E-commerce smackdown as PCI standards revised Revisions of the Payment Card Industry's security standards, due to come into force in January, were published on Thursday following months of negotiations. The PCI DSS 2.0 standard, which specifies the "security rules" under which merchants and banks are supposed to process credit card transactions, contain only minor …
The previous version (1.2) was introduced in October 2008 - most people have been complaining that the obvious gaps (eg virtualisation) haven't been addressed before now.
The real problem with PCI-DSS is that it focuses too much on technology, ignoring Schneier's Dictum: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
"Reports show high rates of non-compliance
The fact that we take credit card payments but don't store the credit cards numbers utterly confused ePDQ's recommended PCIDSS consultant.
Also, is a person's name "personally identifiable information"? Ignoring the grammatical ambiguity, it obviously is BUT we're talking about credit cards here. It only matters if it's stored with a credit card number. Otherwise it's just normal data protection act stuff.
If the payment molochs would change the payment model so that the customer is guaranteed the merchant's wares and the merchant is guaranteed the customer's money without the burden of having to sit on very privacy sensitive data, they'd do something useful for the market for a change. So far they're just the middle men and yet another costly threat to privacy. These rules only make the whole excercise more costly, but don't do anything fundamental about the weaknesses inherent in the system.
Not finished reading in detail, but it looks like the new guidelines might make it possible to comply with PCI-DSS while running a IPv6 network. The old system used to mandate RFC1918 space - specifically RFC 1918, so you couldn't even use site-local space under IPv6.
The new 1.3.8 is a big improvement, you just have to not disclose private IP addresses and routing information.
The whole PCI thing is a total farce.
For a start, they don't make clear that if your site uses a remote payment gateway that is PCI-compliant (such as Paypal web site payments standard, SagePay VSP Form, etc.), then your site is effectively exempt from PCI compliance and you don't need a PA-DSS certified cart.
This is important because PA-DSS certified carts are expensive and so without a clear alternative to them, many small merchants simply hide rather than adopt a payment system which would exempt their site from PCI compliance, and make the card data safe (which surely is what the payment card industry claims to want?).
It is also farcical that the requirement for merchants who DO process or transmit card details to have a PA-DSS certified cart can be put aside if you use a 'custom built solution'. Think about that. If you use an off-the-shelf system built (presumably) by people with some professional experience, it has to be certified or you cannot use it. But if you build a half-arsed site yourself with all manner of schoolboy security errors, you're fine to use that without any specific testing on it.
The whole thing is a total self-defeating nonsense. They had an opportunity to encourage the bulk of smaller web stores into safer processing solutions, and failed spectacularly.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
