Criminals also obtained the associated expiration dates, giving thieves the information they would need to make an online purchase on some e-commerce sites. E-retailers ...
New data-protection standard should require outside auditors
The joint data storage protection standards of MasterCard, Visa, American Express, and Discover should require outside auditors to validate whether medium- to large-size merchants are in compliance.
The joint data storage protection standards of MasterCard, Visa, American Express, and Discover should require outside auditors to validate whether medium- to large-size merchants are in compliance, says Ivan Remsik, senior analyst at Forrester Research Inc.
The combined standards-the Payment Card Industry Data Security Standard, or PCI-outline what steps online merchants must take to protect customers’ confidential data, including credit card account numbers. Merchant acquirers and service providers that store, process or transmit cardholder data also must meet the standard.
The deadline for complying with the standards was June 30.
Under the standard, merchants must validate compliance either through internal or external audits of their data security. But Remsik says that most mid-size to large merchants don’t have internal auditors with the expertise needed to determine if a security system is in compliance. He notes that there are over 175 areas and 200 assessment tasks that the security assessor needs to review, including line by line inspection of coding.
“Our message to clients is leave it to the professionals,” Remsik says. “This is really a very specialized activity, and we just don’t think that internal staff would have the necessary knowledge to identify those security flaws. The risk is that certain areas just would not be looked at.”
PCI’s requirements include building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, monitoring and testing networks and maintaining an information security policy.