PCI-DSS certification still require improvements

PCI DSS 3 is to be announced in November with some changes and upgrades to be expected but it seems that there are still queries regarding the effectiveness of PCI in protecting consumers from fraud.

The PCI Security Standards Council has highlighted various areas that require improvement including: easier mechanisms for compliance and implementation, flexibility, better guidance and education, in general and regarding passwords, and security to be viewed as a collective responsibility.

This being said, there are several opinions that insist on exploring avenues aside from PCI Security Standards in order to provide adequate safety for e-consumers.

“Industry businesses know plenty about Obligations Obligations In finance, an obligation is a financial responsibility where the terms of a contract must be met. Should an obligation between parties fail then the party who is at default may face legal action. In this scenario, the guilty party will not only have to agree to pay the set amount to fulfill the contractual arrangement but may also be responsible for covering all legal proceedings cost. Routine payments or outstanding debt of any kind are considered financial obligations, so if someone owes you In finance, an obligation is a financial responsibility where the terms of a contract must be met. Should an obligation between parties fail then the party who is at default may face legal action. In this scenario, the guilty party will not only have to agree to pay the set amount to fulfill the contractual arrangement but may also be responsible for covering all legal proceedings cost. Routine payments or outstanding debt of any kind are considered financial obligations, so if someone owes you Read this Term to protect cardholder information by complying with PCI mandates but many are not aware of legal requirements to keep their customers” (i.e., merchants’) personal information secure,” says attorney, Holli Targan, In Electronic Payments Law.

She explains that merchants in the US, whether they are aware of it or not, are expected to abide by Federal and State law regarding PII (personally identifiable information). PCI cannot be the only consideration and, each state has its own laws which need to be checked. For example, under California law, merchants must shred (destroy) PII, Merchants must have security to guard against stolen data and, a third party in possession of PII must also have adequate security. In addition to this, State data security breach laws say that a data breach or hint of misused information must be reported to consumers and in some states, to the Attorney General – A serious situation for any merchant who finds himself in this position.

Another grievance, directed mostly towards Mobile payment by Michael Aminzade, director of delivery for EMEA and APAC at Trustwave, is that the "lack of requirements around Risk Management Risk Management One of the most common terms utilized by brokers, risk management refers to the practice of identifying potential risks in advance. Most commonly, this also involves the analysis of risk and the undertaking of precautionary steps to both mitigate and prevent for such risk.Such efforts are essential for brokers and venues in the finance industry, given the potential for fallout in the face of unforeseen events or crises. Given a more tightly regulated environment across nearly every asset class, One of the most common terms utilized by brokers, risk management refers to the practice of identifying potential risks in advance. Most commonly, this also involves the analysis of risk and the undertaking of precautionary steps to both mitigate and prevent for such risk.Such efforts are essential for brokers and venues in the finance industry, given the potential for fallout in the face of unforeseen events or crises. Given a more tightly regulated environment across nearly every asset class, Read this Term within PCI DSS creates a huge area of risk that needs to be addressed" Outlaw.com.

He points out that Trustwave reports found 400% more incidents of malware in Android operating system in 2012 compared to the previous year and calls for PCI DSS3 to comprehensively explain: the qualifications needed to conduct risk assessment, risk assessment areas of need, how they are to be conducted and specification around who, within an organization is permitted to undertake internal risk reports.

He insists that the current status of risk assessment outlined by the PCI Security Standards Council is less than adequate for the purpose of protecting merchants from malware and other cyber-attacks, nor for the purpose of securing the end-users