New Scoring System Protects Credit Card Transactions

Nov 08, 2007
New Scoring System Protects Credit Card Transactions
NIST image, photos copyright Shutterstock.

As this year’s holiday season approaches, your credit card transactions may be a little more secure thanks to standards adopted by the payment card industry.

The latest incarnation of these standards include the Common Vulnerability Scoring System (CVSS) Version 2 that was coauthored this year by researchers at the National Institute of Standards and Technology and Carnegie Mellon University in collaboration with 23 other organizations.

When you make an electronic transaction—either swiping a card at a checkout counter or through a commercial Web site—you enter personal payment information into a computer. That information is sent to a payment-card “server,” a computer system often run by the bank or merchant that sponsors the particular card. The server processes the payment data, communicates the transaction to the vendor, and authorizes the purchase.

According to NIST’s Peter Mell, lead author of CVSS Version 2, a payment-card server is like a house with many doors. Each door represents a potential vulnerability in the operating system or programs. Attackers check to see if any of the “doors” are open, and if they find one, they can often take control of all or part of the server and potentially steal financial information, such as credit card numbers.

For every potential vulnerability, CVSS Version 2 calculates its risks on a scale from zero to 10, assesses how the vulnerability could compromise confidentiality (exposing private information such as credit card numbers), availability (could it be used to shut down the credit card system?) and integrity (can it change credit card data?). The CVSS scores used by the credit card industry are those for the 28,000 vulnerabilities provided by the NIST National Vulnerability Database (NVD), sponsored by the Department of Homeland Security.

To assess the security of their servers, payment card vendors use software that scans their systems for vulnerabilities. To promote uniform standards in this important software, the PCI (Payment Card Industry) Security Standards Council, an industry organization, maintains the Approved Scanning Vendor (ASV) compliance program, which currently covers 135 vendors, including assessors who do onsite audits of PCI information security.

By June 2008, all ASV scanners must use the current version of CVSS in order to identify security vulnerabilities and score them. Requiring ASV software to use CVSS, according to Bob Russo, General Manager of the PCI Security Standards Council, promotes consistency between vendors and ultimately provides good information for protecting electronic transactions. The council also plans to use NIST’s upcoming enhancements to CVSS, which will go beyond scoring vulnerabilities to identify secure configurations on operation systems and applications.

To learn more, see:

CVSS Web site: www.first.org/cvss
National Vulnerability Database: nvd.nist.gov

Source: NIST

Explore further: Ride-sharing could cut cabs' road time by 30 percent

add to favorites email to friend print save as pdf

Related Stories

Sharks off the menu and on the tourist trail in Palau

39 minutes ago

In many places swimmers might prefer to avoid sharks, but wetsuit-clad tourists in Palau clamour to dive among the predators thanks to a pioneering conservation initiative that has made them one of the country's ...

Single laser stops molecular tumbling motion instantly

59 minutes ago

In the quantum world, making the simple atom behave is one thing, but making the more complex molecule behave is another story. Now Northwestern University scientists have figured out an elegant way to stop a molecule from ...

Top South America hackers rattle Peru's Cabinet

1 hour ago

The Peruvian hackers have broken into military, police, and other sensitive government networks in Argentina, Colombia, Chile, Venezuela and Peru, defacing websites and extracting sensitive data to strut ...

Great Barrier Reef dredge dumping plan could be shelved

1 hour ago

An India-backed mining consortium could shelve controversial plans to dump dredging waste in the Great Barrier Reef, with alternative sites on land being considered amid growing environmental concerns, Australia ...

Recommended for you

Ride-sharing could cut cabs' road time by 30 percent

14 hours ago

Cellphone apps that find users car rides in real time are exploding in popularity: The car-service company Uber was recently valued at $18 billion, and even as it faces legal wrangles, a number of companies ...

Avatars make the Internet sign to deaf people

Aug 29, 2014

It is challenging for deaf people to learn a sound-based language, since they are physically not able to hear those sounds. Hence, most of them struggle with written language as well as with text reading ...

Chameleon: Cloud computing for computer science

Aug 26, 2014

Cloud computing has changed the way we work, the way we communicate online, even the way we relax at night with a movie. But even as "the cloud" starts to cross over into popular parlance, the full potential ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

HarryStottle
not rated yet Nov 19, 2007
and they would be a hundred times more secure for a fraction of the cost, if they simply implemented optional two factor authentication. You register your mobile phone with the credit card account. Every time you use your card (in a "live" transaction), they send a random 4 digit pin to your phone. You either key that in yourself or give the number to the checkout operator. (Doesn't matter if you're overheard, it's a one time key)

Thereafter, you have to lose both your card and your mobile phone in order to be ripped off. Report phone stolen. Network disables it. Cheap. Efficient. Available for 90% of all transactions on and offline.