Time is running out for organisations that handle credit card payments to make their systems compliant with a new security standard, experts have warned.

In less than three months, the Payment Card Industry, which represents credit card companies, will bring in the PCI Data Security Standard (DSS) to help safeguard customer data.

But there are fears that many smaller retailers, in particular, will not be ready for the 30 June deadline and could face fines.

The PCI DSS sets requirements for the monitoring and storage of credit card information at four levels of security, depending on the volume of credit card transactions being handled.

Firms with large numbers of transactions are required to monitor closely all access to stored credit card information, and they can be audited quarterly, at a cost of up to £10,000 a time, to ensure best practice is adhered to.

The UK's largest retailer, Tesco, told Computer Weekly that it had been working on PCI DSS compliance for the past 18 months to ensure it was prepared for the change.

Nick Mourant, group treasurer at Tesco, said the firm had completed a gap analysis of its current configurations and had undertaken a risk assessment around any shortcomings.

He said Tesco was confident that any gaps in its PCI DSS compliance would be addressed over the course of the retailer's normal software refresh cycle.

John Lewis said it had appointed a project manager and had identified areas where work was required to meet the requirements of the PCI DSS. "We are in the process of producing a detailed implementation plan," a spokeswoman said.

However, the British Retail Consortium said that meeting the June deadline would be difficult for some of its members, adding, "So long as the retailer has a plan and budget, there is some flexibility."

Seana Pitt, chair of the PCI Security Standards Council, said, "Everyone has a role to play in keeping sensitive payment data secure." She urged retailers to be aware of where credit card data was being stored, and to eliminate non-essential data.

"Retailers should look to ensure that sensitive authentication data is not stored in their systems. They should scope their system to know where their data resides, become familiar with the PCI DSS and create action plans to become compliant," said Pitt.

Andrew McClelland, director of projects at the online retail trade body IMRG, said, "Everyone accepts the need for a standard, but PCI DSS is an extremely large and complex project."

At the same time, some commentators have warned that the new standard will not necessarily improve overall data security.

In his Computer Weekly risk assessment blog, Stuart King said, "I believe that [penalty] schemes have the potential to undermine the standard by turning it into an exercise in achieving the pass mark rather than a serious effort to protect data."