Council Publishes Guidelines for Securing Customer Data Online

Will address credit card and payment information

The PCI Security Standards Council this week announced plans to issue new guidelines that it hopes will give developers of payment applications, and the security assessors who review them, a clear direction when it comes to assessing the risks around customer and vendor data, most notably credit card and payment information.

The council will roll out version 1.1 of the Payment Application Data Security Standard (PA-DSS), a specific set of requirements intended to serve as a roadmap for third-party application developers producing secure payment software.

Such checklists and criteria were originally under the purview of Visa Inc. through its Payment Application Best Practices (PABP) program. In 2007 the PCI Council said it would study bringing those procedures under its own umbrella.

The goal, according to a council press release issued during the week, is to "help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the payment card industry security standards."
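As an added example of what the "do not store prohibited data" requirement means in practice (this is the editor's illustration, not code from the PCI SSC or from anyone quoted in the article), the following Python scans persisted records for the items the release names, full track 1 and track 2 data, card verification values and PIN blocks, and shows the form a record may take after authorization. The track layouts are the public ISO/IEC 7813 formats; the log field names (pan=, track1=, cvv2=, pinblock=) and the sample lines are constructed assumptions.

```python
"""
Scan persisted payment data for what PA-DSS forbids an application to store.

Added example, not PCI SSC material or the article's own content.
Track layouts follow the public ISO/IEC 7813 formats; the log field names
(pan=, track1=, cvv2=, pinblock=) and all sample lines are constructed assumptions.
"""
import re

# Track 1 begins with the start sentinel % and format code B, then PAN, ^, name, ^,
# YYMM expiry, 3-digit service code, discretionary data and the end sentinel ?.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 begins with ;, then PAN, =, YYMM expiry, service code, discretionary data, ?.
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Card verification values and PIN blocks under assumed field names.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)=(\d{3,4})\b", re.IGNORECASE)
PINBLOCK_RE = re.compile(r"\bpinblock=([0-9A-F]{16})\b", re.IGNORECASE)
# A bare 13-19 digit run not embedded in a longer number: a PAN candidate.
DIGIT_RUN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample lines, as a careless application might write them to a log.
# 4111111111111111 is the well-known Visa test PAN.
SAMPLE_LINES = [
    "2008-04-15 10:01:02 auth ok pan=4111111111111111 amt=12.50",
    "2008-04-15 10:01:03 track2=;4111111111111111=25121010000000000?",
    "2008-04-15 10:01:04 track1=%B4111111111111111^DOE/JOHN^25121010000000000000?",
    "2008-04-15 10:01:05 cvv2=123 pinblock=A1B2C3D4E5F60718",
    "2008-04-15 10:01:06 auth ok pan=411111******1111 amt=9.99",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to filter PAN candidates from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_prohibited(line: str) -> list[tuple[str, str]]:
    """Return (kind, matched_text) for every prohibited item on one line.

    Track data is matched and blanked first so the PAN inside it is not
    reported twice and its discretionary digits are not mistaken for a PAN.
    """
    findings: list[tuple[str, str]] = []
    rest = line
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE),
                     ("cvv", CVV_RE), ("pinblock", PINBLOCK_RE)):
        findings.extend((kind, m.group(0)) for m in rx.finditer(rest))
        rest = rx.sub(" ", rest)
    # A cleartext PAN is not sensitive authentication data, but PCI DSS only
    # allows it to be stored rendered unreadable, so flag it separately.
    for m in DIGIT_RUN_RE.finditer(rest):
        if luhn_ok(m.group(0)):
            findings.append(("pan", m.group(0)))
    return findings


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, kind) for every finding, in file order."""
    return [(n, kind) for n, line in enumerate(lines, 1)
            for kind, _ in find_prohibited(line)]


def mask_pan(pan: str) -> str:
    """PCI DSS permits at most the first six and last four digits in the clear."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_record(track2: str) -> dict[str, str]:
    """What an application may keep after authorization: masked PAN and expiry.

    The full track, service code and discretionary data are discarded.
    """
    m = TRACK2_RE.fullmatch(track2)
    if not m:
        raise ValueError("not a track 2 string")
    pan = m.group(1)
    exp = track2[m.end(1) + 1: m.end(1) + 5]   # the YYMM right after '='
    return {"pan_masked": mask_pan(pan), "exp": exp}


if __name__ == "__main__":
    for n, kind in scan(SAMPLE_LINES):
        print(f"line {n}: {kind}")
    print(safe_record(";4111111111111111=25121010000000000?"))
```

A scanner of this shape is what an assessor runs over logs, databases, swap and crash dumps; a Luhn-valid digit run is only a candidate and needs a human look, but any track, CVV or PIN-block hit is a finding on its own. Note that the fifth sample line, with the PAN already masked to first six and last four, produces nothing.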

In a phone interview with Redmondmag.com late in the week, PCI Council spokesman Glenn Boyet emphasized that though the word "compliance" is often used, the Boston-based, non-profit council is not an enforcement agency, and that the "readiness" of application developers, and of the security assessors who audit their systems, would ultimately be determined by the card companies.

"I think it's pretty straightforward in the sense that we're looking at ways to condense information on viable payment applications and security assessors," Boyet said.

The PCI Council will issue further guidance in the form of a white paper slated for release in May. The white paper, according to the PCI Council's Web site, will cover a range of topics, including specific requirements for payment application security and how PCI Council-certified "payment application security assessors" will be named through an accreditation process.

Still, the prospect of a list of "approved" payment applications or "certified" assessors raises more questions than answers, chief among them: how fair is it for the privately owned card companies to pick selected vendors, or to "validate" the payment applications that retail merchants or any other business accepting payment cards must use, on the basis of the council's criteria?

Michael Weider, director of security products at IBM Rational, a Qualified Security Assessor (QSA) for merchants and third-party payment processors, said security environments might be sounder with an objective party setting the rules, such as a regulatory body not motivated by profit or by whichever way the market happens to be blowing.

"I appreciate what the council is trying to do given what they're working with. I think right now their goal is trying to balance the goal of security with the annoyance of cost," Weider said. "It's a situation where if standards are too onerous, no one's happy. But if it's not stringent enough, there's no viable infrastructure."

Weider added that the degree of difficulty in choosing vendors and maintaining data integrity will continue to vary by industry.

"In financial services, it's a very tight ship, with all types of controls over all aspects of processing," he said. "In retail, which has been notoriously bad, there are entirely different sets of issues. I think that diversity presents the biggest challenge."

Thus what is essentially a concept release from the PCI Council, rather than a concrete set of rules, comes at a crucial time for the payment card industry and the IT pros charged with administering security over critical systems and data.

Last month, attackers compromised the payment systems of Maine-based grocery chain Hannaford Bros. and stole some 4.2 million payment card records, a breach that has so far led to an estimated 1,800 cases of known fraud. Hannaford said the card data was intercepted in transit during authorization rather than taken from stored records, a reminder that forbidding an application to store sensitive authentication data does not by itself protect card data while it is in flight.

Despite some misgivings about who is doling out certifications and enforcement, Steve Sahl, chief executive of Ramsey, Minn.-based security consulting firm The Barrier Group, said that right now the PCI Council and the enforcing card companies are the only game in town, and merchants need to either deal with it or not accept credit cards, which, these days, is not a smart option.

"The merchant's greatest asset -- his market reputation -- is at stake," Sahl said. "As it stands, merchants must recognize that there is no greater duty than to protect customer data no matter what the guidelines or self-assessments are. His business is truly dependent upon it."

-- Jabulani Leffall