Market gets to grips with PCI, but pitfalls remain


Market gets to grips with PCI, but pitfalls remain

Ron Condon, UK bureau chief
After several false starts, companies handling credit card data are learning to live with the payment card industry's tough new security standards.

Large merchants are achieving compliance by working more closely with their acquiring banks, while the processes that smaller retailers have to go through have been streamlined and simplified.

Some small merchants have no idea about security, so it helps them understand
Bob Russo
General ManagerPCI Council
This week the PCI Council, an industry body representing more than 400 merchants, vendors and financial service organisations, unveiled a new range of self-assessment questionnaires (SAQs) that it said would help smaller merchants manage their compliance with PCI DSS (the Payment Card Industry Data Security Standard).

"The new SAQ tool will go a long way to furthering adoption, especially amongst Level 3 and 4 merchants. It derives from industry feedback," said Bob Russo, general manager of the PCI Council.

While the standard SAQ consists of 11 pages and contained 207 questions, the PCI Council has simplified the process by introducing four different slimmed-down SAQs for different types of smaller merchant. For instance, companies taking card numbers over the internet or by phone will now have only 20 questions to answer.

"Some small merchants have no idea about security, so it helps them understand," said Russo. "207 questions was too much for someone who is running a bike store, for example. All the questions in the new SAQs are explained in depth to show what they mean and why merchants need to answer them. It will make it a lot easier for Level 3 and 4 merchants. This questionnaire along with a quarterly scan is not going to be prohibitive. We expect to see the benefits in the coming months as more people start using the new SAQs."

Russo was in London to attend the Retail Business show, where several speakers outlined their own experiences of dealing with PCI DSS.

For the John Lewis Partnership, a large retailer with 26 department stores, 187 supermarkets and a thriving online presence, the process has been as much about keeping customer confidence as meeting standards. "Brand reputation is very, very important to us. We see PCI as helping maintain our reputation," said Jeff Toogood, project manager in charge of JLP's PCI compliance progamme.

He said the secret to compliance was "honest open communication with your acquirer. The acquirer can represent the merchants' interests to the card schemes, and they can offer useful advice and guidance." He now sends a monthly report to his acquirer outlining progress and any difficulties.

The JLP programme began in mid-2006, starting with a gap analysis and requirements gathering process that have only just completed. Toogood said early iterations of the standard had been unclear and open to interpretation, and the different deadlines demanded by Visa and MasterCard had only added to the confusion. "It didn't help with buy-in from the business. They couldn't see how it would add to the business," he said.

With the appointment of a QSA (Qualified System Assessor), he said he had more confidence in tackling the process of fulfilling all the requirements of PCI DSS.

We made the mistake of treating it as an IT project back in 2005 and the business just didn't buy into it
Matthew Linsey
Head of IT servicesFlybe
Buy-in from the business had also been a problem initially at the airline Flybe, which also outlined its experience at the conference. "We made the mistake of treating it as an IT project back in 2005 and the business just didn't buy into it," said Matthew Linsey, the company's head of IT services.

A relaunch in 2006 emphasised it as a financial project, and won support from the various departments affected. Flybe runs mainly short-haul flights and handles around 2.6 million card transactions a year, making it a Level 2 merchant. Around 70% of bookings come online, while others come through a call centre and ticket desks.

Chris Cooper, Flybe's IT security manager, said they had decided not to use a QSA, but had adopted RSA's Envision product to monitor events on the network and to help with PCI DSS reporting. "We wanted to collect logs and get value from them in tracking traffic, but we didn't want to employ 20 people to monitor screens. Envision does that for us," he said.

Amid the general mood of optimism, one note of warning came from Richard Braganza, a QSA with Verizon Business. His advice was aimed mainly at smaller merchants who are likely to sign up for a managed transaction service to handle credit card data rather than take on the responsibility themselves.

He said that the new PA DSS standard, due to be introduced in mid-2008 to regulate the quality of packaged payment software and systems, could hold some surprises. Software suppliers will have to get their products accredited by platform and version number to be acceptable to the card companies. That means that any new version of the software will have to be accredited once more.

Braganza warned that suppliers were likely to want to pass on any expenses to their customers. "Merchants need to ask the right questions," he said. "Most of the contracts I've looked at so far would allow the supplier to charge extra for every new version."

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy