New scoring system makes credit card transactions a little more secure

November 14th, 2007 - 10:19 am ICT by admin
To make credit card transactions more secure, the payment card industry is adopting the Common Vulnerability Scoring System (CVSS) Version 2, a standard for rating the severity of security vulnerabilities in computer systems.
The standard was written this year by researchers from the National Institute of Standards and Technology (NIST), Carnegie Mellon University, and 23 other organizations.
When making an electronic payment, whether by swiping a card at a checkout counter or by paying on a commercial Web site, a customer enters personal payment information into a computer. That information is then sent to a payment-card “server”, a computer system typically run by the bank or merchant that sponsors the particular card.
After processing the payment data, the server reports the transaction to the vendor and authorizes the purchase.
Peter Mell of NIST, who is the lead author of CVSS Version 2, says that a payment-card server is like a house with many doors, where each door represents a potential vulnerability in the operating system or programs.
He says that attackers routinely check whether any of the doors are open and, if they find one, can take control of the entire server and steal financial information such as credit card numbers.
According to Mell, CVSS Version 2 scores each potential vulnerability on a scale from zero to 10. The score takes into account whether the vulnerability could expose private information such as credit card numbers, whether it could be used to shut down the credit card system, and whether it could be used to alter credit card data.
Payment card vendors already use software that scans their systems for vulnerabilities. To promote uniform standards for this software, the PCI (Payment Card Industry) Security Standards Council maintains the Approved Scanning Vendor (ASV) compliance program, which currently covers 135 vendors, as well as assessors who perform onsite audits of PCI information security.
By June 2008, all ASV scanners will be required to use the current version of CVSS to identify and score security vulnerabilities.
Bob Russo, General Manager of the PCI Security Standards Council, says that requiring ASV software to use CVSS promotes consistency between vendors and ultimately provides good information for protecting electronic transactions.
The council also plans to use NIST’s upcoming enhancements to CVSS, which will go beyond scoring vulnerabilities to identifying secure configurations of operating systems and applications. (ANI)