Commerce News

eCommerce PCI security standards completely revised

Nov. 1, 2010


Due to come into full force in January 2011, the revised versions of the Payment Card Industry (PCI)'s major Internet security standards were published on Oct. 28th, following more than five months of complex negotiations at many levels.

Overall, the PCI DSS version 2.0 standard, which specifies the core security rules under which eCommerce merchants and banks are supposed to process all credit card transactions, contains only minor revisions to what is now a well-established set of minimum best-practice standards for managing ecommerce operations securely.

The revised guidelines call for a greater reliance on a risk-based approach for addressing security vulnerabilities, rather than a broad "eyes shut" adherence to the letter of the basic law. The latest version of the standard also brings together application and data security standard guidelines and attempts to simplify the process of overall compliance for small merchants and eTailers.

Despite the many changes, Internet security experts around the world maintain that the new PCI standards remain focused mainly on small businesses.

And that remains a big problem that simply cannot be ignored. Small eCommerce merchants are still forced either to adopt the standards or to accept higher card processing fees, tougher fines and, for continual non-compliance, the complete withdrawal of their ability to take e-commerce payments.

The opinions of ecommerce merchants, eTailers, banks, payment processors and suppliers were fully taken into consideration in developing the revised PCI DSS 2.0 standards, which tie together the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) standards.

Other measures include increased support for a risk-based approach to security vulnerability remediation, as well as an increased emphasis on initially scoping the physical locations where cardholder data actually resides before applying the revised PCI regulations.

The PCI Security Standards Council characterises the changes as "relatively minor revisions" to a "mature standard". The PCI Security Standards Council has also set up a micro-site designed to help small merchants to reach compliance.

The overall promotion of more effective log management is also on the agenda, along with more detailed standards for the secure coding of custom-built ecommerce applications.

But Stuart Okin, U.K. managing director of security consulting firm Comsec, said that "confusion reigns" in the PCI marketplace. He says this is partly because interpretation of the newly revised PCI rules differs between the U.S. and Europe, but also because Visa and Mastercard are out of sync with each other, a point supported by other industry observers and by a few banks.

Gary Palgon, vice president of product management at tokenisation technology provider Nu Bridges, criticized the card brands for continuing to use their "own, independent standards for PCI compliance" instead of "conforming exclusively to PCI SSC-derived framework throughout the industry".

Palgon said "Having a universal, singular standards set is paramount for easing compliance requirements and reducing complexity for ecommerce merchants and service providers alike."

Additionally, other vendors welcomed the revised standards' recognition of the increased use of virtualisation and cloud-based technologies. Sumedh Thakar, director of engineering at vulnerability assessment firm Qualys, welcomed this attempt to align payment industry security standards with 21st century IT infrastructure realities.

Thakar says, "The newly revised PCI standards weren't keeping pace with advances in technology today, especially the use of virtualisation in a cardholder data environment. The existing standards talk about the notion of having 'one primary function per server'. In a virtualised environment, this becomes a problem because the environment can be pretty dynamic and you could have virtual servers with different primary functions, like Web servers, email servers and database servers, all on the same physical server, which would be a violation of the newly revised rules."

Rafe Pilling, PCI Consultant at SecureWorks, agreed that the approach to virtualisation in the e-commerce regulations remains somewhat unclear and confusing at best.

Pilling said, "Although there are no groundbreaking changes to PCI DSS 2.0, there still have been some clarifications made to the standards and some developments on how companies using virtualisation must comply with the PCI Data Security Standard (DSS)."

Ecommerce merchants sometimes hold back from introducing virtualisation technology in their PCI environments for fear of being deemed non-compliant, according to Qualys. The revised regulations remove that uncertainty but are likely to have a knock-on effect on other requirements, such as firewalls, pen testing and security vulnerability scans, which needs to be factored into testing regimes.

"But companies looking for clear guidance on storing PCI and non-PCI systems in a virtualised environment might be very disappointed, as the boundaries are not clearly defined and leave a lot to be desired."

The previous version (1.2.1) of the PCI DSS guidelines was released in July of last year. The council has now settled on a three-year release cycle, which means that PCI DSS 3.0 can be expected in October 2013 at the very latest.

Merchants have the choice of applying either version 1.2.1 or 2.0 throughout 2011 before the older standard is phased out at the end of 2011 and version 2.0 becomes the only game in town for now.

Log management and regulatory compliance specialist LogRhythm notes that many organizations have yet to meet the PCI SSC's previous recommendations. A survey by Redshift Research back in March revealed that only eleven per cent of U.K. organizations were PCI DSS compliant, an observation LogRhythm holds true even after September's PCI compliance deadline for level one merchants.

"Some of the anticipated changes by the PCI SSC can't come too soon," said Ross Brewer, vice president and division manager of international markets at LogRhythm.

"Reports reveal some rather high rates of non-compliance, a fact often viewed as a reflection of the lack of clarity which has negatively affected the standard in the past. Guidance on virtualisation and the alignment between PCI DSS and the Payment Application Data Security Standard will also be welcome, while the evolving requirement for centralised logging of payment transactions is a definite plus for the ecommerce industry as a whole."

Brewer added that multiple complaints about the clarity of PCI DSS are nothing new and sit alongside much broader compliance and security issues many companies face today.

Source: ECNT.
