PCI Security Council mulls response to retail malware attacks
The next version of the PCI DSS standard for securing credit card data is likely to require or strongly urge merchants to invest in tokenization, encryption and dynamic authentication, according to two of the council’s most senior members.
Attacks on Target, Kmart, Home Depot, Staples, Neiman Marcus and Dairy Queen have brought the security practices of retailers into sharp focus and have led some analysts to argue that the bar for PCI compliance – as a baseline of IT security for those that hold credit card data – needs to be raised.
The breach at Target left 40 million cardholders vulnerable, while attacks on Home Depot’s systems exposed closer to 56 million cards, at huge cost to issuers. Trustwave, the PCI auditor of Target, was threatened with a lawsuit by affected issuers over the matter.
The breaches have put considerable pressure on the council that sets the Payment Card Industry Data Security Standard, a body made up of representatives of the major credit card schemes (American Express, Mastercard, Visa et al.) and volunteers from within the financial services and retail industries.