Visa U.S.A. Inc. and MasterCard International Inc. will release new security rules in the next 30 to 60 days for all organizations that handle credit card data, a Visa official said this week. The rules will be the first major updates to the one-year-old Payment Card Industry (PCI) data security standard, which analysts said is slowly but surely being adopted.
"Visa, MasterCard to unveil new security rules: The updated PCI standard will cover Web apps, third-party controls," Jaikumar Vijayan, ComputerWorld, 7 July 2006
So how well have the already-existing PCI requirements worked?
The number of companies complying with PCI requirements finally appears to be picking up after a slow start, several analysts said. Visa says that about 22% of Tier 1 merchants, which the company defines as those processing more than 6 million card transactions per month, are already PCI-compliant, with another 72% on track to becoming fully compliant. The numbers reveal that progress is being made, albeit slowly, said Avivah Litan, a Gartner Inc. analyst. One of the biggest technology challenges is PCI’s requirement for encryption, Litan said. Some companies are uncertain whether they’re required to encrypt data or can implement other compensating controls, she said.
-jsq
PS: Seen on Emergent Chaos, where cwalsh makes a good point that the credit card companies have to walk a careful path between alienating their customers and implementing new security measures. Still, see Avivah Litan’s comments about security up front being cheaper than fixing an identity breach later. Then factor in reputation both ways: reputation for being hard to use or implement, vs. reputation for losing identities. Interesting calculation, or estimation. Sounds like risk management.