The major credit card companies are planning an update to the Payment Card Industry security standards to protect customer information shared with third-party processors or sent across the Internet.
A Visa U.S.A. spokesman confirmed Friday that the update is in the works, and several industry observers said the update is likely to be announced by September.
The PCI standard is used by Visa, MasterCard Inc., Morgan Stanley's Discover Financial Services, American Express Co., and JCB Co. Ltd.
Though the standards have been in place for more than a year, compliance by merchants, especially small ones, is still relatively low. Visa sent small and midsize restaurants a security alert last week reminding them that they must adhere to the standards if they accept payment cards, and one recent survey found that many small businesses are unaware of the standards.
Christopher J. Novak, a principal consultant for CyberTrust Inc., a Herndon, Va., security company that performs PCI compliance assessments, said card companies are trying to update the rules for Internet applications, because many companies are "bringing a lot more of the day-to-day activities and operations" on to the Web.
Hackers are not targeting the networks' infrastructure, which have been in place for a long time and are considered both stable and secure, Mr. Novak said. Instead, "a lot of hackers are targeting the Web applications."
Many of the applications that merchants and processors use to move, store, and handle customer data are updated and modified frequently. Failing to keep up with these changes can create back doors for criminals who can exploit systems that are not up to date.
Third-party security is another important issue the card companies are likely to address, Mr. Novak said.
"We're moving to a much more open model where information is shared on a regular basis," he said. For example, many companies outsource their call centers. "Obviously, there is concern over the security surrounding these call centers. If they are not your own call centers, it can be a little more challenging to understand what security procedures and policies are in place at those particular facilities."
Chris Noell, the founder and chief executive of the Austin security consulting company TruComply LLC, said the card companies also plan to require vendors' payments software to comply with the standards within two years. Following those standards is currently optional for the vendors.
Requiring the vendors to follow the standards would "be good news for the merchant and banking communities," Mr. Noell said. "If the underlying payments application is noncompliant, what do you do? It's pretty difficult to achieve PCI compliance."
In the meantime, Visa has noticed a spike in fraud at small and midsize restaurant point of sale terminals. These businesses are often less security-minded than larger companies, and in many cases they are unaware that their terminals can be a weak point in their security.
Martin Elliott, a vice president of emerging risk for Visa, said in an interview that there has been a "trend" of improperly "configured" terminals at small and midsize restaurants.
The main problem: Many restaurants use software that stores magnetic stripe data, also called PIN blocks, so the systems are a tempting target for criminals, who can use that information to create fake automated teller machine cards. Also, some merchants lack even basic security features, such as firewalls.
Visa's security alert included eight strategies for reducing the risk of data breaches, including using properly configured firewalls, creating unique passwords that are difficult to guess, separating terminals from other online functions, such as e-mail and Web browsing, and not storing PIN blocks.
"If you're not storing track data, you've done wonders to prevent a breach," Mr. Elliott said. "If you break into an empty house, there's nothing to steal."
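One way a merchant or assessor can act on the point about stored track data, as an added example that is not part of the article or of Visa's alert: a small Python scanner that looks for Track 1 and Track 2 formatted records in a text file (a point-of-sale log, an application trace, a database export), validates the card number with the Luhn check to keep false positives down, and reports where the records sit with the number masked. The sample log lines are constructed for this example, using the widely published test card numbers 4111 1111 1111 1111 and 5500 0000 0000 0004; the file name and field names are assumptions, not anything from the alert.

```python
import re
import sys

# Constructed sample of a POS application log. Lines 2 and 3 carry full
# magnetic-stripe records, which is exactly what the alert says not to store.
SAMPLE_LINES = [
    "2006-07-14 12:01:03 txn=1001 auth=OK amount=42.10",
    "2006-07-14 12:01:03 raw=%B4111111111111111^DOE/JOHN^0912101?",
    "2006-07-14 12:02:17 raw=;5500000000000004=09121011234567890?",
    "2006-07-14 12:03:40 txn=1003 ref=12345678901234 amount=7.50",
]

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that happen to match."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a finding never re-exposes the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(lines):
    """Return one finding per stripe record: line number, track type, masked PAN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append(
                        {"line": lineno, "track": track, "pan_masked": mask_pan(pan)}
                    )
    return findings


def scan_file(path: str):
    """Scan a file on disk; errors='replace' keeps binary junk from aborting the run."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_track_data(fh)


if __name__ == "__main__":
    # Usage: python scan_track_data.py <file>  (file name is an assumption);
    # with no argument the constructed sample is scanned instead.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_track_data(SAMPLE_LINES)
    for f in results:
        print(f"line {f['line']}: {f['track']} record, PAN {f['pan_masked']}")
    if results:
        print(f"{len(results)} stripe record(s) found: stored track data must be purged")
```

The scanner deliberately prints only masked numbers, so its own output does not become another copy of the data it is hunting for; run it against logs, temporary files and database dumps on the terminal host, not just the transaction database.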
Mr. Noell said that small and midsize businesses may not even be aware of the standards that they are required to follow; in a recent phone survey of 1,000 companies, most with annual revenue below $10 million, more than 90% of executives said they were unaware that the PCI standards existed.
The questions were designed to evaluate people's basic understanding of the requirements, he said.
"The reaction we got was 'PCI what?'" Mr. Noell said. "I think it's very easy to overestimate" the value of having a standard in place. "It's easy to assume that everyone is aware of it and is working towards it. We've definitely found that not to be the case."
Even when merchants take appropriate precautions and have properly installed systems, they can fall out of compliance easily if they do not keep up with the frequent security updates, he said.
"It's one thing to install it in a compliant fashion," he said. "It's another thing to actually maintain your environment in a compliant fashion. That's a much more difficult challenge."
Though the news media generally focuses on security breaches at large companies, any company with poor security can be a target for a fraudster, Mr. Noell said. "Even a relatively small merchant can have a whole lot of financial data. That's what makes them such attractive targets."
Mr. Elliott said that the number of breaches at small and midsize restaurants "was significant and warrants education," but it was not a "four-alarm fire."
Still, the alert should serve as a warning to everyone, he said. Though it was sent to small and midsize restaurants, "larger merchants should take notice of this alert as well, because if your systems are configured improperly or without some of these basic best practice controls, then you could be the next big guy with a problem."