Well it’s about time! After thefts at CardSystems Solutions and OfficeMax netted credit card data on tens of millions of U.S. cardholders, the payment card industry will be taking a tougher stance on companies that hoard magnetic-strip data on their systems and will strengthen requirements around application security, according to sources familiar with the industry’s plans.
Credit card companies Visa and MasterCard will push large merchants to verify that they do not store magnetic-strip, or “track”, data, and will encourage ISVs to fix payment applications that do store the data, said Martin Elliott, director of corporate risk and compliance at Visa. The industry is also gearing up for changes to its PCI security standard that include application security testing, according to interviews by InfoWorld.
Track data has been the icing on the cake of recent credit card hacks, including the theft of data on tens of millions of Visa and MasterCard members from CardSystems in June 2005. The data is also believed to have been netted in a hack of OfficeMax in December that spawned a rash of card forgeries and debit card reissues.
Track data from magnetic strips isn’t necessary to process credit card transactions but is valuable to hackers and identity thieves because it can be used to make counterfeit cards, said Avivah Litan, an analyst at Gartner.
The data is often automatically saved by payment applications because developers assumed it was needed. In fact, many merchants may be unaware that their payment applications collect and cache the track data, leaving the data unprotected while giving the merchant a misplaced sense of security, Visa’s Elliott said.
The payment card industry will talk directly with ISVs to make sure that they follow best practices and discard the captured track data, Elliott said.
According to Litan and others, the PCI standard will also change to reinforce application security. A section on vulnerability management will be amended to require merchants to protect against application-level attacks such as SQL injection and cross-site scripting attacks using application-firewalls and, possibly, application code scans.
One year after PCI took effect, just 20 percent of level-one merchants, which process 6 million or more credit card transactions a year, are PCI-compliant. More than half have submitted a report and are working on issues that are preventing compliance. With better guidance, Visa’s Elliott hopes that as many as two-thirds of level-one merchants could satisfy the PCI requirements by the end of 2006.
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect businesscritical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »