PCI DSS 3 is to be announced in November with some changes and upgrades to be expected but it seems that there are still queries regarding the effectiveness of PCI in protecting consumers from fraud.
The PCI Security Standards Council has highlighted various areas that require improvement including: easier mechanisms for compliance and implementation, flexibility, better guidance and education, in general and regarding passwords, and security to be viewed as a collective responsibility.
This being said, there are several opinions that insist on exploring avenues aside from PCI Security Standards in order to provide adequate safety for e-consumers.
“Industry businesses know plenty about obligations to protect cardholder information by complying with PCI mandates but many are not aware of legal requirements to keep their customers” (i.e., merchants’) personal information secure,” says attorney, Holli Targan, In Electronic Payments Law.
She explains that merchants in the US, whether they are aware of it or not, are expected to abide by Federal and State law regarding PII (personally identifiable information). PCI cannot be the only consideration and, each state has its own laws which need to be checked. For example, under California law, merchants must shred (destroy) PII, Merchants must have security to guard against stolen data and, a third party in possession of PII must also have adequate security. In addition to this, State data security breach laws say that a data breach or hint of misused information must be reported to consumers and in some states, to the Attorney General – A serious situation for any merchant who finds himself in this position.
Stocks to Watch This Week – Expedia Group, IncGo to article >>
Another grievance, directed mostly towards Mobile payment by Michael Aminzade, director of delivery for EMEA and APAC at Trustwave, is that the “lack of requirements around risk management within PCI DSS creates a huge area of risk that needs to be addressed” Outlaw.com.
He points out that Trustwave reports found 400% more incidents of malware in Android operating system in 2012 compared to the previous year and calls for PCI DSS3 to comprehensively explain: the qualifications needed to conduct risk assessment, risk assessment areas of need, how they are to be conducted and specification around who, within an organization is permitted to undertake internal risk reports.
He insists that the current status of risk assessment outlined by the PCI Security Standards Council is less than adequate for the purpose of protecting merchants from malware and other cyber-attacks, nor for the purpose of securing the end-users