New Credit Card Security Rules

Following the very public credit-card security breaches of last year, the Payment Card Industry data security standard [3] (developed by MasterCard and VISA) went into effect, and companies were required to comply by June 2005. This summer the standard will receive an update, and some of the changes worry me a little.

Originally, companies only had to scan their networks for vulnerabilities and confirm that no known holes remained. The update adds a requirement that the payment applications themselves be reviewed for security flaws, with compliance due by 2008. This is a plus.

One change that worries me is that the PCI standard will now permit ways of protecting your information other than encryption. Originally all stored card data had to be encrypted, so if a thief stole a laptop the information on it would be useless to them. Now the PCI will let companies substitute other controls, such as firewalls, for encryption. Those controls guard the path to the data, not the data itself: if someone walks off with the laptop or breaches the firewall, the card numbers are sitting there in the clear and it’d be Christmas for them. This is a very, very bad idea.
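To make the difference concrete, here is an added example (my own illustration, not code from the original post or from the PCI standard) of the two ways a merchant might keep a card number on that laptop. The card number is a constructed test value, the encryption key is generated in-process for the demo, and the assumption is that in a real deployment the key lives in a separate key store rather than on the same disk. AES-256-GCM is used because it is in Go's standard library; the standard itself only says "strong cryptography".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// EncryptPAN renders a primary account number (PAN) unreadable at rest with
// AES-256-GCM. The key is assumed to live outside the data store (an HSM or
// key-management service); the stored record is nonce || ciphertext || tag.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so one blob goes to storage.
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN recovers the PAN from a stored record. A wrong key or a tampered
// record fails GCM authentication and returns an error rather than garbage.
func DecryptPAN(key, record []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(record) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN is the truncation alternative: keep at most the first six and last
// four digits, which is all a receipt or a support screen needs.
func MaskPAN(pan string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and dashes
	}, pan)
	if len(digits) <= 10 {
		return strings.Repeat("*", len(digits))
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// LeaksPAN models what a thief who walks off with the laptop sees: they have
// the data store but not the key, so the only question is whether the PAN
// appears in the stored bytes.
func LeaksPAN(record []byte, pan string) bool {
	return bytes.Contains(record, []byte(pan))
}

func main() {
	pan := "4111111111111111" // constructed test number, not a real card
	key := make([]byte, 32)   // demo key; in production it never sits beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	plaintextRecord := []byte("customer=42;pan=" + pan) // the "firewall only" store
	encryptedRecord, err := EncryptPAN(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("masked for display:   ", MaskPAN(pan))
	fmt.Println("plaintext store leaks:", LeaksPAN(plaintextRecord, pan))
	fmt.Println("encrypted store leaks:", LeaksPAN(encryptedRecord, pan))
	if got, err := DecryptPAN(key, encryptedRecord); err == nil {
		fmt.Println("with key:             ", got)
	}
	if _, err := DecryptPAN(make([]byte, 32), encryptedRecord); err != nil {
		fmt.Println("without key:          ", err)
	}
}
```

The point of `LeaksPAN` is that a firewall changes nothing about what is on the disk: once the laptop is gone, the plaintext record hands over the card number and the encrypted record hands over nothing usable without the key. The `DecryptPAN` failure on a wrong key is also why the key must not be stored next to the data; encrypt-at-rest with the key on the same disk is the same as no encryption.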

The only “defense” the proponents of the weaker encryption rules offer is that older machines sometimes can’t handle the encryption. I think the credit industry makes enough money from the billions and billions of transactions that they could replace older machines with ones that can handle something as mundane as encrypted data. (Or the government should fine them whenever a breach occurs so that it’s financially correct to use encryption; either way is fine.) That’s a pathetic reason to remove something as simple as encryption.

