Merchants now have another reason to safeguard the Internet-facing payment software they use, including such familiar applications as e-commerce shopping carts.
As of June 30, store operators became subject to Requirement 6.6 of the PCI Security Standards Council's data-security standard, which states they must test their application software for security flaws and protect it against common hacker attacks.
For ISOs, the vulnerability is real, especially because many ISOs deal with smaller merchants that lack big budgets for payments-network issues, says Troy Leach, PCI council technical director.
"We're seeing targeted attacks [against] applications," Leach says. "They're really becoming the most-popular methods for access and breaking into different types of retailers and merchants, especially among the less sophisticated Internet and e-commerce sites."
Since the data standard's release in January 2005, the part covering merchant-software testing has been a recommendation. The council delayed mandating the tests to give merchants time to prepare, Leach says.
A companion component of the data standard, Requirement 6.5, spells out common attacks merchants should strive to thwart.
Leach says ISOs can take several steps to ensure their merchants are protected.
First, he says, they should evaluate all Web-facing applications to find out where they store sensitive cardholder data.
"If you can identify where, that is a significant step in the right direction," Leach says. "The key is to understand where the information is and what the application is doing for your business. Once you understand that, you can go ahead and protect that information and build security best practices around that."
Kris Lovejoy, director of strategy for security, governance and risk management at IBM, monitors payment-application software for retailers of all sizes. Merchants of any size lose if cardholder data is accessed surreptitiously, Lovejoy says.
For her, the question is what constitutes a reasonable plan to meet PCI data tests.
For smaller businesses, "their real question is not so much what do I need to do, but what is my outsourcing doing for me?" Lovejoy says.
Smaller merchants should remember that many state legislatures are talking about PCI compliance as a "safe harbor." If a state mandates compliance, a compliant merchant that experiences a breach could be protected from state penalties, though the card brands may assess their own fines.
Meanwhile, banks may look to merchants to pay for costs of issuing new cards, Lovejoy says. The average breach costs $350,000 to resolve, she adds.
Additionally, most small merchants do not view themselves as security experts, Lovejoy says, so they turn to outside firms for help.
The PCI council's Leach says the organization in September will publish a list of payment applications that comply with the PCI data-security standard.
The council also has created a searchable database of PCI experts, called qualified security assessors. Previously, only PCI council-approved companies were searchable. Adding individuals will help merchants verify a prospective vendor is qualified.
The council also is working on a quality-assurance program that Leach says will ensure all qualified security assessors are measuring up to the same standards.