Slashdot Mirror


Credit Card Security Standard Issued

alphadogg writes "The Payment Card Industry Security Standards Council, the organization that sets technical requirements for processing credit- and debit-cards, Wednesday issued revised security rules, while also indicating next year it will focus on new guidelines for end-to-end encryption, payment machines and virtualization. PCI adherence has been pushed big time in the industry to help avoid more big breaches such as the one involving TJX. Those familiar with the standard say it could be expensive to implement and that there are some things those using wireless LANs will need to pay especially close attention to."

1 of 98 comments

  1. Re:Any advancement? by Nursie · Score: 2, Informative

    * very very very hard way to physically clone a CC/DC;

    Done. Chip and Pin (or EMV as it should be known) makes it pretty impossible without an electron microscope.

    * very very very strong encryption in communication;

    Done. EMV cards use RSA to encrypt comms between themselves and the bank. Nobody else gets to read it. Online purchases are down to your e-tailer and their setup. Check your browser security bar.

    * user-changeable authentication and authorisation, so it won't be enough to have just a copy of the data printed on the CC sides to make a purchase on internet.

    You can easily change your PIN in a lot of places with EMV, and for online purchases there are now a lot of places using the "Verified by Visa" (or similar MasterCard initiative) to take you through authentication directly with your card issuer, with a user-set password, before the transaction can take place.

    The main problem with ALL of this is back compatibility and legacy systems. The moment you introduce all this good stuff but then say "but if it's not available then fall back to unverified, unencrypted, magnetic processing" then you've introduced the capacity for major fraud again.
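
The fallback problem raised in the comment above, as an added example that is not part of the original post or of any payment scheme's own code: a card-present policy check that refuses to downgrade a chip-capable card to a magnetic-stripe read. It assumes Track 2 data in the ISO/IEC 7813 layout, where a service code starting with 2 or 6 marks a card that carries a chip; the `entry_mode` labels, function names and card numbers are hypothetical and constructed.

```python
# Added illustration; every card number and track string here is constructed.
CHIP_FIRST_DIGITS = {"2", "6"}  # ISO/IEC 7813 service code: card carries a chip


def parse_track2(track2):
    """Parse ';PAN=YYMMsss...?' into PAN, expiry (YYMM) and service code."""
    body = track2.strip().lstrip(";").split("?", 1)[0]
    pan, sep, rest = body.partition("=")
    if not sep or not pan.isdigit() or len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed track 2 data")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def evaluate(entry_mode, track2, allow_fallback=False):
    """Return 'accept', 'flag' or 'decline' for one card-present read.

    entry_mode is a hypothetical label: 'chip' or 'magstripe'.
    """
    try:
        card = parse_track2(track2)
    except ValueError:
        return "decline"
    if entry_mode == "chip":
        return "accept"
    if entry_mode != "magstripe":
        return "decline"
    if card["service_code"][0] in CHIP_FIRST_DIGITS:
        # Chip-capable card presented by stripe: this is the downgrade path.
        # Declining closes it; 'flag' keeps legacy terminals working but
        # marks the transaction for issuer-side review.
        return "flag" if allow_fallback else "decline"
    return "accept"  # stripe-only card: there is nothing stronger to require


# Constructed sample reads: (entry mode, Track 2 data)
CHIP_CARD = ";4000000000000002=30122010000000000?"    # service code 201
STRIPE_CARD = ";4000000000000010=30121010000000000?"  # service code 101

if __name__ == "__main__":
    for mode, track in [("chip", CHIP_CARD), ("magstripe", CHIP_CARD),
                        ("magstripe", STRIPE_CARD), ("magstripe", "garbage")]:
        print(mode, track[:18], "->", evaluate(mode, track))
```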