Retail lobby offers alternative to PCI standard

By Dan Kaplan
Oct 8, 2007 10:20 AM
In a letter to Bob Russo, general manager of the PCI Security Standards Council, the chief information officer of the National Retail Federation said that parts of the PCI standard are necessary only because credit card companies require merchants to store card numbers for retrieval requests, such as returns or chargebacks.

"We believe the time has come to rethink the assumptions behind PCI," CIO David Hogan wrote in the letter. "Let me be clear. All of us – merchants, banks, credit card companies and our customers – want to eliminate credit card fraud. But if the goal is to make credit card data less vulnerable, the ultimate solution is to stop requiring merchants to store data in the first place."

The PCI Data Security Standard is a 12-step process for securing cardholder data. Requirements include encryption, access controls, monitoring and testing systems and processes for vulnerabilities.

Hogan proposed a plan in which credit card companies would allow merchants to store only authorisation codes and a truncated, or shortened, receipt of the sale, rather than the full card number. This would save merchants the time and money associated with complex requirements such as encryption.

"The authorisation code would provide proof that a valid transaction had taken place and been approved by the credit card company, and the sales receipt would provide validation for returns or proof of purchase," the letter said. "Neither would contain the full account number and would therefore be of no value to a potential thief."
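The retention model Hogan describes, as an added worked example (not code from the article or from the NRF): a merchant keeps only the authorisation code and the last four digits of the card number, and a Luhn-based scan checks stored data for any full card number that slipped through. The card number, authorisation code and record layout are constructed sample values.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 consecutive digits (constructed heuristic, not a PCI rule).
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, which real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class RetainedRecord:
    """What the merchant keeps: no full account number anywhere."""
    auth_code: str
    pan_last4: str
    amount_cents: int
    timestamp: str


def build_retained_record(pan: str, auth_code: str, amount_cents: int,
                          timestamp: str) -> RetainedRecord:
    """Reduce a completed authorisation to the truncated receipt."""
    pan_digits = pan.replace(" ", "")
    if not (pan_digits.isdigit() and 13 <= len(pan_digits) <= 19
            and luhn_valid(pan_digits)):
        raise ValueError("input does not look like a card number")
    return RetainedRecord(auth_code, pan_digits[-4:], amount_cents, timestamp)


def serialize(rec: RetainedRecord) -> str:
    """Constructed on-disk line format for the retained record."""
    return (f"auth={rec.auth_code} last4={rec.pan_last4} "
            f"amount={rec.amount_cents} ts={rec.timestamp}")


def find_stored_pans(text: str) -> list[str]:
    """Scan stored data for strings that look like a full, Luhn-valid PAN."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]
```

Running the scan over legacy records that still carry the full number returns hits; running it over serialized RetainedRecord lines returns nothing.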

Hogan said that when he proposed his idea a few months ago, he received a "noncommittal" response from a major credit card company, which he would not name.

Hogan said that even the basic account number – which is permitted to be stored under PCI, but must be protected by encryption – can lead to identity theft.

"You get rid of that, the incentive to hack almost disappears overnight," he said. "We're just trying to come up with a different model to protect the consumer. If I have a question about a particular charge, that should be between me and the credit card issuer."

The PCI Security Standards Council, in a statement, said Hogan "should be directing his concerns to those individual [payment] brands," but that the organisation planned a response.

Secure Computing Magazine