[WEB SECURITY] PCI standards regarding appsec to change again?

Dave King davefd at davewking.com
Tue Jun 27 12:37:29 EDT 2006

Besides not allowing sites to accept credit cards, hitting the pocketbook
is another way to encourage people to comply.  For example,
according to

"Members are subject to fines, up to $500,000 per incident, for any
merchant or service provider that is compromised and not compliant at
the time of the incident."

Also, if you are compromised then you automatically become a level 1
merchant and would have to do yearly on site audits after that.  That
can be pretty pricey for a company that was a level 2, 3, or 4 previously.

Recently several banks and credit card processors are requiring PCI
compliance or they won't allow the merchant to process credit cards.  It
seems that this is happening more to new companies that want to start
processing credit cards than companies that are already established
though.  I do agree that more needs to be done.  It seems like measures
such as huge increases in discount rates or, as you said, not allowing
merchants to accept cards at all if they're not compliant.

Dave King

> While the current PCI standard is winning some praise for its
> straight-forward approach, it still lacks teeth because it is not
> legally enforceable.  The only leverage here is customer trust, which
> may not be enough by itself.  When you look at the news article that
> Arian referenced, you will notice that the writer uses passive terms
> of enforcement.  Look at this passage -
>     /Credit card companies Visa and MasterCard *will push* large
>     merchants to verify that they do not store magnetic-strip, or
>     "track", data, and *will encourage* ISVs to fix payment
>     applications that do store the data, said Martin Elliott, director
>     of corporate risk and compliance at Visa. /
> Wow, they will push and encourage, huh?  The visual image I have is of
> someone trying to pull a stubborn donkey by the reins.  There need to
> be consequences if a retailer does not comply.  The problem is that
> the only thing that would get the retailer's attention would be if
> Visa/Mastercard would pull their account and not let the retailer use
> their cards.  If CompanyX could only accept Diner's Club cards because
> they weren't PCI compliant, that would get their attention.  The
> Catch-22 here is that Visa/Mastercard will most likely not take this
> stance because it would affect their bottom line.
> Oh, the Almighty Dollar wins again...
> -- 
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> Author: Preventing Web Attacks with Apache
