The PCI Security Standards Council is reviewing this year how it can better clarify the scope of the Payment Card Industry Data Security Standard to make it easier for merchants to comply with it, the organization says.
“The goal of refining the scope of PCI-DSS applies to specific environments like wireless and point-of-sale environments,” says Bob Russo, general manager of the council. “The council is actually looking at how to limit PCI-DSS scope as it pertains to payment environments, because in the past it has been confusing for retailers on what aspects of their I.T. environment need to be constantly monitored and reviewed to be PCI-compliant and secure. The council is looking to make the requirements for compliance less time-intensive and easier to follow.”
The PCI Security Standards Council is a payments industry organization charged with managing and promoting understanding of the PCI Data Security Standard, which is a set of standards for protecting payment card account data in company computer networks. The council was founded by payment card companies Visa Inc., MasterCard Worldwide Inc., American Express Co., Discover Financial Services and JCB International. Merchants that fail to abide by the standards are subject to fines if their stored payment card data is hacked or compromised.
The council will also be considering feedback on PCI-DSS it has been gathering from council members since last November, and it will release the next iteration of security standards in October.
Among areas the council will study in depth this year for their effect on payment data security are wireless network environments. Hacker Albert Gonzalez, recently sentenced to 20 years in prison for allegedly stealing tens of millions of credit and debit card numbers from retailers, gained access to retailers’ networks containing the payment card data through wireless networks in stores, authorities say.
The PCI council is also studying security issues related to software applications running on remote servers, the organization says. “Companies must determine the risk associated with running machines and software applications on servers in remote locations,” Russo says. “The PCI Security Standards Council’s virtualization special interest group is looking to address the challenges and issues associated with virtualization and PCI compliance.”
The council will also be reviewing emerging technologies like tokenization, which enables merchants to keep customer account data off their own infrastructure in secured third-party data centers.
In addition, it will emphasize that merchants need to follow layered security practices to be compliant with PCI-DSS. An example of a layered security strategy is a merchant that implements firewall technology and anti-virus software and has a system that monitors and logs all payment activity, as well as the individuals who have accessed payment network programs and data, a council spokeswoman says.