Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.
The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.
The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application-level attacks," Maxwell said.
Anyone have a pointer to specific details about the upcoming changes?
The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities[...]
The current PCI scans I've seen already attempt general web application intrusion attacks. What does it really mean to target the scans to payment software? Will they be tailored to your specific shopping cart vendor? What if you're using an open source cart? With downloaded modules or customization? Or all-custom code?
The vague statement in the article is alarming. We've already spent a huge amount on development of a custom e-commerce payment system. Will we now have to spend even more to have that application custom-scanned for vulnerabilities? Or worse, code-audited? Scary.