In the wake of headline-grabbing thefts of confidential data from large retail and financial institutions during 2008, the Payment Card Industry (PCI) Security Standards Council (founded by industry leaders such as American Express, Visa and MasterCard) has revisited the Data Security Standard (DSS) established in 2007. Its findings have produced new, tougher guidelines: standards that will require many businesses, large and small, engaged in e-commerce to make additional investments in their data protection systems.
Spurred by the need to shore up security and bolster consumer confidence in Web-based business transactions, the new measures, Version 1.2, will kick in after the first quarter of 2009 and will affect any company that handles e-commerce transactions. Compliance with the PCI standards will be virtually mandatory, because the large credit card companies will require all merchants and businesses that process, store or transmit payment data on behalf of their cardholders to comply with the tougher PCI data security standards. In other words, if you want to continue to do e-business with the card companies, you will need to meet the standards they set.
It is important that small business owners review the PCI Security Standards Council's Version 1.2 requirements carefully, seeking the help of outsourced technical experts if needed, to make sure their systems are in line with the tougher specifications. Here is an overview of the changes:
- The Standards Council has defined and clarified what the "strong cryptography" referenced, but not defined, in its earlier Version 1.1 should be. The 2009 standards define the required cryptography as "Triple-DES 128-bit" or AES 256-bit encryption.
- Businesses will be expected to use application-level firewalls to protect all public-facing Web applications. The interval for scheduled reviews of firewall rules will change from every 90 days to every 180 days.
- Not surprisingly, wireless connections were scrutinized carefully, and their security requirements were significantly enhanced in the new Data Security Standard Version 1.2. After March 31, 2009, new security implementations using WEP will not be sanctioned, and companies currently using WEP will have until June 30, 2009 to upgrade to stronger encryption. In place of WEP, the Standards Council wants to see wireless transmissions protected by systems that meet or exceed the IEEE 802.1x standard.
Security threats to online transactions will continue to evolve. The money involved in making technology upgrades pales in significance next to the cost of making restitution for stolen customer data, and the loss of public confidence in Web-based businesses. Today's merchants have no option but to keep current and stay one step ahead of the data thieves.