Sunday, April 22, 2007

First Data security chief calls for changes in security standard

See this article in the information security news, linked here, which outlines the following:
First Data is having a hard time becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS). First Data has spent a considerable amount of money on compliance initiatives to lock down its systems against hackers trying to gain access to the constant stream of credit card data that passes through the company's massive systems. Mr Mellinger of First Data calls it an uphill battle, since attacker methods are growing in sophistication and attacks come in so many forms.

Deadlines have been set for merchants to prove compliance by the end of the year. But so far, industry estimates show that more than 60% of merchants fail to meet the current standards. Thus Mellinger, who developed the precursor to the current PCI DSS rules, is calling for an overhaul to eliminate subjectivity and ease restrictions so that more merchants can meet the standard. "I would rather they set the bar lower and then raise it once more merchants have complied," Mellinger said. "The more people we can get compliant, the better off we are."

Mellinger is also calling for a PCI DSS status directory in which compliant merchants and processors are publicly listed. Opponents say such a directory could be used by hackers to find vulnerable (non-listed) companies to attack. But Mellinger insists that it would reward businesses that are compliant and push others to move faster on their compliance projects.

Well, life ain't always easy if you want to move transactions around. I think some day we will look back on this and actually be astonished by how we did it old-school style (with hardly any protection at all).