
December 23, 2010

PCI DSS 2.0 security standards concerns raised


by Brian Turner

Concerns have been raised that online businesses are not well enough prepared for PCI DSS compliance, which aims to protect customer banking data.

It comes after news that New York-based travel firm CitySights had its website hacked by a SQL injection attack, allowing unauthorised access to 110,000 customers’ banking details.

The hacker launched the attack over a three-week period, and was able to obtain customer credit card details, including account number, expiration date and CVV2, as well as other personally identifying information such as home and email addresses.
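The attack described above works because a web application pastes user-supplied text straight into its SQL statement. The following is an added example, not code from the article or from CitySights: a constructed in-memory customer table with two sample rows, a lookup written by string concatenation beside the same lookup written with a bound parameter. The test input is the classic single-quote tautology; the parameterised version treats it as an ordinary (non-matching) email string, which is the control an auditor would expect to see.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed demo table standing in for a booking site's customer store.

    The rows are sample data, not anything from the CitySights breach.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: the caller's value becomes part of the SQL text.

    A quote character in `email` therefore changes the statement's
    structure instead of being compared as data.
    """
    sql = "SELECT email, pan_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the value travels to the driver separately from the statement.

    Whatever `email` contains, it can only ever be compared as one string
    literal against the column; it cannot add clauses to the query.
    """
    sql = "SELECT email, pan_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input a tester would use to confirm the bug
    print("concatenated query returned", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterised query returned", len(lookup_parameterized(db, probe)), "rows")
```

Running the block shows the concatenated version returning every customer row for the probe string while the parameterised version returns none. The same distinction applies to every database driver: placeholders (`?`, `%s`, `:name`) are the mechanism, and a code review that greps for string concatenation or f-strings feeding `execute()` is the cheapest way to find the first form.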

Amichai Shulman, chief technology officer for Imperva, investigated the attack on CitySights, and found an Indonesian hacker’s blog listing numerous websites vulnerable to attack, including the site of CitySights.

Shulman’s security team has suggested that CitySights could likely be in breach of PCI DSS.

PCI DSS is a security standard required by the major credit card companies, not least Visa and Mastercard, which mandates security controls to prevent the storage of unencrypted credit card data.

It also demands that credit card data is broken up and stored separately, to make it harder for an attacker to collect both credit card numbers and CVV2 (the three digits on the back of the card) at the same time.
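To make the storage requirement concrete, here is an added example of a record-building routine for a merchant database; it is not code from the article, from CitySights or from the PCI Security Standards Council. It keeps only a masked PAN (first six and last four digits) plus a keyed-hash token for lookups, and it drops the CVV2 entirely rather than merely storing it apart from the card number. That goes one step past the article's wording: PCI DSS Requirement 3.2 prohibits retaining sensitive authentication data such as CVV2 after authorisation at all. The HMAC token is a standard-library stand-in for the encrypted PAN the standard actually calls for (an assumption made so the block runs without third-party crypto); the key and the 4111 test card number are constructed values.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo key. In production the key comes from a key-management
# system and is never embedded in source.
TOKEN_KEY = b"demo-key-not-for-production"

# Sensitive authentication data that must never reach persistent storage.
FORBIDDEN_FIELDS = {"cvv2", "cvv", "cvc", "track_data", "pin"}


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows on display."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN length out of range")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN, used here in place of encryption (assumption).

    It lets the merchant match a returning card without holding the number;
    base64 output avoids long digit runs that would look like a card number.
    """
    mac = hmac.new(TOKEN_KEY, _digits(pan).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to tell a card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def build_stored_record(form: dict) -> dict:
    """Turn a payment form into the only fields the merchant may keep.

    The raw PAN and every forbidden field are consumed by the authorisation
    call and deliberately not copied into the record.
    """
    return {
        "email": form["email"],
        "expiry": form["expiry"],
        "pan_masked": mask_pan(form["pan"]),
        "pan_token": pan_token(form["pan"]),
    }


def record_is_compliant(record: dict) -> bool:
    """Storage-side check: no forbidden keys and no Luhn-valid 13-19 digit run."""
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            return False
        flattened = re.sub(r"[ -]", "", str(value))
        for run in re.findall(r"\d{13,19}", flattened):
            if luhn_valid(run):
                return False
    return True


if __name__ == "__main__":
    # Constructed form submission using the standard 4111... test card number.
    form = {"email": "alice@example.com", "pan": "4111 1111 1111 1111",
            "expiry": "12/27", "cvv2": "123"}
    rec = build_stored_record(form)
    print(rec["pan_masked"], "compliant:", record_is_compliant(rec))
    print("raw form compliant:", record_is_compliant(form))
```

The `record_is_compliant` check is the piece worth reusing: run over a database dump or a log sample, it flags any value that still carries a Luhn-valid card number, which is how an assessor would spot unencrypted PANs that a developer assumed were never written down.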

Meanwhile, research by Infosecurity Europe has revealed that 30% of IT managers and directors with major UK retailers remain unaware, or only partially aware, of PCI DSS compliance regulation.

Only 36.2 per cent of respondents to the survey knew that PCI DSS 2.0 includes significant changes regarding an organisation’s network architecture and virtualisation.

According to Claire Sellick, event director with Infosecurity Europe, “What we have from the results of this LogLogic poll is that some of the IT managers with the largest retailers in the UK (i.e. those with more than 50 outlets) just don’t ‘get’ what the PCI DSS 2.0 is all about, or the potential serious repercussions to their business of not being able to pass an audit. If anyone should know about the issues involved, then it should be them.”

“The fact that the majority of them are doing their jobs, apparently blissfully unaware of the security requirements of the PCI Security Standard Council’s rules as regards their IT architecture, is of phenomenal concern,” she added.

The provisions of PCI DSS 2.0 mean that an organisation that cannot demonstrate to an auditor from the PCI Security Standards Council that it is operating within the rules could find itself unable to accept debit and credit cards for online payments.

1 Comment »
  1. I think the reason why the percentage is alarming is because PCI DSS is not being enforced properly. The PCI Council is assuming that everybody will be aware of the Regulation through the acquirers or other organizations.
    I can give a very good example; I work in the independent retail industry and have supported at least 1000 stores across the nation. It’s very sad to know that every person you talk to who’s supposed to educate the retailers has a different interpretation of what PCI DSS is really all about. Not to mention the reaction I get from retailers every time I try to educate them about PCI DSS.
    It’s also sad to say that out of 1000 independent retailers that I have dealt with, none of them, as in NONE, is even close to heading in the direction of the PCI DSS Regulation. Unfortunately, the way they respond is “Well, I don’t think we’re going to get hit since we’re small,” or “Well, I’ll wait until I am asked to do it by PCI or until something happens to their next-door neighbor.”
    It’s sad, it really is… I think PCI DSS has to hit every single merchant who’s taking electronic payments with at least a validation check to see if they’re in the process of becoming compliant. I think companies that provide solutions to or deal with any merchant should be included in the regulations.

    Comment by Russell — December 23, 2010 @ 10:07 pm
