Credit card security rules to get update

3:24 pm on May 16, 2006 (gmt 0)

Administrator from GB 

joined:May 9, 2000
votes: 499

Proposed new security rules for credit card-accepting businesses will put more scrutiny on software, but let them off the hook on encryption.

The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said here Monday.

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. Currently, merchants are required to validate only that there are no security holes in their network. "There is an increase in application-level attacks," Maxwell said.

Credit card security rules to get update [news.com.com]

5:43 pm on May 16, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 19, 2004
votes: 0

This has been an issue for some time but I didn't expect any definitive dates to be set on the release of new standards. Frankly, I still don't take too much stock in the new data security standard.

I would have to agree with the statement

if you hack the system, you get the data

I can almost picture the drooling faces of those ill-intentioned individuals waiting to bang away at their keyboards.

8:49 pm on May 16, 2006 (gmt 0)

Full Member

10+ Year Member

joined:Mar 3, 2004
votes: 0

Anyone have a pointer to specific details about the upcoming changes?

The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities[...]

The current PCI scans I've seen already attempt general web application intrusion attacks. What does it really mean to target the scans to payment software? Will they be tailored to your specific shopping cart vendor? What if you're using an open source cart? With downloaded modules or customization? Or all-custom code?

The vague statement in the article is alarming. We've already spent a huge amount on development of a custom ecommerce payment system. Will we now have to spend even more to have that application custom-scanned for vulnerabilities? Or worse, code-audited? Scary.
