Computer Crime Research Center


Merchants unsecure, poll

Date: December 28, 2005

A poll released by Protegrity Corporation, a provider of data security management solutions, found that Payment Card Industry Data Security Standard (PCI) compliance is severely lagging at merchants of all levels despite a growing Internet fraud rate.

During a recent Protegrity webcast on "Accelerating PCI Compliance: Real World Experiences and Strategies" featuring Intuit, respondents were asked about the status of their PCI compliance efforts. Of those, 45 percent said they are in the very early stages of the compliance process, while 19 percent said they have not passed their initial assessment. Only 3 percent said they have passed an assessment.

According to the 7th Annual CyberSource Fraud survey, dollar losses from e-commerce fraud continued to mount for merchants. In 2005, total losses to online fraud will exceed $2.8 billion, up from $2.6 billion in 2004, with large and midsize merchants finding the issue most difficult to address.

To meet the PCI standards, merchants of all sizes are required to:

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored data.

4. Encrypt transmission of cardholder data and sensitive information across public networks.

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security.

Merchants and providers who do not comply may receive fines and/or face restrictions or, in severe cases, be prohibited from accepting credit cards.