New Credit Card Security Rules

Following the very public credit-card-related security breaches of last year, a Payment Card Industry data security standard (developed by MasterCard and VISA) was put into place, and companies were required to comply by June 2005. This summer, that security standard will receive an update, and some of the changes worry me a little.

Originally, companies only needed to scan their networks for vulnerabilities and verify that there were no security holes. This requirement has been bolstered by an additional requirement that companies scan the payment software applications too, by 2008. This is a plus.

One change that worries me is that the PCI will now permit different ways of protecting your information, other than encryption. Originally, all your data would be encrypted, so if a thief were to steal a laptop, the information would be safe. Now, the PCI will let companies use other methods of protecting your information, such as firewalls. So, if someone cracked the laptop or breached the firewall, it’d be Christmas for them. This is a very, very bad idea.

The only “defense” the proponents of the weaker encryption rules offer is that older machines sometimes can’t handle the encryption. I think the credit industry makes enough money from the billions and billions of transactions that they could replace older machines with ones that can handle something as mundane as encrypted data. (Or the government should fine them whenever a breach occurs so that it’s financially correct to use encryption; either way is fine.) That’s a pathetic reason to remove something as simple as encryption.

via news.com.

Comments

What machine in the world can run a firewall but can’t do a little encryption??? Sorry, credit card companies, lame excuse. Try again!

There is some confusion here. I’ve been trying to type a comment to correct this but can’t figure out how to explain it.
It’s not simply a matter of Visa (etc.) being too lazy to encrypt data.

Credit card data is not kept on laptops. If by some chance some moron is it’s in violation of the rules whether or not it’s encrypted.

The whole CardSystems fiasco was the result of a third party storing information they weren’t supposed to… and then of course there was this story last year of how 80,000 DOJ workers’ credit card info was stolen (that prompted the stolen laptop comment).

Copyright © 2005-2008 by JW Enterprise. All rights reserved.