New scoring system protects credit card transactions

November 08, 2007

As this year's holiday season approaches, your credit card transactions may be a little more secure thanks to standards adopted by the payment card industry. The latest incarnation of these standards include the Common Vulnerability Scoring System (CVSS) Version 2 that was coauthored this year by researchers at the National Institute of Standards and Technology and Carnegie Mellon University in collaboration with 23 other organizations.

When you make an electronic transaction--either swiping a card at a checkout counter or through a commercial Web site--you enter personal payment information into a computer. That information is sent to a payment-card "server," a computer system often run by the bank or merchant that sponsors the particular card. The server processes the payment data, communicates the transaction to the vendor, and authorizes the purchase.

According to NIST's Peter Mell, lead author of CVSS Version 2, a payment-card server is like a house with many doors. Each door represents a potential vulnerability in the operating system or programs. Attackers check to see if any of the "doors" are open, and if they find one, they can often take control of all or part of the server and potentially steal financial information, such as credit card numbers.

For every potential vulnerability, CVSS Version 2 calculates its risks on a scale from zero to 10, assesses how the vulnerability could compromise confidentiality (exposing private information such as credit card numbers), availability (could it be used to shut down the credit card system") and integrity (can it change credit card data"). The CVSS scores used by the credit card industry are those for the 28,000 vulnerabilities provided by the NIST National Vulnerability Database (NVD), sponsored by the Department of Homeland Security.

To assess the security of their servers, payment card vendors use software that scans their systems for vulnerabilities. To promote uniform standards in this important software, the PCI (Payment Card Industry) Security Standards Council, an industry organization, maintains the Approved Scanning Vendor (ASV) compliance program, which currently covers 135 vendors, including assessors who do onsite audits of PCI information security. By June 2008, all ASV scanners must use the current version of CVSS in order to identify security vulnerabilities and score them. Requiring ASV software to use CVSS, according to Bob Russo, General Manager of the PCI Security Standards Council, promotes consistency between vendors and ultimately provides good information for protecting electronic transactions. The council also plans to use NIST's upcoming enhancements to CVSS, which will go beyond scoring vulnerabilities to identify secure configurations on operation systems and applications.
-end-
To learn more, see:
CVSS Web site: www.first.org/cvss
National Vulnerability Database: http://nvd.nist.gov

National Institute of Standards and Technology (NIST)

Related Software Articles from Brightsurf:

Novel software assesses phonologial awareness
Understanding sounds in language is a critical building block for child literacy, yet this skill is often overlooked.

Software of autonomous driving systems
Researchers at TU Graz and AVL focus on software systems of autonomous driving systems.

New software supports decision-making for breeding
Researchers at the University of Göttingen have developed an innovative software program for the simulation of breeding programmes.

Software updates slowing you down?
We've all shared the frustration -- software updates that are intended to make our applications run faster inadvertently end up doing just the opposite.

Where is George? Ask this software to look at the crowd
Idtracker.ai is a mix of conventional algorithms and artificial intelligence developed at the Champalimaud Centre for the Unknown.

Research finds serious problems with forensic software
New research finds significant flaws in recently released forensic software designed to assess the age of individuals based on their skeletal remains.

Beta of Neurodata Without Borders software now available
Neuroscientists can now explore a beta version of the new Neurodata Without Borders: Neurophysiology (NWB:N 2.0) software and offer input to developers before it is fully released next year.

New software speeds origami structure designs
Researchers at Georgia Institute of Technology have developed a new computer-aided approach that streamlines the design process for origami-based structures, making it easier for engineers and scientists to conceptualize new ideas graphically while simultaneously generating the underlying mathematical data needed to build the structure in the real world.

International competition benchmarks metagenomics software
Communities of bacteria live everywhere: inside our bodies, on our bodies and all around us.

Preventing software from causing injury
Workplace injuries don't just come from lifting heavy things or falling off a ladder.

Read More: Software News and Software Current Events
Brightsurf.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.