homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Visit PubCon.com
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

Credit card security rules to get update

 3:24 pm on May 16, 2006 (gmt 0)

Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application-level attacks," Maxwell said.

Credit card security rules to get update [news.com.com]



 5:43 pm on May 16, 2006 (gmt 0)

This has been an issue for some time but I didn't expect any definitive dates to be set on the release of new standards. Frankly, I still don't take too much stock in the new data security standard.

I would have to agree with the statement
if you hack the system, you get the data

I can almost picture the drooling faces of those ill-intentioned individuals waiting to bang-away at their keyboards.


 8:49 pm on May 16, 2006 (gmt 0)

Anyone have a pointer to specific details about the upcoming changes?

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities[...]

The current PCI scans I've seen already attempt general web application intrusion attacks. What does it really mean to target the scans to payment software? Will they be tailored to your specific shopping cart vendor? What if you're using an open source cart? With downloaded modules or customization? Or all-custom code?

The vague statement in the article is alarming. We've already spent a huge amount on development of a custom ecommerce payment system- will we now have to spend even more to have that application custom-scanned for vunerabilities? Or worse, code-audited? Scary.

Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved