
Business Owners Must Embrace New PCI Standard To Keep E-Commerce Flowing

Though intended to bolster security and confidence in e-commerce transactions, the new Payment Card Industry standard also requires a significant investment from most businesses.

By Paul Korzeniowski


While most businesses have done an adequate job protecting customer information, there have been a number of higher profile cases where outsiders were able to access and abuse confidential data. In response, financial companies crafted standards to close these openings and mandated that small and midsize businesses adhere to the new standards or risk their e-commerce operations.

In the past few years, high profile data thefts have occurred at TJX, Hannaford Bros., Montgomery Ward, Countrywide, and Citibank. Not only did these transgressions cost the companies millions in tangible and intangible ways, they also cast a chill over all online purchases and caused many businesses and consumers to pause before hitting the Enter key to complete their online transactions.

To assuage such fears, the Payment Card Industry (PCI) Security Standards Council, whose founders include American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, established various standards for online transactions. The PCI Data Security Standard (DSS) is the cornerstone in the initiative: it mandates that companies build secure networks, protect stored cardholder data, and encrypt all online transactions.

The first, flawed version of the standard made its way to market in 2007. Now, a second version of the standard has been announced. The new specification clarifies the wording in the previous version and extends a few features.

One term that needed clarification was "strong cryptography." Undefined in version 1.1, PCI Data Security Standard 1.2 specifies strong cryptography as Triple-DES 128-bit or AES 256-bit encryption. Another outstanding question was PCI DSS applicability to paper-based information; version 1.2 clarifies that the standard applies to both electronic and paper media containing cardholder data. For businesses that interpreted version 1.1 as applying to electronic media only, this means expanding the scope of compliance work.

Version 1.2 also includes new requirements for firewalls. Businesses must protect all public-facing Web applications with application-level firewalls, and the mandated periodic review of company firewall rules shifts from every 90 days to every 180 days. The PCI Security Standards Council changed the control timeline to align better with a typical organization's risk management policies.

Wireless connections also received a great deal of attention in the updated standard. WEP security features are no longer sufficient; the council wants companies to use stronger encryption. After March 31, 2009, new WEP implementations will not be allowed, and businesses must discontinue existing WEP implementations by June 30, 2010. In place of WEP, businesses will need to protect wireless transmissions using products that comply with the IEEE 802.1X standard, which will require an equipment upgrade for some companies.
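The concrete 1.2 changes described above (the strong-cryptography definition, the paper-media scope, the firewall rule review interval, and the two WEP cutoff dates) can be turned into a small self-check a merchant runs against its own settings. This is an added example for this column, not code from the PCI Security Standards Council; the `MerchantConfig` fields and the way the article's cipher wording is encoded as a cipher/key-length set are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Limits and cutoff dates as the article states them for PCI DSS 1.2.
WEP_NEW_DEPLOYMENT_CUTOFF = date(2009, 3, 31)   # no new WEP after this date
WEP_SUNSET = date(2010, 6, 30)                   # all WEP gone after this date
STRONG_CRYPTO = {("3DES", 128), ("AES", 256)}    # article's definition (assumed encoding)
FIREWALL_REVIEW_MAX_DAYS = 180

@dataclass
class MerchantConfig:          # hypothetical description of a merchant's setup
    wireless_mode: str         # e.g. "WEP" or "WPA2-802.1X"
    wireless_deployed: date    # when the wireless link went live
    storage_cipher: str        # cipher protecting stored cardholder data
    storage_key_bits: int
    last_firewall_review: date
    paper_records_in_scope: bool  # paper media with cardholder data covered?

def audit(cfg: MerchantConfig, today: date) -> list[str]:
    """Return findings against the 1.2 rules above; an empty list means no gap found."""
    findings = []
    if cfg.wireless_mode.upper() == "WEP":
        if cfg.wireless_deployed > WEP_NEW_DEPLOYMENT_CUTOFF:
            findings.append("WEP deployed after 2009-03-31: new WEP implementations are not allowed")
        elif today > WEP_SUNSET:
            findings.append("WEP still in use after 2010-06-30: it must be discontinued")
        else:
            findings.append(f"WARN: WEP in use; it must be replaced by {WEP_SUNSET.isoformat()}")
    if (cfg.storage_cipher.upper(), cfg.storage_key_bits) not in STRONG_CRYPTO:
        findings.append(f"{cfg.storage_cipher}-{cfg.storage_key_bits} is not strong cryptography "
                        "under 1.2 (Triple-DES 128-bit or AES 256-bit)")
    review_age = (today - cfg.last_firewall_review).days
    if review_age > FIREWALL_REVIEW_MAX_DAYS:
        findings.append(f"firewall rules last reviewed {review_age} days ago; limit is 180 days")
    if not cfg.paper_records_in_scope:
        findings.append("paper media holding cardholder data is excluded from scope; 1.2 covers it")
    return findings

if __name__ == "__main__":
    # Constructed sample: a merchant still on WEP with an overdue firewall review.
    sample = MerchantConfig("WEP", date(2009, 5, 1), "AES", 128, date(2009, 11, 1), False)
    for finding in audit(sample, date(2010, 7, 1)):
        print(finding)
```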

For small and midsize business owners and managers to comply with the new PCI DSS standard, they must first have a firm grasp of the requirements and then check to ensure that company systems adhere to the specification.

Though intended to bolster security and confidence in electronic commerce transactions, the new standard also requires a significant investment from most businesses. But small and midsize businesses don't have a choice. Major payment brands, including MasterCard and Visa, have adopted PCI DSS as a requirement for organizations that process, store, or transmit payment cardholder data. That means that all merchants, no matter how small or large, need to comply with the standard.

The threat to online transactions is so great the major financial players have moved to establish standards to decrease the likelihood of problems. If they want to keep their e-commerce transactions flowing, small and midsize businesses need to understand and adopt these standards.


Paul Korzeniowski is a Sudbury, Mass.-based freelance writer who has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investor's Business Daily, Newsweek, and InformationWeek.

Visit Portfolio.com for the latest business news and opinion, executive profiles and careers. Portfolio.com © 2007 Condé Nast Inc. All rights reserved.
