Time is running out for organisations that handle credit card payments to make their systems compliant with a new security standard, experts have warned.
In less than three months, the Payment Card Industry, which represents credit card companies, will bring in the PCI Data Security Standard (DSS) to help safeguard customer data.
But there are fears that many smaller retailers, in particular, will not be ready for the 30 June deadline and could face fines.
The PCI DSS sets requirements for the monitoring and storage of credit card information at four levels of security, depending on the volume of credit card transactions being handled.
Firms with large numbers of transactions are required to monitor closely all access to stored credit card information, and they can be audited quarterly at a cost of up to £10,000 a time to ensure best practice is adhered to.
The UK's largest retailer, Tesco, told Computer Weekly that it had been working on PCI DSS compliance for the past 18 months to ensure it was prepared for the change.
Nick Mourant, group treasurer at Tesco, said the firm had completed a gap analysis of its current configurations and had undertaken a risk assessment around any shortcomings.
He said Tesco was confident that any gaps in its PCI DSS compliance would be addressed over the course of the retailer's normal software refresh cycle.
John Lewis said it had appointed a project manager and had identified areas where work was required to meet the requirements of the PCI DSS. "We are in the process of producing a detailed implementation plan," a spokeswoman said.
However, the British Retail Consortium said that meeting the June deadline would be difficult for some of its members, adding, "So long as the retailer has a plan and budget, there is some flexibility."
Seana Pitt, chair of the PCI Security Standards Council, said, "Everyone has a role to play in keeping sensitive payment data secure." She urged retailers to be aware of where credit card data was being stored, and to eliminate non-essential data.
"Retailers should look to ensure that sensitive authentication data is not stored in their systems. They should scope their system to know where their data resides, become familiar with the PCI DSS and create action plans to become compliant," said Pitt.
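As an added illustration, not code from the article, the PCI Security Standards Council or Pitt: a small Python data-discovery scan of the kind her advice calls for, run over constructed sample log records, that locates Luhn-valid card numbers, masks them to the first six and last four digits, and flags records that also carry sensitive authentication data fields such as CVV2 or track data. The field names, the sample records and the test card numbers are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample records standing in for files turned up during a discovery sweep.
# The card numbers are well-known test PANs (assumed), not real accounts.
SAMPLE_LINES = [
    "2008-04-02 10:15:01 order=1001 pan=4111111111111111 exp=12/09 cvv2=123",
    "2008-04-02 10:15:02 order=1002 pan=5500000000000004 exp=11/10",
    "2008-04-02 10:15:03 track2=;4111111111111111=09121011234?",
    "2008-04-02 10:15:04 order=1003 ref=1234567890123 status=ok",
    "2008-04-02 10:15:05 order=1004 pan=4111111111111112 exp=12/09",
]

# Candidate PAN: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Assumed field names that indicate sensitive authentication data (SAD), which
# PCI DSS forbids storing after authorisation even in encrypted form.
SAD_RE = re.compile(r"\b(track[12]|cvv2?|cvc2?|pin_?block)\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to separate real PANs from order numbers and references."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    line_no: int
    masked_pan: Optional[str]   # None when only SAD field names were seen
    has_sad: bool

def scan(lines: List[str]) -> List[Finding]:
    """Report each line holding a Luhn-valid PAN and whether SAD sits beside it."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        has_sad = SAD_RE.search(line) is not None
        for p in pans:
            findings.append(Finding(n, mask_pan(p), has_sad))
        if not pans and has_sad:
            findings.append(Finding(n, None, True))
    return findings
```

Lines 4 and 5 of the sample are deliberately digit strings that fail the Luhn check, so the scan reports only the three genuine card numbers.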
Andrew McClelland, director of projects at the online retailers' trade body IMRG, said, "Everyone accepts the need for a standard, but PCI DSS is an extremely large and complex project."
At the same time, some commentators have warned that the new standard will not necessarily improve overall data security.
In his Computer Weekly risk assessment blog, Stuart King said, "I believe that [penalty] schemes have the potential to undermine the standard by turning it into an exercise in achieving the pass mark rather than a serious effort to protect data."