U.S.-Based PCI Council Pushes For Secure Transactions In Europe


Bob Russo, general manager of the United States-based Payment Card Industry Security Standards Council, rates the European response to the PCI data-security standard as "very good." Some resistance to the standard arose in Europe because merchants there believed their use of chip-and-PIN security measures protects consumers' personal data from theft, he says. But even proponents realize chip-and-PIN cards have shortcomings, Russo maintains. The cards contain a computer chip for security and require the cardholder to enter a personal identification number on a keypad. Chip-and-PIN "knocks the fraud numbers down in the face-to-face incidents, but the fraud just moves to card-not-present," Russo says.

The council, which manages transaction-security standards, is continuing its efforts to persuade European merchants to meet deadlines for complying with the rules, he notes. In other news, the council has certified approximately 15 qualified security assessors in Japan. Assessors perform on-site PCI audits for merchants.

Meanwhile, with Version 1.2 of the PCI security standard four to six weeks from release, the council this week published a summary of what to expect. "This version is still being updated and tweaked as we get closer to the release date," says Russo. The update clarifies requirements laid out earlier, he says. The organization decided to release a summary of the changes "so we don't have people coming back to us when it's released saying they were unaware of what was coming," says Russo.

The most significant change in Version 1.2 concerns wireless terminals and Wired Equivalent Privacy, or WEP. WEP is intended to secure wireless networks, but experts have found flaws since its introduction in 1999. The most celebrated data breach involving WEP happened at U.S.-based TJX Cos. Inc. in 2006. Version 1.1 of the PCI standard declared WEP inadequate on its own for wireless networks handling payment card data. However, the council said Wi-Fi Protected Access (WPA) was acceptable on its own for handling card data. The update says "new implementations of WEP are not allowed after March 31, 2009," and "current implementation must discontinue use of WEP after June 30, 2010." Russo says merchants have time to make the change.

