Consultant: PCI Update Lets 'Barely Compliant' Catch Up


The lack of major changes in version 1.2 of the Payment Card Industry Data Security Standard, which the PCI Security Standards Council released yesterday, gives entities that barely comply a chance to "catch up," according to one PCI-security expert.

David Taylor, a consultant and founder of the Web site PCI Knowledge Base, a clearinghouse of PCI-related research and commentary, tells CardLine sister publication Cards&Payments that several card-accepting merchants admitted to his researchers during recent anonymous interviews that they withheld from qualified security assessors information that might hurt their chances of receiving PCI-compliance validation. Others say they used compensating controls that just barely brought their payment systems into PCI compliance.

Taylor says he understands the difficulty merchant information-technology professionals face in trying to procure funding for security upgrades from upper-level management that often does not understand the need to budget time and money for continual payment-system security monitoring and upgrades. The lack of major changes to the standard has led to "a tone of relaxation" among some merchants, processors and acquirers, he adds. Instead of relaxing, merchants should "take advantage of the fact that it's not a major release to go back and fix the stuff you didn't do right the first time," Taylor suggests.
