Last week the PCI council announced its new chairperson, along with plans for a new certification.
Alongside these announcements, the PCI Security Standards Council (PCI SSC) confirmed its key aims for 2012 as:
- Engaging the PCI community with new opportunities for participation and a dedicated period for collecting and sharing feedback
- Delivering guidance on ecommerce security, cloud computing and risk assessment through PCI SSC Special Interest Groups (SIGs)
- A continued focus on technologies that offer PCI-DSS scope reduction for merchants, including point-to-point encryption and tokenisation
- Expanding the current PCI SSC training programme to continue to increase payment card security expertise globally.
Perhaps a priority for the council should be to promote version two of its requirements. Initially announced in August 2010, the requirements only became apparent to many in January 2012, and as research showed, some respondents were completely unaware of the changes even then.
I spoke with Anthony Hall, IT manager of Move With Us, who was talking to SC Magazine along with security vendor Quarri Technologies, a provider of secure session software that prevents data being copied or printed from a browser and clears the cache at the end of a session.
In this instance, Hall said that credit card payments are taken and entered on the screen, so the solution secures the data and stops the employee from printing the screen. “We opened our eyes to the risk of loss and, while using Quarri, you can open another tab, so we have rolled it out to 45 of our 350 staff,” he said.
“From a personal point of view, compliance is something that we have got to be better at and, with regard to Quarri, we can say using it ticks boxes, but we do not replace anything with manual checks. By deploying Quarri, we have made a massive step towards achieving it.”
Laurie Coffin, vice-president of marketing at Quarri Technologies, described Quarri as security software that enforces a secure session in the browser; with customers mainly in financial services, it prevents employees from replicating data because they cannot capture any details from the session.
She said: “On some applications an employee can print a replication of the data, but this is a secure browser layer that deletes the cache at the end of the session. The data is entered into the browser and you can see the data; by using us it will empty the cache at the end of the session. I think that it is difficult to achieve compliance as the guidelines are not specific; they are designed to figure out what to do and can be used to be compliant.”
I asked Hall if he felt that it was possible to be compliant, and he said that, without paying for it, it is very much about protecting data. He said: “Often compliance guidelines are not put across; you get something to tick a box, but there is an impression of guidance on how to secure; there is a real feeling that the responsibility is placed upon the end-user.”
Compliance is never going to be easy, but the guidelines are there to be followed and interpreted by businesses, and the reason it is difficult is that it is meant to be a challenge to achieve. Perhaps more communication from those who set the guidelines will clear the blurry lines a little.