New Software Standards Could Stifle Credit Card Thieves
Hop onto the Dark Web and you'll be able to buy millions of credit card numbers, as hackers and thieves continue to defeat payment systems and steal consumer information. However, an industry council hopes that by publishing new payment software security standards, the tide of stolen information could ebb.
Now, in an effort to reduce or perhaps even stop the breaches that result in credit card theft, the PCI Security Standards Council is replacing its decade-old software standard, the PCI Payment Application Data Security Standard (PA-DSS), which is used by vendors who create payment software.
The council recently published a new PCI Software Security Framework (PCI SSF), containing both the PCI Secure Software Standard (PCI SSS) and the PCI Secure Software Lifecycle Standard (PCI Secure SLC). The first covers the software itself: developers can show that their software protects the payment data that flows through it, minimizes the vulnerabilities that hackers exploit, and defends against attacks when they occur. The second covers the vendor's processes: software vendors can show that they manage security throughout the lifecycle of their software, not just at release.
"I was particularly pleased to see the emphasis on integrating security into the software development process rather than attempting to assure security by after-the-fact testing," said Steve Lipner, executive director of the Software Assurance Forum for Excellence in Code (SAFECode), in a statement.
PCI SSC interviewed its chief technology officer Troy Leach, who said that the new standards address the fact that software development practices are different from what they were in 2008, so the standards provide "an alternative approach for assessing software security. The PCI Software Security Framework introduces objective-focused security practices that can support both existing ways to demonstrate good application security and a variety of newer payment platforms and development practices."
The standards aim to protect the integrity and confidentiality of payment transactions and their data on a variety of platforms, many of which, such as mobile and wearable payments, did not exist when the previous standard was developed.
"Innovation in payments is moving at an incredible pace. Each advancement provides the industry the opportunity to develop applications more quickly and efficiently than before and to design software for new platforms for payment acceptance," said Leach in a statement. "The new PCI Secure Software Standard and PCI Secure SLC Standard support this evolution in payment software practices by providing a dynamic way for developers to demonstrate their software protects payment data for the next generation of applications."
Even though EMV chip cards were supposed to curb card fraud, and Visa says that merchants who have upgraded to this technology have seen their counterfeit fraud dollars decrease by 80 percent in the three years since EMV was first introduced, the Dark Web is still flooded with stolen credit card numbers.
Last year, Gemini Advisory found that 60 million US payment cards had been compromised in a twelve-month period. Seventy-five percent of these were stolen from card-present payments, the exact channel EMV is supposed to protect. Card-present theft persists because many merchants still haven't upgraded their payment terminals, so cards continue to be read from the magnetic stripe and the data can be copied. Meanwhile, card-not-present fraud (i.e., online payments) is also on the rise, with hackers targeting e-commerce sites to steal consumer card information.
While it's a step in the right direction, that step will be a while in coming. The new PCI standards and their validation and qualification programs will be launched later this year. However, much as EMV took years to reach widespread adoption, the current PA-DSS will be supported until 2022, when it will be fully phased out.